Researchers at Kaspersky have identified the resurgence of MysterySnail RAT, a Remote Access Trojan (RAT) previously attributed to the Chinese cyber espionage group IronHusky APT. After years without public reporting, the malware is now being used against government entities in Mongolia and Russia. The renewed activity shows how espionage groups keep refining their tooling while staying focused on the same geopolitical targets.
MysterySnail RAT was originally discovered in 2021 during Kaspersky's investigation into CVE-2021-40449, a Windows kernel (Win32k) privilege-escalation zero-day. At that time it was linked to IronHusky, a group active since at least 2017. After that initial report, no further public details about MysterySnail RAT emerged. Recent findings, however, show a new variant actively targeting government organizations in Mongolia and Russia. This matches earlier intelligence on IronHusky's interest in those two countries and suggests that the RAT never went away but was used quietly for several years.
The latest iteration of MysterySnail RAT begins its attack chain with a malicious MMC script disguised as a document from Mongolia's National Land Agency. The script downloads a ZIP archive containing both a second-stage payload and a benign decoy document shown to the victim. Once the archive is extracted, the legitimate CiscoCollabHost.exe is launched and, through DLL sideloading, loads the malicious CiscoSparkLauncher.dll placed beside it; the legitimate binary provides cover, while the DLL acts as a backdoor that handles command and control (C2) communications.
This new version of MysterySnail RAT supports roughly 40 distinct commands, letting its operators manage files, run system commands through cmd.exe, control services, and connect to network resources. Unlike the 2021 version, which carried its functionality in a single malicious component, the updated RAT delegates command execution to additional DLL modules, spreading the malicious logic across several files so that no single component exposes the full capability to a scanner.
The recent version also maintains persistence on infected systems by installing itself as a Windows service. Its payload is stored encrypted, using RC4 and XOR, inside the malicious DLL and is decrypted and executed in memory through DLL hollowing, so the decrypted code never has to be written to disk, which complicates file-based detection.
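The three host-side behaviours in the two paragraphs above (a console file opened from a user-writable location, the legitimate CiscoCollabHost.exe loading CiscoSparkLauncher.dll from somewhere other than a real install, and a service pointing at that binary) can be hunted for in endpoint telemetry. The following is an added example of such a hunt; it is my own illustration, not Kaspersky's code or anything from the campaign. The events are constructed, Sysmon-style key=value lines, and the allowed install directories, user-writable path fragments, user name and service name are assumptions chosen for the illustration.

```python
import re

# Names taken from the report: the legitimate host binary and the sideloaded DLL.
HOST_EXE = "ciscocollabhost.exe"
SIDELOADED_DLL = "ciscosparklauncher.dll"

# Assumption for illustration: the only directories where the genuine binary is
# expected to live. Replace with the install paths from your software inventory.
ALLOWED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Assumption: path fragments that mark user-writable staging locations.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")

# Constructed, Sysmon-style events (EventID 7 = image load, 1 = process create,
# 7045 = service installed). They are not real telemetry from the campaign.
CONSTRUCTED_EVENTS = [
    r'EventID=7 Image="C:\Program Files\Cisco Spark\CiscoCollabHost.exe" '
    r'ImageLoaded="C:\Program Files\Cisco Spark\CiscoSparkLauncher.dll" Signed=true',
    r'EventID=1 Image="C:\Windows\System32\mmc.exe" '
    r'CommandLine="mmc.exe C:\Users\alice\Downloads\land_agency_doc.msc"',
    r'EventID=7 Image="C:\Users\alice\AppData\Local\Temp\doc\CiscoCollabHost.exe" '
    r'ImageLoaded="C:\Users\alice\AppData\Local\Temp\doc\CiscoSparkLauncher.dll" Signed=false',
    r'EventID=7045 ServiceName="CiscoCollabSvc" '
    r'ImagePath="C:\Users\alice\AppData\Local\Temp\doc\CiscoCollabHost.exe"',
]

# key=value or key="value with spaces"
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value line into a dict of field name -> value."""
    return {k: (q or u) for k, q, u in FIELD_RE.findall(line)}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def in_allowed_dir(path):
    return path.lower().startswith(ALLOWED_DIRS)


def check_event(ev):
    """Return a finding string for one parsed event, or None if it looks benign."""
    eid = ev.get("EventID")
    if eid == "7":
        host, dll = ev.get("Image", ""), ev.get("ImageLoaded", "")
        if basename(host) == HOST_EXE and basename(dll) == SIDELOADED_DLL:
            # A genuine install keeps both files under an allowed directory and
            # the loaded DLL is signed; anything else is a sideload candidate.
            if not (in_allowed_dir(host) and in_allowed_dir(dll)
                    and ev.get("Signed", "").lower() == "true"):
                return f"sideload: {host} loaded {dll} (Signed={ev.get('Signed')})"
    elif eid == "7045":
        # ImagePath may carry quotes and arguments; keep the part up to ".exe".
        image = ev.get("ImagePath", "").strip('"')
        cut = image.lower().find(".exe")
        exe = image[: cut + 4] if cut >= 0 else image
        if basename(exe) == HOST_EXE and not in_allowed_dir(exe):
            return f"service persistence: {ev.get('ServiceName')} -> {exe}"
    elif eid == "1" and basename(ev.get("Image", "")) == "mmc.exe":
        cmd = ev.get("CommandLine", "").lower()
        if ".msc" in cmd and any(frag in cmd for frag in USER_WRITABLE):
            return f"mmc opened console file from user-writable path: {ev.get('CommandLine')}"
    return None


def hunt(lines):
    """Run every rule over every line; returns [(line_index, finding), ...]."""
    findings = []
    for i, line in enumerate(lines):
        finding = check_event(parse_event(line))
        if finding:
            findings.append((i, finding))
    return findings


if __name__ == "__main__":
    for i, finding in hunt(CONSTRUCTED_EVENTS):
        print(f"event {i}: {finding}")
```

The first event, a properly located and signed load, produces no finding; the other three are flagged. The image-load rule deliberately treats a signed DLL in an unexpected directory as suspicious as well, because the decision rests on both location and signature, not on either alone.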
After the initial intrusions were detected and blocked, the attackers deployed a streamlined version named MysteryMonoSnail. This variant is simpler, consisting of a single component, and talks to the same C2 infrastructure as the original RAT, but over the WebSocket protocol instead of plain HTTP. Its command set is reduced to basic operations such as listing directories and launching processes.
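The transport switch in the paragraph above matters for network detection: a rule written around the original variant's HTTP requests does not fire on a WebSocket handshake to the same host. The following added example, my own code rather than Kaspersky's or the malware's, parses constructed HTTP/1.1 requests, recognizes the RFC 6455 client handshake, computes the Sec-WebSocket-Accept value a server must return for the upgrade to complete, and contrasts a method-keyed rule with a destination-keyed one. The host name, paths and request bodies are constructed placeholders; the campaign's real C2 indicators are not reproduced on this page.

```python
import base64
import hashlib

# Assumption: placeholder standing in for the C2 host shared by both variants.
# Substitute the indicators from your own threat intelligence.
WATCHED_HOSTS = {"c2.example.invalid"}

# RFC 6455 constant used to derive Sec-WebSocket-Accept from the client key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Constructed requests, not captured campaign traffic.
CONSTRUCTED_REQUESTS = [
    # 0: plain HTTP beacon, the transport the original RAT is described as using.
    "POST /update HTTP/1.1\r\nHost: c2.example.invalid\r\n"
    "Content-Type: application/octet-stream\r\nContent-Length: 4\r\n\r\nping",
    # 1: WebSocket upgrade to the same host, as described for MysteryMonoSnail.
    "GET /ws HTTP/1.1\r\nHost: c2.example.invalid\r\nUpgrade: websocket\r\n"
    "Connection: keep-alive, Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 13\r\n\r\n",
    # 2: unrelated WebSocket upgrade to a benign host.
    "GET /chat HTTP/1.1\r\nHost: www.example.com\r\nUpgrade: websocket\r\n"
    "Connection: Upgrade\r\nSec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw==\r\n"
    "Sec-WebSocket-Version: 13\r\n\r\n",
]


def parse_request(raw):
    """Split an HTTP/1.1 request into (method, target, headers); header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def is_websocket_upgrade(headers):
    """RFC 6455 client handshake: Upgrade: websocket, an 'upgrade' Connection token, and a key."""
    connection_tokens = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    return (headers.get("upgrade", "").lower() == "websocket"
            and "upgrade" in connection_tokens
            and "sec-websocket-key" in headers)


def classify(raw):
    """'websocket' for a handshake request, 'http' for anything else."""
    _method, _target, headers = parse_request(raw)
    return "websocket" if is_websocket_upgrade(headers) else "http"


def expected_accept(client_key):
    """Sec-WebSocket-Accept the server must send back; a matching value means the channel went live."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def naive_rule(raw):
    """A beacon rule written for the HTTP variant: POSTs to a watched host only."""
    method, _target, headers = parse_request(raw)
    return method == "POST" and headers.get("host", "").lower() in WATCHED_HOSTS


def hunt_requests(raw_requests):
    """Flag every request to a watched host, whatever the transport; returns [(index, transport)]."""
    findings = []
    for i, raw in enumerate(raw_requests):
        _method, _target, headers = parse_request(raw)
        if headers.get("host", "").lower() in WATCHED_HOSTS:
            findings.append((i, classify(raw)))
    return findings


if __name__ == "__main__":
    for i, raw in enumerate(CONSTRUCTED_REQUESTS):
        print(i, classify(raw), "naive:", naive_rule(raw))
    print("destination-keyed:", hunt_requests(CONSTRUCTED_REQUESTS))
```

The method-keyed rule catches only request 0; the destination-keyed hunt catches requests 0 and 1 and reports which transport each used, which is the signal an analyst needs to notice that the same infrastructure has been re-used with a different protocol. Checking the server's Sec-WebSocket-Accept against expected_accept() separates completed WebSocket sessions from failed or probing upgrade attempts.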
The resurgence of MysterySnail RAT is a reminder that malware can evolve quietly and resurface years later, which calls for continued vigilance and adaptation from defenders. Mapping the techniques seen here (a disguised MMC script for initial access, DLL sideloading, service-based persistence, in-memory payload loading, and a change of C2 transport) to the tactics in the MITRE ATT&CK Matrix, from initial access through persistence to exfiltration, helps organizations check their coverage against both this campaign and similar ones. As attack techniques keep changing, preparedness and awareness remain key to protecting sensitive information and operational integrity against established and emerging threats.