Researchers have uncovered a new, upgraded version of the MysterySnail remote access trojan (RAT), which is being deployed by the Chinese-speaking IronHusky hacker group. The group has been targeting government organizations in Russia and Mongolia in a series of sophisticated cyberattacks.
The updated MysterySnail malware, discovered during an investigation into recent intrusions, is being spread through a malicious MMC script disguised as a Word document. Upon execution, the script downloads additional payloads and establishes persistent access on the compromised systems.
One of the key components in this attack is an intermediary backdoor that facilitates file transfers between the hackers’ command and control servers and the infected devices. This backdoor also enables the attackers to execute commands, create new processes, delete files, and perform other malicious actions.
The researchers have explained that in their telemetry, they identified the distinctive traces of MysterySnail RAT malware, which was initially discovered in 2021. In these most recent attacks, the malware was configured to persist on compromised machines as a service.
Following the disruption of these intrusions, researchers noticed that the attackers quickly adapted their approach by deploying a new, lighter version of MysterySnail.
Dubbed MysteryMonoSnail, this streamlined version consists of a single component but retains the core capabilities of its predecessor, including the ability to manage services, execute shell commands, spawn and terminate processes, and manipulate files.
First detected nearly four years ago, the MysterySnail RAT was originally found in espionage campaigns targeting Russian and Mongolian entities, including military and defense contractors, as well as diplomatic institutions. The attackers used sophisticated techniques, such as exploiting a Windows kernel driver vulnerability (CVE-2021-40449), to infiltrate systems.
Researchers have been tracking the IronHusky hacking group since 2017, when the group first targeted Russian and Mongolian government bodies with the aim of collecting sensitive intelligence, particularly related to Russian-Mongolian military negotiations. Over the years, the group has evolved its tactics, leveraging multiple vulnerabilities, including a Microsoft Office memory corruption flaw (CVE-2017-11882), to deploy various RATs such as PoisonIvy and PlugX.
This latest iteration of the MysterySnail RAT serves as a reminder of the persistent threat posed by advanced persistent threat (APT) groups, particularly those focused on espionage and intelligence gathering.
Source: Social Media