Kaspersky researchers report the reappearance of MysterySnail RAT, a malware family linked to the Chinese IronHusky APT, targeting Mongolia and Russia after years of silence. Learn about its new tactics and modular design.
Cybercriminals are constantly developing new malware for cyberattacks. These malicious tools have varying lifespans; some malware families have been tracked for decades, while others vanish from public awareness relatively quickly. In 2021, Kaspersky researchers discovered one such short-lived implant during their investigation of the CVE-2021-40449 zero-day vulnerability, which they dubbed MysterySnail RAT.
At the time of its discovery, MysterySnail RAT was linked to IronHusky APT, a Chinese-speaking threat group active since at least 2017. After the initial report, no further public details about this malware emerged.
However, recent observations have uncovered attempted deployments of a new version of MysterySnail RAT targeting government entities in Mongolia and Russia. This targeting aligns with earlier intelligence indicating IronHusky's specific interest in these two countries dating back to 2018, suggesting the RAT has been active covertly for several years.
A recent infection began with a malicious MMC script disguised as a document from Mongolia's National Land Agency (ALAMGAC). This script downloaded a ZIP archive from fileio, which contained a secondary malicious component and a decoy DOCX file. The script would then extract the archive, placing the decoy in %AppData%\Cisco\Plugins\X86\bin\etc\Update, and execute CiscoCollabHost.exe from the archive. For persistence, it configured CiscoCollabHost.exe to run at start-up and opened the decoy document to deceive the user.
While CiscoCollabHost.exe is itself legitimate, the archive also held a malicious DLL named CiscoSparkLauncher.dll, designed to be sideloaded by the legitimate process and acting as a new intermediary backdoor. This backdoor handled C2 communication by leveraging the open-source piping-server project.
The new version can execute about 40 commands, enabling various malicious activities such as file system management, command execution via cmd.exe, process creation and termination, service management, and connecting to network resources.
Unlike the 2021 samples, the new version uses five additional DLL modules for command execution, a key upgrade from the previous version's single malicious component.
Moreover, it was configured to establish persistence on infected machines as a service, and the malicious DLL loads a payload encrypted with RC4 and XOR. Upon decryption, the payload is loaded into memory through DLL hollowing, using code from the run_pe library.
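As an added defender-side example (not code from the report or from Kaspersky), the following Python check applies the persistence layout described above, a vendor executable started from a user-writable %AppData% path with a DLL beside it, plus the exact file names and staging directory from this report, to constructed autorun records. The "Webex" install path and the analyst profile name in the sample data are assumptions.

```python
import ntpath
import re

# Names and the staging directory are those given in the report above.
REPORTED_EXE = "ciscocollabhost.exe"
REPORTED_DLL = "ciscosparklauncher.dll"
REPORTED_DIR = r"\cisco\plugins\x86\bin\etc\update"  # tail of %AppData%\Cisco\...\Update
# %AppData% expands to C:\Users\<name>\AppData\Roaming, which the user can write to.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


def assess_autorun(entry):
    """Return (severity, reason) findings for one Run-key or service entry.
    entry = {"image": full path of the launched executable,
             "siblings": file names found in the same directory}
    """
    directory, exe = ntpath.split(entry["image"])
    siblings = [s.lower() for s in entry.get("siblings", [])]
    findings = []
    in_profile = bool(USER_WRITABLE.search(directory))
    if in_profile:
        findings.append(("medium", "autorun image lives under a user AppData path"))
    # Legitimate EXE plus a DLL in the same writable folder is the sideloading layout.
    dlls = [s for s in siblings if s.endswith(".dll")]
    if in_profile and dlls:
        findings.append(("high", "DLL(s) beside image in writable dir: " + ", ".join(dlls)))
    # Exact file names and staging path from the MysterySnail report.
    if in_profile and exe.lower() == REPORTED_EXE and REPORTED_DLL in siblings:
        findings.append(("critical", "CiscoCollabHost.exe + CiscoSparkLauncher.dll sideload pair"))
    if directory.lower().endswith(REPORTED_DIR):
        findings.append(("critical", "directory matches the reported %AppData% staging path"))
    return findings


def hunt(entries):
    """Map each image path to its findings, keeping only entries that fired."""
    results = {e["image"]: assess_autorun(e) for e in entries}
    return {image: f for image, f in results.items() if f}


# Constructed sample data: a normal vendor install and one staged as in the report.
SAMPLE_ENTRIES = [
    {"image": r"C:\Program Files\Webex\CiscoCollabHost.exe",
     "siblings": ["CiscoCollabHost.exe", "CiscoSparkLauncher.dll"]},
    {"image": r"C:\Users\analyst\AppData\Roaming\Cisco\Plugins\X86\bin\etc\Update\CiscoCollabHost.exe",
     "siblings": ["CiscoCollabHost.exe", "CiscoSparkLauncher.dll", "decoy.docx"]},
]

for image, findings in hunt(SAMPLE_ENTRIES).items():
    print(image, findings)
```

The same executable and DLL pair in a normal Program Files install produces no finding, so the check keys on the writable location rather than on the file names alone.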
Following the disruption of the recent MysterySnail RAT intrusions, the threat actors persisted by deploying a modified, single-component version named MysteryMonoSnail. This streamlined version communicated with the same C2 servers as the original RAT but used the WebSocket protocol instead of HTTP and carried a reduced set of only 13 basic commands, enabling actions such as listing directories, writing files, and launching processes and remote shells.
The return of MysterySnail RAT shows that old malware doesn't simply disappear; it evolves. It's also a reminder that staying on top of new and resurfacing cybersecurity threats is key to keeping systems secure.