Windows Zero-Day Actively Exploited in Widespread Espionage Campaign (Security News, October 2021)

Researchers have discovered a zero-day exploit for Microsoft Windows that was used to elevate privileges and take over Windows servers as part of a Chinese-speaking advanced persistent threat (APT) espionage campaign this summer.
The cybercriminals were using the exploit as part of a wider effort to install a remote shell on target servers: the MysterySnail malware, which was unknown prior to this campaign.
These are likely anti-analysis functions, the researchers added, noting that the code also contains other redundant logic and "the presence of a relatively large number of exported functions while the real work is performed by only one of them."
From there, the malware gathers basic information about the victim machine: computer name, current OEM code-page/default identifier, Windows product name, local IP address, logged-in user name and campaign name.
During its analysis of the MysterySnail RAT, Kaspersky linked the campaign to the IronHusky APT group through the reuse of C2 infrastructure seen in other attacks dating back to 2012.
Kaspersky researchers found variants of MysterySnail used in widespread espionage campaigns against IT companies, military and defense contractors, and diplomatic entities, according to the writeup.
News URL
https://threatpost.com/windows-zero-day-exploited-espionage/175432/
Related news
- FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux
- Microsoft patches Windows Kernel zero-day exploited since 2023
- Unpatched Windows Zero-Day Flaw Exploited by 11 State-Sponsored Threat Groups Since 2017
- New Windows zero-day exploited by 11 state hacking groups since 2017
- APTs have been using zero-day Windows shortcut exploit for eight years (ZDI-CAN-25373)
- EncryptHub linked to MMC zero-day attacks on Windows systems
- New Windows zero-day leaks NTLM hashes, gets unofficial patch
- Google fixes Chrome zero-day exploited in espionage campaign
- Zero-Day Alert: Google Releases Chrome Patch for Exploit Used in Russian Espionage Attacks
- EncryptHub Exploits Windows Zero-Day to Deploy Rhadamanthys and StealC Malware