Chinese APT group IronHusky exploits zero-day Windows Server privilege escalation

Attackers used exploit to deploy a new remote shell Trojan called MysterySnail.

One of the vulnerabilities patched by Microsoft has been exploited by a Chinese cyber-espionage group since at least August. The attack campaigns targeted IT companies, defence contractors and diplomatic entities.

According to researchers from Kaspersky Lab, the malware deployed with the exploit and its command-and-control infrastructure point to a connection with a known Chinese APT group tracked as IronHusky that has been operating since 2017, but also with other China-based APT activity going back to 2012.

Privilege escalation vulnerability in Windows GDI driver

The group was observed leveraging a previously unknown vulnerability in Win32k.sys, a system driver that's part of the Windows Graphics Device Interface (GDI), which has been a common source of vulnerabilities in the past.

The flaw, tracked as CVE-2021-40449, affects all supported Windows versions and those that are no longer supported and allows code to be executed with system privileges.

Since this is a privilege escalation vulnerability, it is only used to gain complete control of the targeted systems but is not the original method of entry. The exploit used in the attacks borrows code from a public exploit for another Wink32k vulnerability patched in 2016 (CVE-2016-3309). Despite the exploit being written to support all versions of Windows since Vista, the Kaspersky researchers only saw it being used on Windows servers.

"In the discovered exploit attackers are able to achieve the desired state of memory with the use of GDI palette objects and use a single call to a kernel function to build a primitive for reading and writing kernel memory," the researchers said in their report.

"This step is easily accomplished, because the exploit process is running with Medium IL and therefore it’s possible to use publicly known techniques to leak kernel addresses of currently loaded drivers/kernel modules. In our opinion, it would be preferable if the Medium IL processes had limited access to such functions as NtQuerySystemInformation or EnumDeviceDrivers."

MysterySnail RAT

The hackers used the privilege escalation exploit to deploy a remote shell Trojan (RAT) that Kaspersky dubbed MysterySnail. Attackers can use this malware program to execute Windows shell commands, gather information about the disks and folders, delete, read and upload files, kill processes and more.

A sample of the malware was first uploaded to the VirusTotal database on August 10 and stands out through its unusually large size of 8.29MB. This is because the malware bundles a stand-alone version of the OpenSSL library, which it uses for encrypted communications, and two very large functions that only waste processor clock cycles and are probably meant to evade emulation and antivirus detection.

Another interesting feature is that the malware attempts to tunnel its communications through a proxy server if connecting to the command-and-control server directly is blocked. It does this by enumerating the values under the “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer” registry key.

"The analysis of the MysterySnail RAT helped us discover campaigns using other variants of the analysed malware as well as study and document the code changes made to this tool over a six-month period," the researchers said.

"With the help of Kaspersky Threat Attribution Engine (KTAE) and the discovery of early variants of MysterySnail RAT, we were able to find direct code and functionality overlap with the malware attributed to the IronHusky actor."

IronHusky has been running cyber-espionage campaigns since 2017 and its previous target selection suggested a geopolitical agenda. For example, the group targeted Mongolian government entities, which are not a common target, before a meeting with the International Monetary Fund in 2018.

Before that, the group was seen targeting Russian military contractors. At the time, it was using off-the-shelf Trojans like PlugX and PoisonIvy that were typical of Chinese-speaking APT activity.