Chinese Hackers Target Russian Government with Upgraded RAT Malware

Security researchers at Kaspersky's Global Research and Analysis Team (GReAT) have spotted a new variant of the MysterySnail remote access trojan (RAT) malware being used by Chinese-speaking IronHusky hackers to target Russian and Mongolian government organizations. This latest upgrade is part of an ongoing campaign by the group to compromise sensitive systems and steal sensitive information.

According to Kaspersky, the payload was delivered using a malicious MMC script camouflaged as a Word document, which downloaded second-stage payloads and established persistence on compromised systems. The researchers found that one of these payloads is a previously unknown intermediary backdoor that lets the attackers transfer files between the command-and-control servers and hacked devices, run command shells, create new processes, delete files, and more.

"In our telemetry, these files turned out to leave footprints of the MysterySnail RAT malware, an implant we described back in 2021. In observed infection cases, MysterySnail RAT was configured to persist on compromised machines as a service," Kaspersky said. "Notably, a short time after we blocked the recent intrusions related to MysterySnail RAT, we observed the attackers continuing their attacks by deploying a repurposed and more lightweight version of MysterySnail RAT. This version consists of a single component, and that's why we dubbed it MysteryMonoSnail."
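The two observable stages described above (an MMC console file posing as a Word document that is opened by mmc.exe, and a service used for persistence) are the kind of telemetry a defender can hunt over. The following is an added detection sketch, not Kaspersky's code and not derived from the report's indicators: it runs three simple rules over constructed process-creation and service-install events in an invented key=value log format. The double-extension list, the notion of "user-writable" paths, and the set of script hosts mmc.exe should not normally spawn are assumptions chosen for the demo, not details taken from the article.

```python
"""Hunt rules for the MysterySnail-style infection chain (added example).

Field names, log format and all sample lines below are constructed for the
demonstration; they are not real telemetry or indicators from the report.
"""
import re
from pathlib import PureWindowsPath

# key=value pairs, values optionally double-quoted (constructed log format)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# A console file whose name carries a document extension before ".msc"
# (assumption: the article only says the script posed as a Word document).
DECOY_EXT_RE = re.compile(r"\.(docx?|rtf|xlsx?|pdf)\.msc\b", re.IGNORECASE)

# Path fragments treated as user-writable (assumption for the demo).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Roots from which a freshly installed service is considered expected.
TRUSTED_SERVICE_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Interpreters/LOLBins that mmc.exe has no routine reason to launch (assumption).
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe",
}

# Constructed sample events: one decoy console, one benign console, one
# child process of mmc.exe, one service in a user profile, one benign service.
SAMPLE_EVENTS = [
    'event=process_create parent=explorer.exe image=C:\\Windows\\System32\\mmc.exe '
    'cmdline="mmc.exe C:\\Users\\u\\Downloads\\Report.docx.msc"',
    'event=process_create parent=explorer.exe image=C:\\Windows\\System32\\mmc.exe '
    'cmdline="mmc.exe C:\\Windows\\System32\\services.msc"',
    'event=process_create parent=mmc.exe '
    'image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'cmdline="powershell -w hidden -enc AAAA"',
    'event=service_install name=UpdaterSvc '
    'image_path=C:\\Users\\u\\AppData\\Roaming\\svc.exe start=auto',
    'event=service_install name=wuauserv '
    'image_path=C:\\Windows\\System32\\svchost.exe start=auto',
]


def parse_event(line):
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def basename(path):
    """Lower-cased file name of a Windows path or bare executable name."""
    return PureWindowsPath(path).name.lower()


def check_event(ev):
    """Return the names of every rule that fires for a single parsed event."""
    hits = []
    kind = ev.get("event")
    if kind == "process_create":
        image = basename(ev.get("image", ""))
        parent = basename(ev.get("parent", ""))
        cmdline = ev.get("cmdline", "")
        if image == "mmc.exe":
            low = cmdline.lower()
            # Console file with a document-looking name, or opened from a
            # user-writable location rather than System32.
            if DECOY_EXT_RE.search(cmdline) or any(d in low for d in USER_WRITABLE):
                hits.append("mmc_decoy_console")
        if parent == "mmc.exe" and image in SCRIPT_HOSTS:
            # mmc.exe handing off to an interpreter: typical second-stage hop.
            hits.append("mmc_spawned_script_host")
    elif kind == "service_install":
        path = ev.get("image_path", "").lower()
        # Persistence as a service whose binary lives outside trusted roots.
        if path and not path.startswith(TRUSTED_SERVICE_ROOTS):
            hits.append("service_outside_trusted_roots")
    return hits


def scan(lines):
    """Return (line_index, rule_name) pairs for every rule that fires."""
    findings = []
    for idx, line in enumerate(lines):
        for rule in check_event(parse_event(line)):
            findings.append((idx, rule))
    return findings


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {SAMPLE_EVENTS[idx]}")
```

Run as-is it flags the decoy console, the PowerShell child of mmc.exe and the service installed from a roaming profile, and stays quiet on services.msc and svchost.exe. In a real environment the same three rules map onto Sysmon process-creation and service-install events (or the equivalent EDR telemetry); the path and extension lists would be tuned to the estate rather than hard-coded.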

The upgraded RAT supports dozens of commands, allowing attackers to manage services on the compromised device, execute shell commands, spawn and kill processes, and manage files, among other things. MysterySnail was first spotted almost four years ago in widespread espionage attacks against IT companies, military/defense contractors, and diplomatic entities in Russia and Mongolia.

The IronHusky hacking group was first detected by Kaspersky in 2017 while investigating a campaign targeting Russian and Mongolian government entities with the end goal of collecting intelligence on Russian-Mongolian military negotiations. The Chinese APT was also observed exploiting a Microsoft Office memory corruption vulnerability (CVE-2017-11882) to spread RATs typically used by Chinese hacking groups, including PoisonIvy and PlugX.

The Kaspersky report published on Thursday includes indicators of compromise and additional technical details about IronHusky's recent attacks using the MysterySnail RAT. This latest update serves as a reminder for organizations to remain vigilant against cyber threats and implement robust security measures to protect themselves against such attacks.
