Windows Zero-Day Actively Exploited in Widespread Espionage Campaign (Security News, October 2021)
Researchers have discovered a zero-day exploit for Microsoft Windows that was being used to elevate privileges and take over Windows servers as part of a Chinese-speaking advanced persistent threat espionage campaign this summer.
The attackers were using the exploit as part of a wider effort to install a remote shell on target servers: the MysterySnail malware, which was unknown prior to this campaign.
These are likely anti-analysis functions, they added, noting that the code also contains other redundant logic and "the presence of a relatively large number of exported functions while the real work is performed by only one of them."
From there, the malware gathers basic information about the victim machine: computer name, current OEM code-page/default identifier, Windows product name, local IP address, logged-in user name and campaign name.
During its analysis of the MysterySnail RAT, Kaspersky linked the campaign to IronHusky APT activity through the reuse of C2 infrastructure seen in other attacks dating back to 2012.
Kaspersky researchers found variants of MysterySnail used in widespread espionage campaigns against IT companies, military and defense contractors, and diplomatic entities, according to the writeup.
News URL
https://threatpost.com/windows-zero-day-exploited-espionage/175432/