BACKGROUND:
Researchers at Kaspersky report, in "MysterySnail attacks with Windows zero-day", on a Chinese-speaking APT deploying a remote access trojan (RAT) against Windows servers, using a previously unknown privilege-escalation vulnerability in the Win32k kernel driver to gain the access needed to install the malware (Microsoft patched the bug in October 2021 as CVE-2021-40449). From the report: “We discovered that it was using a previously unknown vulnerability in the Win32k driver and exploitation relies heavily on a technique to leak the base addresses of kernel modules.” The address-leak component matters because kernel ASLR otherwise prevents a local exploit from locating the kernel structures it needs to corrupt; without it, a Win32k memory-safety bug alone does not yield a reliable elevation of privilege. Excerpts:
… we analyzed the malware payload used along with the zero-day exploit and found that variants of the malware were detected in widespread espionage campaigns against IT companies, military/defense contractors, and diplomatic entities.
We are calling this cluster of activity MysterySnail. Code similarity and re-use of C2 infrastructure we discovered allowed us to connect these attacks with the actor known as IronHusky and Chinese-speaking APT activity dating back to 2012.
The discovered exploit is written to support the following Windows products: Microsoft Windows: Vista, Windows 7, 8, 8.1, Server 2008, Server 2008 R2, Server 2012, Server 2012 R2, 10 (build 14393), Server 2016 (build 14393), 10 (build 17763) and Server 2019 (build 17763).