An upgraded version of the MysterySnail remote access trojan (RAT) malware has been uncovered by researchers, shedding light on the sophisticated cyberattacks carried out by the Chinese-speaking IronHusky hacker group targeting government organizations in Russia and Mongolia.
The newly discovered version of MysterySnail malware was detected during an investigation into recent intrusions, revealing that it is being distributed through a malicious MMC script disguised as a Word document. Once executed, the script downloads additional payloads and establishes persistent access on the compromised systems.
A crucial element of this attack is an intermediary backdoor that facilitates file transfers between the hackers’ command and control servers and the infected devices. This backdoor also empowers the attackers to execute commands, create new processes, delete files, and carry out other malicious activities.
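Two of the behaviours described above (an MMC console file posing as a Word document, and that script then pulling down further payloads) leave process-creation telemetry a defender can hunt on. The following is an added example, not code from the researchers or the article; it runs two heuristics over constructed Sysmon-style events. It assumes saved MMC consoles carry the .msc extension and that a payload download would surface as mmc.exe spawning a script host or download-capable binary; both the event samples and the child-process list are assumptions, not indicators from the report.

```python
import re

# Constructed Sysmon-style process-creation events (Event ID 1 fields: ParentImage,
# Image, CommandLine); not taken from the article or from any real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\u\Downloads\Agreement_2025.docx.msc"'},
    {"ParentImage": r"C:\Windows\System32\mmc.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -w hidden -File C:\Users\u\AppData\Local\Temp\stage.ps1'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\eventvwr.msc"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\u\Downloads\Agreement_2025.docx"'},
]

# Saved MMC consoles use the .msc extension; a document extension right before it
# is the "disguised as a Word document" pattern the article describes.
DOC_LOOKALIKE = re.compile(r'\.(docx?|xlsx?|pptx?|pdf|rtf)\.msc"?\s*$', re.IGNORECASE)
MSC_ARG = re.compile(r'"?([^"]+\.msc)"?\s*$', re.IGNORECASE)
# Children of mmc.exe that can fetch or run further payloads (assumed list).
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "certutil.exe",
                       "curl.exe", "bitsadmin.exe"}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return (rule, CommandLine) pairs for events matching either heuristic."""
    hits = []
    for ev in events:
        image, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
        if image == "mmc.exe":
            m = MSC_ARG.search(cmd)
            if m and DOC_LOOKALIKE.search(cmd):
                hits.append(("msc_document_lookalike", cmd))
            elif m and not m.group(1).lower().startswith("c:\\windows\\"):
                # Consoles normally live under C:\Windows; a user-writable path is unusual.
                hits.append(("msc_from_user_writable_path", cmd))
        elif parent == "mmc.exe" and image in SUSPICIOUS_CHILDREN:
            hits.append(("mmc_spawned_script_host", cmd))
    return hits

if __name__ == "__main__":
    for rule, cmd in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
```

The built-in eventvwr.msc event is deliberately left unflagged, so the rules can be tuned against legitimate administrative use before deployment.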
Researchers have noted that the MysterySnail RAT malware was initially identified in 2021, and that distinctive traces of it appeared in their telemetry data from recent attacks. After these intrusions were disrupted, the attackers swiftly adapted by deploying a lighter version of the malware known as MysteryMonoSnail. Although streamlined, this new variant retains the core functionalities of its predecessor, enabling it to manage services, execute shell commands, spawn and terminate processes, and manipulate files.
Originally discovered four years ago, the MysterySnail RAT was employed in espionage campaigns targeting Russian and Mongolian entities, including military and defense contractors, as well as diplomatic institutions. The attackers utilized sophisticated techniques, such as exploiting a Windows kernel driver vulnerability (CVE-2021-40449), to infiltrate systems.
The IronHusky hacking group, responsible for these cyberattacks, has been monitored by researchers since 2017 when they first targeted Russian and Mongolian government bodies to gather sensitive intelligence, particularly related to Russian-Mongolian military negotiations. Throughout the years, the group has evolved its tactics, utilizing various vulnerabilities, including a Microsoft Office memory corruption flaw (CVE-2017-11882), to deploy different RATs like PoisonIvy and PlugX.
This latest discovery of the MysterySnail RAT underscores the ongoing threat posed by advanced persistent threat (APT) groups, especially those focused on espionage and intelligence gathering. It serves as a reminder of the continuous efforts of cybercriminals to infiltrate secure systems and access sensitive information.
As cybersecurity remains a top priority for governments and organizations worldwide, the proactive identification and mitigation of such advanced malware strains are crucial to safeguarding critical infrastructure and sensitive data. The collaborative efforts of researchers, cybersecurity professionals, and law enforcement agencies are essential in combating these evolving cyber threats effectively.
In conclusion, the emergence of the upgraded MysterySnail malware highlights the evolving tactics of cybercriminals and the importance of staying vigilant against sophisticated cyberattacks targeting government entities and critical infrastructure. By enhancing cybersecurity measures and information sharing, organizations can better protect themselves against malicious actors seeking to exploit vulnerabilities and compromise sensitive data.