MysterySnail crawls through zero-day vulnerability

Our security technologies detected the exploitation of a previously unknown vulnerability in the Win32k driver.

Our Behavioral Detection Engine and Exploit Prevention technologies recently detected the exploitation of a vulnerability in the Win32k kernel driver, leading to an investigation of the entire cybercriminal operation behind the exploitation. We reported the vulnerability (CVE-2021-40449) to Microsoft, and the company patched it in a regular update released on October 12. Therefore, as usual after Patch Tuesday, we recommend updating Microsoft Windows as soon as possible.

What CVE-2021-40449 was used for

CVE-2021-40449 is a use-after-free vulnerability in the NtGdiResetDC function of the Win32k driver. A detailed technical description is available in our Securelist post, but, in short, the vulnerability can lead to leakage of kernel module addresses in the computer’s memory. Cybercriminals then use the leak to elevate the privileges of another malicious process.

Through privilege escalation, attackers were able to download and launch MysterySnail, a Remote Access Trojan (RAT) that gives attackers access to the victim’s system.

What MysterySnail does

The Trojan begins by gathering information about the infected system and sends it to the C&C server. Then, through MysterySnail, the attackers can issue various commands. For example, they can create, read, or delete a specific file; create or delete a process; get a directory list; or open a proxy channel and send data through it.

MysterySnail’s other features include the ability to view the list of connected drives, to monitor the connection of external drives in the background, and more. The Trojan can also launch the cmd.exe interactive shell (by copying the cmd.exe file to a temporary folder under a different name).

Attacks through CVE-2021-40449

The exploit for this vulnerability covers a string of operating systems in the Microsoft Windows family: Vista, 7, 8, 8.1, Server 2008, Server 2008 R2, Server 2012, Server 2012 R2, Windows 10 (build 14393), Server 2016 (build 14393), 10 (build 17763), and Server 2019 (build 17763). According to our experts, the exploit exists specifically to escalate privileges on server versions of the OS.

After detecting the threat, our experts established that the exploit and the MysterySnail malware it loads into the system have seen wide use in espionage operations against IT companies, diplomatic organizations, and companies working for the defense industry.

Thanks to the Kaspersky Threat Attribution Engine, our experts were able to find similarities in the code and functionality of MysterySnail and malware used by the IronHusky group. Moreover, a Chinese-language APT group used some of the MysterySnail’s C&C server addresses in 2012.

For more information about the attack, including a detailed description of the exploit and indicators of compromise, see our Securelist post.

How to stay safe

Start by installing the latest patches from Microsoft, and avoid being hit by future zero-day vulnerabilities by installing robust security solutions that proactively detect and stop exploitation of vulnerabilities on all computers with Internet access. Behavioral Detection Engine and Exploit Prevention technologies, such as those in Kaspersky Endpoint Security for Business, detected CVE-2021-40449.