Chinese group APT IronHusky exploits zero-day Windows Server privilege escalation


One of the vulnerabilities Microsoft corrected on Tuesday has been exploited by a Chinese cyber espionage group since at least August. The attack campaigns targeted IT companies, defense contractors and diplomatic entities.

According to Kaspersky Lab researchers, the malware deployed with the exploit and its command-and-control infrastructure point to a connection with a Chinese APT group known as IronHusky, which has been operating since 2017, and also with other China-based APT activity going back to 2012.

Privilege Escalation Vulnerability in Windows GDI Driver

The group has been observed exploiting a previously unknown vulnerability in Win32k.sys, a system driver that is part of the Windows Graphics Device Interface (GDI) and has been a common source of vulnerabilities in the past. The flaw, tracked as CVE-2021-40449, affects all supported and unsupported versions of Windows and allows code to run with system privileges.

Since this is a privilege escalation vulnerability, it is used only to gain complete control over targeted systems once access has been obtained; it is not the initial entry vector. The exploit used in the attacks borrows code from a public exploit for another Win32k vulnerability patched in 2016 (CVE-2016-3309). Although the exploit was written to support all versions of Windows since Vista, Kaspersky researchers have only seen it used against Windows servers.

“In the discovered exploit, attackers are able to achieve the desired memory state using GDI palette objects and use a single call to a kernel function to create a read and write primitive from kernel memory,” the researchers said in their report. “This step is easily accomplished, as the exploitation process runs with Medium IL and therefore it is possible to use publicly known techniques to disclose the kernel addresses of currently loaded kernel drivers/modules. In our opinion, it would be better if Medium IL processes had limited access to functions such as NtQuerySystemInformation or EnumDeviceDrivers.”

MysterySnail RAT

The attackers used the elevation-of-privilege exploit to deploy a remote access Trojan (RAT) that Kaspersky dubbed MysterySnail. Attackers can use this malicious program to execute Windows shell commands, collect information about disks and folders, delete, read and download files, kill processes, and more.

A sample of the malware was first uploaded to the VirusTotal database on August 10 and is notable for its unusually large size of 8.29MB. This is because the malware bundles a stand-alone copy of the OpenSSL library, which it uses for encrypted communications, together with two very large functions that only waste CPU clock cycles and are probably meant to evade emulation and antivirus detection.

Another interesting feature is that the malware attempts to tunnel its communications through a proxy server if the direct connection to the command-and-control server is blocked. It does this by enumerating the values under the “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer” registry key.
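For an analyst checking which egress path a compromised host's user context would have offered, it helps to know how that per-user proxy setting is structured. The following is an added example, not code from the article or from Kaspersky's report: it interprets the ProxyServer value in the two layouts Windows uses (a single "host:port" applied to every protocol, or a semicolon-separated list of "scheme=host:port" entries) and reports whether a connection of a given scheme would go direct or through a proxy. The sample values are constructed for illustration; the function names are the author's own.

```python
"""Interpret the per-user ProxyServer setting that MysterySnail enumerates.

Added example, not from the article or the Kaspersky report. ProxyServer
(under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings)
is either a bare "host:port" that applies to all protocols, or a list of
"scheme=host:port" entries separated by ';'. Sample values below are
constructed, not taken from any real host.
"""
from typing import Dict

# Protocol keys WinINet recognises in a per-scheme ProxyServer value.
SCHEMES = ("http", "https", "ftp", "socks")


def parse_proxy_server(value: str) -> Dict[str, str]:
    """Return a mapping scheme -> "host:port" as the setting would apply.

    A value without '=' is a single proxy for every scheme. Unknown or
    malformed entries are skipped rather than raising, since an analyst
    may be feeding in values exported from many user hives.
    """
    result: Dict[str, str] = {}
    value = value.strip()
    if not value:
        return result
    if "=" not in value:
        # Single proxy for all protocols.
        return {scheme: value for scheme in SCHEMES}
    for entry in value.split(";"):
        entry = entry.strip()
        if "=" not in entry:
            continue
        scheme, _, target = entry.partition("=")
        scheme = scheme.strip().lower()
        target = target.strip()
        if scheme in SCHEMES and target:
            result[scheme] = target
    return result


def egress_for(value: str, scheme: str = "https") -> str:
    """Describe the path a connection of the given scheme would take."""
    proxies = parse_proxy_server(value)
    if scheme in proxies:
        return f"via proxy {proxies[scheme]}"
    return "direct"


def main() -> None:
    # Constructed sample values, one per fictitious user hive.
    samples = {
        "alice": "proxy.corp.example:8080",
        "bob": "http=10.0.0.5:3128;https=10.0.0.5:3128",
        "carol": "",
        "dave": "http=10.0.0.5:3128",
    }
    for user, value in samples.items():
        print(f"{user:6} https egress: {egress_for(value, 'https')}")


if __name__ == "__main__":
    main()
```

One caveat when using this against real exports: Windows only honours ProxyServer when the neighbouring ProxyEnable value is set to 1, so a populated ProxyServer on a host with ProxyEnable set to 0 does not by itself mean the RAT would have had a working tunnel.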

“The analysis of the MysterySnail RAT helped us discover campaigns using other variants of the analyzed malware as well as study and document code changes made to this tool over a six-month period,” the researchers said. “With the help of Kaspersky Threat Attribution Engine (KTAE) and the discovery of the first variants of MysterySnail RAT, we were able to find a direct overlap of code and functionality with malware attributed to actor IronHusky.”

IronHusky has been conducting cyber espionage campaigns since 2017, and its previous selection of targets suggested a geopolitical agenda. For example, the group targeted Mongolian government entities, which are not a common target, ahead of a meeting with the International Monetary Fund in 2018. Before that, the group was seen targeting Russian military contractors. At the time, it was using off-the-shelf Trojans like PlugX and PoisonIvy that were typical of Chinese APT activity.

Copyright © 2021 IDG Communications, Inc.
