Recently, Kaspersky researchers have brought to light the reappearance of the MysterySnail RAT, malware associated with the Chinese IronHusky APT group. This RAT has resurfaced after a period of dormancy and is now actively targeting government entities in Mongolia and Russia with new tactics and a modular design.
The world of cybercriminals is ever-evolving, with new malware constantly being developed to launch cyberattacks. Some of these malicious tools have a long lifespan, while others fade into obscurity relatively quickly. In 2021, Kaspersky researchers discovered the MysterySnail RAT during their investigation of a zero-day vulnerability, CVE-2021-40449. This discovery shed light on a short-lived implant that had been relatively unknown until that point.
Initially, the MysterySnail RAT was attributed to the IronHusky APT group, a Chinese-speaking threat actor active since at least 2017. However, after the initial report, there was no further public information about this malware until recent events unfolded.
Recent observations have revealed a new version of the MysterySnail RAT being deployed to target government entities in Mongolia and Russia. This aligns with previous intelligence indicating IronHusky’s specific interest in these two countries dating back to 2018. The resurgence of this RAT suggests that it has been active covertly for several years, carrying out targeted attacks in these regions.
The latest infection vector for the MysterySnail RAT involved a malicious MMC script disguised as a document from Mongolia’s National Land Agency (ALAMGAC). This script, when executed, downloaded a ZIP archive from fileio containing a secondary malicious component and a decoy DOCX file. The decoy file was placed in a specific directory, and the malicious component was executed for persistence on the infected system.
Unlike previous versions, the new MysterySnail RAT can execute about 40 commands, allowing cybercriminals to carry out various malicious activities such as file system management, command execution, service management, and network resource connection. Additionally, this new version utilizes five additional DLL modules for enhanced functionality, a significant upgrade from its predecessor.
Furthermore, the new version of the RAT establishes persistence on infected machines as a service, with the malicious DLL loading an encrypted payload using advanced algorithms. The threat actors behind the MysterySnail RAT have demonstrated their adaptability by deploying a modified variant named MysteryMonoSnail, which communicates with the same C2 servers but uses different protocols and a reduced set of commands.
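As an added example (not from Kaspersky's report or the malware itself), the infection chain and persistence behaviour described above expressed as simple hunting logic over constructed, Sysmon-style endpoint events: mmc.exe opening an .msc from a user-writable path or with a document-looking double extension, that same process writing a ZIP, and a new service backed by a DLL outside the Windows directory. All hosts, paths, PIDs and the service name are constructed, not real indicators.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (simplified Sysmon-like records), not real IoCs.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process_create", "pid": 4120,
     "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'mmc.exe "C:\Users\u\Downloads\land_report.docx.msc"'},
    {"host": "WS01", "type": "file_create", "pid": 4120,
     "target": r"C:\Users\u\AppData\Local\Temp\pkg.zip"},
    {"host": "WS01", "type": "service_install", "name": "UpdSvc",
     "image_path": r"C:\ProgramData\Upd\helper.dll"},
    # Benign activity on a second host: a stock console and a normal service.
    {"host": "WS02", "type": "process_create", "pid": 777,
     "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'mmc.exe "C:\Windows\System32\eventvwr.msc"'},
    {"host": "WS02", "type": "service_install", "name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
]

USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)
DOC_DISGUISE = re.compile(r"\.(docx?|pdf|xlsx?)\.msc\b", re.I)


def analyze(events):
    """Return {host: [reasons]} for hosts showing at least two of the three
    stages: suspicious mmc.exe/.msc launch, that process writing a ZIP, and a
    service installed with a DLL outside the Windows directory."""
    findings = defaultdict(list)
    suspicious_mmc = set()  # (host, pid) of mmc.exe processes flagged in stage 1
    for ev in events:
        h = ev["host"]
        if ev["type"] == "process_create" and ev["image"].lower().endswith(r"\mmc.exe"):
            cl = ev["cmdline"]
            if DOC_DISGUISE.search(cl) or (".msc" in cl.lower() and USER_WRITABLE.search(cl)):
                suspicious_mmc.add((h, ev["pid"]))
                findings[h].append("mmc.exe opened .msc from user path: " + cl)
        elif ev["type"] == "file_create" and (h, ev["pid"]) in suspicious_mmc:
            if ev["target"].lower().endswith(".zip"):
                findings[h].append("flagged mmc.exe wrote archive: " + ev["target"])
        elif ev["type"] == "service_install":
            p = ev["image_path"].lower()
            if p.endswith(".dll") and not p.startswith("c:\\windows\\"):
                findings[h].append(f"service {ev['name']} backed by DLL outside Windows dir: {p}")
    return {h: r for h, r in findings.items() if len(r) >= 2}


if __name__ == "__main__":
    for host, reasons in analyze(SAMPLE_EVENTS).items():
        print(host, *reasons, sep="\n  ")
```

Requiring two correlated stages keeps a lone legitimate .msc launch or a single third-party service from raising an alert on its own.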
The return of the MysterySnail RAT serves as a stark reminder that old malware doesn’t simply disappear; it evolves and adapts to stay relevant in the ever-changing cybersecurity landscape. This resurgence underscores the importance of staying vigilant and informed about emerging and resurfacing cybersecurity threats to ensure the security of systems and data.