
Windows Zero-Day Actively Exploited in Widespread Espionage Campaign
2021-10-12 19:34

Researchers have discovered a zero-day exploit for Microsoft Windows that was used this summer to elevate privileges and take over Windows servers as part of an espionage campaign run by a Chinese-speaking advanced persistent threat (APT) group.

The attackers used the exploit as one step in a wider effort to install a remote access trojan on target servers: the MysterySnail malware, which was unknown prior to this campaign.

These are likely anti-analysis functions, the researchers added, noting that the code also contains other redundant logic and "The presence of a relatively large number of exported functions while the real work is performed by only one of them."

From there, the malware gathers basic information about the victim machine: computer name, current OEM code-page/default identifier, Windows product name, local IP address, logged-in user name and campaign name.

During their analysis of the MysterySnail RAT, Kaspersky's researchers linked the campaign to the IronHusky APT group on the basis of reused command-and-control (C2) infrastructure that had appeared in other attacks dating back to 2012.
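The attribution step described above, pivoting on reused C2 infrastructure to tie a new campaign to older activity, is something an analyst can script rather than eyeball. The block below is an added example and is not Kaspersky's code or data: the campaign names and indicators are constructed placeholders (documentation IP ranges, `.invalid` hostnames), and the rarity weighting and the shared-infrastructure allowlist are assumptions about how to avoid false links, not anything the article describes.

```python
"""Infrastructure-overlap pivoting: link campaigns that reuse C2 indicators.

Added example, not Kaspersky's code or data. All indicator values are constructed
placeholders (RFC 5737 documentation ranges and .invalid names), so nothing here
resolves to or describes real infrastructure.
"""
from collections import Counter
from itertools import combinations

# Constructed sample: campaign name -> set of C2 indicators (domains or IPs).
CAMPAIGNS = {
    "campaign-2012-a": {"c2-one.example.invalid", "192.0.2.10", "203.0.113.5"},
    "campaign-2017-b": {"c2-two.example.invalid", "192.0.2.10", "198.51.100.7"},
    "campaign-2021-c": {"c2-three.example.invalid", "203.0.113.5", "192.0.2.10"},
    "unrelated-d":     {"c2-four.example.invalid", "198.51.100.7"},
}

# Assumption: indicators that are shared hosting, sinkholes, CDN nodes or parking
# IPs must never count as a pivot, or unrelated actors get glued together.
SHARED_INFRA = {"198.51.100.7"}  # constructed placeholder for a shared-hosting IP


def indicator_weights(campaigns, shared=SHARED_INFRA):
    """Weight each indicator by rarity: an IOC seen in n campaigns scores 1/n,
    so a dedicated C2 host is a strong pivot and a widely reused one is weak.
    Indicators on the shared-infrastructure list get weight 0."""
    counts = Counter(ioc for iocs in campaigns.values() for ioc in iocs)
    return {ioc: (0.0 if ioc in shared else 1.0 / n) for ioc, n in counts.items()}


def link_campaigns(campaigns, min_score=0.5, shared=SHARED_INFRA):
    """Return {(a, b): (score, pivots)} for every campaign pair whose overlap
    score (sum of weights of the indicators they share) reaches min_score.
    `pivots` lists only the shared indicators that actually carried weight."""
    weights = indicator_weights(campaigns, shared)
    links = {}
    for a, b in combinations(sorted(campaigns), 2):
        common = campaigns[a] & campaigns[b]
        score = sum(weights[ioc] for ioc in common)
        if common and score >= min_score:
            pivots = sorted(ioc for ioc in common if weights[ioc] > 0)
            links[(a, b)] = (round(score, 3), pivots)
    return links


def clusters(campaigns, **kw):
    """Union-find over the links: campaigns transitively connected by pivots
    form one cluster, i.e. the 'same operator over time' hypothesis to go
    verify with other evidence (tooling, TTPs, victimology)."""
    parent = {c: c for c in campaigns}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in link_campaigns(campaigns, **kw):
        parent[find(a)] = find(b)
    groups = {}
    for c in campaigns:
        groups.setdefault(find(c), set()).add(c)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for pair, (score, pivots) in link_campaigns(CAMPAIGNS).items():
        print(f"{pair[0]} <-> {pair[1]}  score={score}  pivots={pivots}")
    print("clusters:", clusters(CAMPAIGNS))
```

Two things the weighting buys you: a single IP shared by three campaigns is not enough on its own to link any two of them at the default threshold, and a shared-hosting address that appears in two otherwise unrelated campaigns contributes nothing. Drop the allowlist (`shared=set()`) and the unrelated campaign gets linked purely on that hosting IP, which is exactly the false attribution the list exists to prevent.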

Kaspersky researchers found variants of MysterySnail used in widespread espionage campaigns against IT companies, military and defense contractors, and diplomatic entities, according to the writeup.


News URL

https://threatpost.com/windows-zero-day-exploited-espionage/175432/