
Chinese APT IronHusky Releases Latest version of MysterySnail RAT in Russia


Kaspersky researchers have brought to light the reappearance of the MysterySnail RAT, a malicious tool with ties to the Chinese IronHusky APT group, which had fallen silent for years. This RAT has resurfaced with new tactics and a modular design, showcasing the evolving nature of cyber threats in today’s digital landscape.

The discovery of the MysterySnail RAT came about during an investigation into the CVE-2021-40449 zero-day vulnerability by Kaspersky researchers in 2021. At that time, it was associated with the IronHusky APT group, known for its Chinese-speaking origins and activity dating back to at least 2017. Following the initial report, details about this malware seemed to have disappeared from public view.

Recent observations, however, have revealed a resurgence of the MysterySnail RAT in the form of a new version targeting government entities in Mongolia and Russia. This renewed targeting aligns with past intelligence indicating IronHusky’s specific interest in these two countries as far back as 2018, suggesting that the RAT has been operational covertly for a number of years.

The latest infection vector was a malicious MMC script disguised as a document from Mongolia’s National Land Agency (ALAMGAC). The script downloaded a ZIP archive from fileio containing a second malicious component alongside a decoy DOCX file, extracted the archive, placed the decoy in a specific directory and launched CiscoCollabHost.exe. The malware then established persistence by configuring CiscoCollabHost.exe to run at startup, and opened the decoy document so the user would not suspect anything.

While the use of a legitimate binary such as CiscoCollabHost.exe added a layer of camouflage, the archive also included a malicious DLL loaded through DLL sideloading, which acted as a new intermediary backdoor for C2 communication. This backdoor supported roughly 40 commands, including file system management, command execution, service management and connections to network resources.

A notable upgrade over the previous version is the addition of five DLL modules for command execution, which extend the malware’s capabilities. The new version also established persistence through encrypted payloads that are loaded into memory via DLL hollowing, a more sophisticated evasion technique than the earlier variant used.

Following recent intrusions, the threat actors adapted by deploying a modified variant named MysteryMonoSnail, which communicates over the WebSocket protocol and supports a reduced set of basic commands. This evolution underscores the resilience and adaptability of the threat and the need for continued vigilance in cybersecurity defense.

The resurgence of the MysterySnail RAT serves as a stark reminder that old malware does not simply fade away; instead, it evolves to meet new challenges. Staying informed and proactive in addressing emerging and resurfacing cybersecurity threats remains essential in safeguarding digital systems against evolving risks.
