Chinese Hackers are Updating the MysterySnail Malware to Gain Access to Sensitive Government Websites


Researchers have recovered new, enhanced versions of the MysterySnail remote access trojan (RAT) used by the Chinese threat group IronHusky. In a series of recent attacks, the group has been targeting government agencies in Mongolia and Russia.

The new MysterySnail build, identified during an investigation of recent intrusions, is delivered through a malicious MMC console script disguised as a Word document. When the script runs, it establishes persistence on the infected system and downloads additional payloads.
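As an added example (not code from the article or from the researchers it cites), the following Python script hunts a directory for MMC console files (.msc) that pose as Office documents, the kind of lure the paragraph above describes. It assumes only that current MMC console files are XML whose root element is <MMC_ConsoleFile>; the file names, sample contents and script markers are constructed for illustration and do not describe MysterySnail's actual files.

```python
"""Hunt for MMC console files (.msc) disguised as Office documents.

Added example, not code from the original article or from the
researchers it cites. Assumption: modern MMC console files are XML
with a <MMC_ConsoleFile> root. Sample files below are constructed.
"""
import html
import tempfile
from pathlib import Path

MMC_ROOT = "<mmc_consolefile"
# Extensions a lure is likely to imitate (assumed list; extend as needed)
OFFICE_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".pdf"}
# Strings that have no business inside a console definition (assumed markers)
SCRIPT_MARKERS = ("<script", "javascript:", "vbscript:", "activexobject", "wscript.shell")


def classify(path: Path) -> list[str]:
    """Return the reasons a file looks like a disguised MMC console ([] if clean)."""
    head = path.read_bytes()[:65536]
    # Console strings are usually XML-entity-escaped, so unescape before matching;
    # a byte-level search for "<script" would miss "&lt;script&gt;".
    text = html.unescape(head.decode("utf-8", errors="ignore")).lower()
    suffixes = [s.lower() for s in path.suffixes]
    is_msc = suffixes[-1:] == [".msc"]
    is_console = MMC_ROOT in text
    reasons = []

    # report.docx.msc: the Office extension is only a decoy
    if is_msc and any(s in OFFICE_EXTS for s in suffixes[:-1]):
        reasons.append("double extension: Office-looking name with a real .msc suffix")
    # console XML carried under a name that does not admit to being a console
    if is_console and not is_msc:
        reasons.append("MMC console XML stored under a non-.msc extension")
    if is_console:
        hits = sorted(m for m in SCRIPT_MARKERS if m in text)
        if hits:
            reasons.append("console embeds script markers: " + ", ".join(hits))
    return reasons


def scan(root: Path) -> dict[str, list[str]]:
    """Walk a directory tree and map each flagged file name to its reasons."""
    findings = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reasons = classify(p)
            if reasons:
                findings[p.name] = reasons
    return findings


def build_samples(root: Path) -> None:
    """Write constructed sample files (not real malware) for a dry run."""
    benign_docx = b"PK\x03\x04" + b"\x00" * 32  # zip magic of a genuine .docx
    plain_console = (b'<?xml version="1.0"?>\n'
                     b'<MMC_ConsoleFile ConsoleVersion="3.0"><StringTables/></MMC_ConsoleFile>')
    lure_console = (b'<?xml version="1.0"?>\n'
                    b'<MMC_ConsoleFile ConsoleVersion="3.0"><StringTables><StringTable><Strings>'
                    b'<String ID="1">&lt;script&gt;new ActiveXObject("WScript.Shell")&lt;/script&gt;</String>'
                    b'</Strings></StringTable></StringTables></MMC_ConsoleFile>')
    (root / "Q3_budget.docx").write_bytes(benign_docx)          # clean document
    (root / "services.msc").write_bytes(plain_console)          # ordinary console, no script
    (root / "meeting_notes.docx.msc").write_bytes(lure_console)  # double-extension lure
    (root / "invoice.docx").write_bytes(lure_console)           # console XML under .docx


def demo() -> dict[str, list[str]]:
    """Build the samples in a temp directory and return the scan findings."""
    root = Path(tempfile.mkdtemp(prefix="msc_hunt_"))
    build_samples(root)
    return scan(root)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Two of the four constructed files are flagged: the double-extension lure and the console XML hidden under a .docx name; the genuine document and the script-free console pass. The double-extension check only catches the crudest masquerade (Explorer hides known extensions by default, so "meeting_notes.docx.msc" shows as "meeting_notes.docx"), which is why the content check on the unescaped XML is the more durable of the two.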

One of the attack's main components is an intermediate backdoor that transfers files between the compromised machines and the attackers' command-and-control servers. The backdoor also lets the operators run commands, start new processes, delete files, and carry out other malicious tasks.

The researchers say they identified distinctive traces of the MysterySnail RAT, first documented in 2021, in their telemetry. In these latest attacks the malware was installed to run as a Windows service on the compromised machines.


After these intrusions were blocked, the researchers observed that the attackers quickly switched to a lighter, newer version of MysterySnail.

This stripped-down version, called MysteryMonoSnail, consists of a single component but retains the feature set of its predecessor: managing services, executing shell commands, spawning and terminating processes, and manipulating files.

The MysterySnail RAT was first discovered almost four years ago in espionage campaigns against Russian and Mongolian organizations, including military and defense contractors and diplomatic establishments. Among other techniques, the attackers exploited a privilege-escalation vulnerability in the Win32k kernel driver (CVE-2021-40449) on targeted systems.


Researchers have tracked IronHusky since 2017, when the group began targeting Russian and Mongolian government entities to collect sensitive intelligence, notably about military negotiations between the two countries. Its tooling has changed over time, exploiting a number of vulnerabilities, such as a memory-corruption flaw in Microsoft Office's Equation Editor (CVE-2017-11882), to deploy several RATs, including PlugX and PoisonIvy.

The latest MysterySnail variant is a reminder of the ongoing threat posed by advanced persistent threat (APT) groups, particularly those focused on espionage and intelligence collection.


About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.
