BACKGROUND:
Researchers at Kaspersky technologies are reporting in MysterySnail attacks with Windows zero-day about a Chinese RAT attacking multiple Windows servers using a zero-day privilege escalation for insertion. Reporting: “We discovered that it was using a previously unknown vulnerability in the Win32k driver and exploitation relies heavily on a technique to leak the base addresses of kernel modules.” Excerpts:
… we analyzed the malware payload used along with the zero-day exploit and found that variants of the malware were detected in widespread espionage campaigns against IT companies, military/defense contractors, and diplomatic entities.
We are calling this cluster of activity MysterySnail. Code similarity and re-use of C2 infrastructure we discovered allowed us to connect these attacks with the actor known as IronHusky and Chinese-speaking APT activity dating back to 2012.
The discovered exploit is written to support the following Windows products: Microsoft Windows: Vista, Windows 7, 8, 8.1, Server 2008, Server 2008 R2, Server 2012, Server 2012 R2, 10 (build 14393), Server 2016 (build 14393), 10 (build 17763) and Server 2019 (build 17763).
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.