Threat Signal Report
New Windows Vulnerability Leveraged as a 0-day to Install MysterySnail RAT
FortiGuard Labs is aware of a report that a new Windows 0-day vulnerability (CVE-2021-40449) was used to download and launch MysterySnail Remote Access Trojan (RAT) in late August and early September 2021. According to a blog posted by security vendor Kaspersky, the vulnerability was leveraged by the threat actor IronHusky. In the past, the threat actor reportedly used MysterySnail variants against targeted IT companies, military/defense contractors, and diplomatic entities for cyber espionage. Microsoft released a patch for CVE-2021-40449 on October 12th, 2021, as part of its October 2021 Patch Tuesday.
Why is this Significant?
CVE-2021-40449 was exploited as a 0-day by a threat actor identified by Kaspersky as IronHusky in order to download and launch MysterySnail RAT. According to their blog, the vulnerability was exploited in late August and early September 2021.
What are the Technical Details of the Vulnerability?
The vulnerability (CVE-2021-40449) is a "use-after-free" vulnerability in the Win32k kernel driver which leads to the leakage of kernel module addresses in the compromised computer's memory. Threat actors can then leverage the leak for privilege escalation when using another malicious process. Microsoft rated severity of the vulnerability as important. CVE-2021-40449 is also a patch-bypass for an old Kernel Elevation of Privilege vulnerability in Windows (CVE-2016-3309), which Microsoft patched in August 2016.
Has Microsoft Released an Advisory for CVE-2021-40449?
Yes, Microsoft released an advisory on October 12th, 2021. See the Appendix for a link to "Win32k Elevation of Privilege Vulnerability - CVE-2021-40449".
Which Version(s) of Windows are Vulnerable?
The Microsoft advisory states the following Windows versions are vulnerable:
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- Windows 7
- Windows RT 8.1
- Windows 8.1
- Windows 10
- Windows 11
Has Microsoft Released a Patch for CVE-2021-40449?
Yes. Microsoft has released a patch on October 12th, 2021, as part of the October 2021 Patch Tuesday.
Is Proof-of-Concept (PoC) or Exploit Code for CVE-2021-40449 Publicly Available?
At the time of this writing, FortiGuard Labs is not aware of publicly available PoC or exploit code for CVE-2021-40449.
What is MysterySnail?
MysterySnail is a Remote Access Trojan (RAT) used by the threat actor "IronHusky". The RAT connects to its Command and Control (C&C) server and performs actions according to the commands it receives.
Upon infection, MysterySnail collects and sends information back to its C&C server about the compromised machine, such as the computer name, current OEM code-page/default identifier, Windows product name, local IP address, logged-in username and the (attack) campaign name.
Commands available to MysterySnail include launching and killing the interactive cmd.exe shell, spawning new processes, getting directory lists, listing existing disk drivers and their list, killing processes, deleting files, reading files and terminating file reading operations, opening and closing proxied connections and sending data to the proxied connections.
What is IronHusky?
IronHusky is an APT group that has reportedly targeted IT companies, military/defense contractors, and diplomatic entities for cyber espionage.
What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against MysterySnail:
All known network IOC's related to this threat are blocked by the FortiGuard WebFiltering Client.
We will update this threat signal with any other feasible updates once they become available.
Win32k Elevation of Privilege Vulnerability - CVE-2021-40449 (Microsoft)
Windows Kernel Elevation of Privilege Vulnerability - CVE-2016-3309 (Microsoft)
MysterySnail attacks with Windows zero-day (Kaspersky)