Chinese-speaking IronHusky hackers are targeting Russian and Mongolian government organizations using an upgraded version of the MysterySnail remote access trojan (RAT) malware.
Security researchers at Kaspersky’s Global Research and Analysis Team (GReAT) spotted the updated implant while investigating recent attacks in which the attackers deployed the RAT using a malicious MMC script disguised as a Word document. The script downloaded second-stage payloads and established persistence on compromised systems.
One of the malicious payloads is a previously unknown intermediary backdoor that transfers files between the command-and-control servers and compromised devices, runs command shells, creates new processes, deletes files, and more.
“In our telemetry, these files turned out to leave footprints of the MysterySnail RAT malware, an implant we described back in 2021. In observed infection cases, MysterySnail RAT was configured to persist on compromised machines as a service,” Kaspersky said.
“Notably, a short time after we blocked the recent intrusions related to MysterySnail RAT, we observed the attackers continue conducting their attacks by deploying a repurposed and more lightweight version of MysterySnail RAT. This version consists of a single component, and that’s why we dubbed it MysteryMonoSnail.”
According to the researchers, the upgraded RAT supports dozens of commands that let attackers manage services on the compromised device, execute shell commands, spawn and kill processes, and manage files, among other things.
First spotted almost four years ago
This latest backdoor version is similar to the original MysterySnail RAT, which Kaspersky first detected in late August 2021 in widespread espionage attacks against IT companies, military/defense contractors, and diplomatic entities in Russia and Mongolia.
At the time, the IronHusky hacking group was observed deploying the malware on systems compromised using zero-day exploits targeting a Windows Win32k kernel driver vulnerability (CVE-2021-40449).
The Chinese APT was first spotted by Kaspersky in 2017 while investigating a campaign targeting Russian and Mongolian government entities with the end goal of collecting intelligence on Russian-Mongolian military negotiations.
One year later, Kaspersky also observed the group exploiting a Microsoft Office memory corruption vulnerability (CVE-2017-11882) to spread RATs typically used by Chinese hacking groups, including PoisonIvy and PlugX.
The Kaspersky report published on Thursday includes indicators of compromise and additional technical details about IronHusky’s recent attacks using the MysterySnail RAT.