Threat Signal Report

New Windows Vulnerability Leveraged as a 0-day to Install MysterySnail RAT

Description

FortiGuard Labs is aware of a report that a new Windows 0-day vulnerability (CVE-2021-40449) was used to download and launch MysterySnail Remote Access Trojan (RAT) in late August and early September 2021. According to a blog posted by security vendor Kaspersky, the vulnerability was leveraged by the threat actor IronHusky. In the past, the threat actor reportedly used MysterySnail variants against targeted IT companies, military/defense contractors, and diplomatic entities for cyber espionage. Microsoft released a patch for CVE-2021-40449 on October 12th, 2021, as part of its October 2021 Patch Tuesday.


Why is this Significant?

CVE-2021-40449 was exploited as a 0-day by a threat actor identified by Kaspersky as IronHusky to download and launch MysterySnail RAT. According to the Kaspersky blog, the vulnerability was exploited in late August and early September 2021.


What are the Technical Details of the Vulnerability?

The vulnerability (CVE-2021-40449) is a "use-after-free" vulnerability in the Win32k kernel driver that leads to the leakage of kernel module addresses in the compromised computer's memory. Threat actors can then leverage the leak from another malicious process to escalate privileges. Microsoft rated the severity of the vulnerability as Important. CVE-2021-40449 is also a patch bypass for an older Windows Kernel Elevation of Privilege vulnerability (CVE-2016-3309), which Microsoft patched in August 2016.


Has Microsoft Released an Advisory for CVE-2021-40449?

Yes, Microsoft released an advisory on October 12th, 2021. See the Appendix for a link to "Win32k Elevation of Privilege Vulnerability - CVE-2021-40449".


Which Version(s) of Windows are Vulnerable?

The Microsoft advisory states the following Windows versions are vulnerable:

  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022
  • Windows 7
  • Windows RT 8.1
  • Windows 8.1
  • Windows 10
  • Windows 11


Has Microsoft Released a Patch for CVE-2021-40449?

Yes. Microsoft released a patch on October 12th, 2021, as part of the October 2021 Patch Tuesday.
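The following PowerShell triage check is an added example and is not part of the FortiGuard report; it tests whether a host's OS matches the affected-version list above and whether any update has been installed since the October 12th, 2021 Patch Tuesday. The KB identifier is a placeholder, since the report does not list one: take it from the Microsoft advisory for your exact build.

```powershell
# Added example, not from the FortiGuard report: patch-status triage for CVE-2021-40449.
# Assumptions: run on the host being checked; $KbPlaceholder must be replaced with the
# KB number from the Microsoft advisory for this build. Get-HotFix only lists entries
# recorded in Win32_QuickFixEngineering, so treat the result as indicative, not proof.
$PatchDate     = Get-Date -Date '2021-10-12'
$KbPlaceholder = 'KB_FROM_MS_ADVISORY'   # placeholder, replace before use

$os = Get-CimInstance -ClassName Win32_OperatingSystem

# Versions named as vulnerable in the Microsoft advisory (per the report above).
$affected = @('Windows Server 2008', 'Windows Server 2012', 'Windows Server 2016',
              'Windows Server 2019', 'Windows Server 2022', 'Windows 7',
              'Windows RT 8.1', 'Windows 8.1', 'Windows 10', 'Windows 11')
$inScope = $affected | Where-Object { $os.Caption -like "*$_*" }

# Win32k fixes ship in the monthly cumulative/security update, so look at the
# newest installed update and at the specific KB if one is known.
$hotfixes  = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending
$latest    = $hotfixes | Select-Object -First 1
$kbPresent = Get-HotFix -Id $KbPlaceholder -ErrorAction SilentlyContinue

[pscustomobject]@{
    ComputerName             = $env:COMPUTERNAME
    OSCaption                = $os.Caption
    Build                    = $os.BuildNumber
    InAffectedList           = [bool]$inScope
    LatestUpdate             = if ($latest) { $latest.HotFixID } else { 'none' }
    LatestUpdateDate         = if ($latest) { $latest.InstalledOn } else { $null }
    UpdatedSincePatchTuesday = [bool]($latest -and $latest.InstalledOn -ge $PatchDate)
    KbPresent                = [bool]$kbPresent
}
```

A host that is InAffectedList with UpdatedSincePatchTuesday false (or KbPresent false once the real KB is filled in) should be prioritised for patching.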


Is Proof-of-Concept (PoC) or Exploit Code for CVE-2021-40449 Publicly Available?

At the time of this writing, FortiGuard Labs is not aware of publicly available PoC or exploit code for CVE-2021-40449.


What is MysterySnail?

MysterySnail is a Remote Access Trojan (RAT) used by the threat actor "IronHusky". The RAT connects to its Command and Control (C&C) server and performs actions according to the commands it receives.


Upon infection, MysterySnail collects and sends information back to its C&C server about the compromised machine, such as the computer name, current OEM code-page/default identifier, Windows product name, local IP address, logged-in username and the (attack) campaign name.


Commands available to MysterySnail include launching and killing the interactive cmd.exe shell, spawning new processes, getting directory listings, listing existing disk drives, killing processes, deleting files, reading files and terminating file-reading operations, opening and closing proxied connections, and sending data to the proxied connections.


What is IronHusky?

IronHusky is an APT group that has reportedly targeted IT companies, military/defense contractors, and diplomatic entities for cyber espionage.


What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against MysterySnail:

  • W64/MysterySnail.A!tr


All known network IOCs related to this threat are blocked by the FortiGuard WebFiltering Client.


We will update this Threat Signal as further relevant information becomes available.


Definitions

Traffic Light Protocol

Each level below is described by its color, when it should be used, and how it may be shared.

TLP: RED

Not for disclosure, restricted to participants only.
When should it be used? Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused.
How may it be shared? Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
When should it be used? Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.
How may it be shared? Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
When should it be used? Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.
How may it be shared? Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
When should it be used? Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.
How may it be shared? Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.