MysterySnail Malware Exploits Another Windows Zero-day


October 18, 2021


Update your antivirus and OS, because there’s yet another zero-day vulnerability in Windows operating systems.

Researchers at Kaspersky have discovered a string of attacks conducted by a Chinese APT hacking group in late August and early September. The attackers focused on a zero-day vulnerability in the Windows Win32k driver that was unpatched at the time. This elevation-of-privilege exploit then served the hackers in deploying MysterySnail RAT, a trojan designed to give them access to Windows-running devices.

Here’s a list of operating systems affected by this exploit:

  • Microsoft Windows Vista
  • Microsoft Windows 7
  • Microsoft Windows 8
  • Microsoft Windows 8.1
  • Microsoft Windows Server 2008
  • Microsoft Windows Server 2008 R2
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows 10 (build 14393)
  • Microsoft Windows Server 2016 (build 14393)
  • Microsoft Windows 10 (build 17763)
  • Microsoft Windows Server 2019 (build 17763)

At the point of discovery, traces of the attacks had only been found on Windows Server machines, but researchers warn that the exploit can just as easily affect Windows client versions. The trojan works in several steps, supports no fewer than 20 commands along the way, and even includes measures against analysis in a lab environment.

“The malware enumerates the values under the ‘Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer’ registry key and uses them to request tunneling through a proxy server in case it fails to connect to the C2 directly.

The malware itself is not very sophisticated and has functionality similar to many other remote shells. But it still somehow stands out, with a relatively large number of implemented commands and extra capabilities like monitoring for inserted disk drives and the ability to act as a proxy,” writes Costin Raiu, director of the global research and analysis team at Kaspersky Labs.
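The proxy fallback Raiu describes is useful for defenders to model: if an analyst knows what a host's ProxyServer value looks like, they know which egress endpoints an implant of this kind would try after a failed direct connection and can stage or monitor them. The helper below is an added example, not Kaspersky's or the malware's code; the registry values and the C2 address are constructed placeholders, and the two value formats (a single host:port, or a ';'-separated per-protocol list) are the documented Windows conventions for that registry value.

```python
import re
from dataclasses import dataclass

# Constructed sample values in the two formats Windows uses for the
# "ProxyServer" value under Software\Microsoft\Windows\CurrentVersion\Internet Settings:
# a single host:port for all protocols, or a ';'-separated per-protocol list.
SAMPLE_PROXYSERVER_VALUES = [
    "proxy.corp.example:8080",
    "http=proxy1.corp.example:3128;https=proxy2.corp.example:3129;ftp=ftp.corp.example:21",
]


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int
    via: str  # "direct" for the C2 itself, "proxy" for a registry-derived proxy


def parse_proxyserver(value: str) -> dict[str, tuple[str, int]]:
    """Return {scheme: (host, port)} for one ProxyServer value; '*' means all protocols."""
    proxies: dict[str, tuple[str, int]] = {}
    for entry in filter(None, value.split(";")):
        scheme, _, hostport = entry.rpartition("=")  # empty scheme -> applies to every protocol
        match = re.fullmatch(r"\s*([^:\s]+):(\d+)\s*", hostport)
        if not match:
            continue  # malformed entry: skip rather than guess
        proxies[scheme or "*"] = (match.group(1), int(match.group(2)))
    return proxies


def connection_plan(c2_host: str, c2_port: int, registry_values: list[str],
                    want_scheme: str = "https") -> list[Endpoint]:
    """Ordered endpoints an implant following the described logic would contact:
    the C2 directly first, then each usable proxy taken from the registry values.
    Defenders can turn this list into network-monitoring expectations for a host."""
    plan = [Endpoint(c2_host, c2_port, "direct")]
    for value in registry_values:
        proxies = parse_proxyserver(value)
        chosen = proxies.get(want_scheme) or proxies.get("*")
        if chosen:
            endpoint = Endpoint(chosen[0], chosen[1], "proxy")
            if endpoint not in plan:
                plan.append(endpoint)
    return plan


if __name__ == "__main__":
    # "c2.example.test" is a constructed placeholder, not a real indicator.
    for step in connection_plan("c2.example.test", 443, SAMPLE_PROXYSERVER_VALUES):
        print(f"{step.via:7} {step.host}:{step.port}")
```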

As usual with exploits of this kind, Microsoft was promptly notified and has already issued a patch for the vulnerability, tracked as CVE-2021-40449. So, once again, update your Windows OS as soon as you can, especially if you’re running Windows Server, since that is what the hackers are targeting in this campaign. For extra security, install Kaspersky antivirus on your home and office machines, as this was the company that discovered the attacks in the first place.
