[MART] - Daily Diary #368 - IronHusky APT Exploited Zero-day To Deploy Malware

CTAS-MAT ctas-mat at appgate.com
Wed Oct 13 21:46:53 UTC 2021


Hello,

I hope everyone is doing well!

Below is the entry for today.

10/13/2021 - Diary entry #368:


Between August and September, the IronHusky APT group used a Windows zero-day exploit during attacks to deploy a Remote Access Trojan (RAT) named MysterySnail. The RAT shares code similarities with, and reuses C2 infrastructure linked to, the Chinese-speaking APT group.


The vulnerability is a use-after-free bug in the Win32k kernel driver, tracked as CVE-2021-40449, that was used to escalate privileges on the affected systems. It allows an attacker to set user-mode callbacks and execute unexpected API functions during the execution of those callbacks. The bug was patched on October 12, 2021, as part of the October Patch Tuesday, along with 71 other CVEs.


MysterySnail is not sophisticated and has functionality similar to many other trojans. Besides gathering general information about the infected machine, it can launch "cmd.exe" shells, create/kill processes, check for new drives, create/upload/read files, retrieve directory listings, and create/transfer data using a proxy connection to a provided host.

Kind Regards,

Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
O: +55 11 97467 9549
