“Mystery Snail” Exploit used to Hijack Windows Server Deployments

Researchers have dissected a strange new remote access trojan (RAT) that used a zero-day flaw in a core Windows driver to carry out a privilege escalation attack.

The exploit was discovered and reported by Kaspersky and addressed in the October 2021 Patch Tuesday release.

“The exploit had numerous debug strings from an older, publicly known exploit for vulnerability CVE-2016-3309, but a closer analysis revealed that it was a zero-day. We discovered that it was using a previously unknown vulnerability in the Win32k driver…,” observed the researchers.

The trojan’s code and its use of command and control (C2) infrastructure link the attack to IronHusky, according to researchers. Kaspersky, which discovered the malware, named it MysterySnail.

Exploit based on a previously unknown flaw

The exploit was found to be written for the latest Windows 10 and Windows Server 2019 releases, as well as earlier versions, even supported ones, all the way back to Windows Vista.

The malware’s payload resembled numerous variants used in large-scale espionage operations against IT firms, military and defense contractors, and diplomatic organizations.

“With OS and application vulnerabilities arising almost daily, it’s clear that attackers are hard at work in discovering new exploits. Monitoring for unusual activity is one of the only ways of making sure that such breaches are caught and addressed quickly,” says Saryu Nayyar, CEO of security vendor Gurucul.

Furthermore, YouAttest, a proficiency assessment company, believes that comprehensive and regular identity reviews will also help defang privilege escalation.

“Enterprises must practice identity security and have alerts on privilege escalation and conduct regular reviews of identities to ensure the principle of least privilege is practiced across the enterprise – to ensure once a credential is compromised, the proper alerts occur and the damage is minimized,” believes Garret Grajek, CEO, YouAttest.