In late August and early September 2021, Kaspersky engineerings saw onslaughts with the use of an elevation of privilege exploit on multiple Microsoft Windows servers. The exploit had numerous debug strings from an older, publicly known exploit for vulnerability CVE-2 016 -3 309, but closer analysis revealed that it was a zero-day. We discovered that it was using a previously unknown vulnerability in the Win3 2k driver and exploitation relies heavily on a technique to leak the base addresses of kernel modules. We promptly reported these findings to Microsoft. The datum disclosure component of the exploit chain was identified as not bypassing a security bound, and was therefore not fixed. Microsoft allocated CVE-2 021 -4 0449 to the use-after-free vulnerability in the Win3 2k kernel motorist and it was patched on October 12, 2021, as an integrated part of the October Patch Tuesday.
Besides finding the zero-day in the wild, we “ve assessed the” malware payload applied along with the zero-day exploit, and found that variants of the malware were detected in widespread espionage campaigns against IT companies, military/ defense contractors, and diplomatic entities.
We are calling this cluster of activity MysterySnail. Code similarity and re-use of C2 infrastructure we discovered allowed us to connect these attacks with the actor known as IronHusky and Chinese-speaking APT activity date back to 2012.
Elevation of privilege exploit
The discovered exploit is written to support the following Windows products 😛 TAGEND
Microsoft Windows Vista Microsoft Windows 7 Microsoft Windows 8 Microsoft Windows 8.1 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Server 2012 Microsoft Windows Server 2012 R2 Microsoft Windows 10( construct 14393) Microsoft Windows Server 2016( construct 14393) Microsoft Windows 10( construct 17763) Microsoft Windows Server 2019( develop 17763)
The list of supported products and supported Windows 10 construct numbers, explicit statement of server OSs and the fact that exploits is simply discovered in assaults on servers, all produce us to believe the exploit was developed and advertised as a solution to elevate privileges on servers.
CVE-2 021 -4 0449 is a use-after-free vulnerability in Win3 2k’ s NtGdiResetDC function. As with many other Win3 2k vulnerabilities, the root cause of this vulnerability lies in the ability to set user-mode callbacks and execute unexpected API roles during execution of those callbacks. The CVE-2 021 -4 0449 is triggered when the part ResetDC is executed a second time for the same handle during execution of its own callback. The exploitation process for this vulnerability is as follows 😛 TAGEND
A user-mode call to ResetDC executes syscall NtGdiResetDC and its inner function GreResetDCInternal. This function gets a pointer to a PDC object, and then performs a call to function hdcOpenDCW. Function hdcOpenDCW performs a user-mode callback and it can be used to execute ResetDC for the same handle a second time. If an exploit executes ResetDC during a callback, NtGdiResetDC and GreResetDCInternal are executed again for the same DC. If an exploit dismisses all the callbacks during the second call to GreResetDCInternal, this function will be executed as intended. It will create a new DC and get rid of the old one( the PDC object is destroyed ). In the callback, after the second ResetDC call has completed, the exploit can reclaim the rid recollection of the PDC object and finish the execution of the callback. After execution of the callback, function hdcOpenDCW returns to GreResetDCInternal, but the pointer retrieved in step( 1) is now a dangle pointer- it points to the memory of the previously destroyed PDC object. In the late stage of GreResetDCInternal execution, a malformed PDC object can be used to perform a call to an arbitrary kernel part with controlled parameters.
In the discovered exploit attackers are able to achieve the desired state of remembrance with the use of GDI palette objects and use a single call to a kernel function to build a primitive for reading and writing kernel remembrance. This stair is easily accomplished, because the exploit process is running with Medium IL and therefore it’s possible to use publicly known techniques to leak kernel address of currently loaded drivers/ kernel modules. In our opinion, it would be preferable if the Medium IL processes had restriction access to such functions as NtQuerySystemInformation or EnumDeviceDrivers.
Our deep dive into the MysterySnail RAT family started with an analysis of a previously unknown remote shell-type Trojan that was intended to be executed by an elevation of privilege exploit. The sample which we analyzed was also uploaded to VT on August 10, 2021. The sample is very big- 8.29 MB. One of the reasons for the file size is that it’s statically compiled with the OpenSSL library and contains unused code and data belonging to that library. But the main reason for its sizing is the existence of two very large roles that do nothing but waste processor clock cycles. These parts also “use” randomly generated strings that are also present in a binary.
Random strings are exploited by anti-analysis functions
We assume these two functions are used as an AV-evasion technique for the purpose of anti-emulation. This theory is supported by the presence of other redundant logics and the presence of a relatively large number of exported roles while the real work is performed by only one of them.
Names of exported roles; the actual business logic is executed from function “GetInfo”
The sample has two hardcoded URLs present in plain text- “www[.]disktest[.]com” and “www[.]runblerx[.]com”. They are put into class variables for intended destination, but remain unused; the real C2 address is deciphered by a single byte xor- “http[.]ddspadus[.]com”.
The malware enumerates the values for the purposes of the” Software \ Microsoft \ Windows \ CurrentVersion \ Internet Settings \ ProxyServer” registry key and uses them to request tunneling through a proxy server in case it would be impossible to connect to the C2 directly.
The malware itself is not very sophisticated and has functionality similar to many other remote shells. But it still somehow stands out, with a relatively large number of implemented commands and extra abilities like monitoring for inserted disk drives and the ability to act as a proxy.
Inbound and outbound commands have the same binary-based format that is provided below. All communication is encrypted with SSL.
Offset Description 0 Size of additional data
4 Session ID
8 Command ID
0xC Additional data
Format of communications commands
Before receiving any commands, the malware collects and sends general information about the victim machine. This information includes 😛 TAGEND
Computer name Current OEM code-page/ default identifier Window product epithet Local IP address Logged-in user epithet Campaign name
One interesting reality is that” Campaign name” by default is set to ” windows “. This epithet get overwritten, but it might indicate there are versions of the same RAT compiled for other platforms.
In total, the RAT implements 20 commands. Their description and command IDs are provided in the table below.
Command ID Description 1F4h Launch interactive cmd.exe shell. Before launch cmd.exe is facsimile to the temp folder with a different epithet
1F5h Spawn new process
1F6h Spawn new process( console)
1F7h Get existing disk drives and their type. Such functions also works in the background, checking for new drives
1FAh Get directory listing
1FBh Kill arbitrary process
1FFh Delete file
205 h Re-connect 208 h Set sleep time( in ms)
209 h Shutdown network and exit
20 Ah Exit 20 Bh Kill interactive shell( created with cmd 1F4h)
20 Ch Terminate file read running( started with cmd 202 h)
217 h No procedure
21 Bh Open proxy’ed connection to provided host. Up to 50 simultaneous linkages are supported.
21 Ch Send data to proxy’ed linkage
21 Eh Close all proxy connects
21 Fh Close requested proxy connect
List of commands supported by the RAT
The analysis of the MysterySnail RAT helped us discover campaigns utilizing other variants of the analyzed malware as well as study and record the code varies made to this tool over a six-month period. We offer more info about these variants and campaigns in our private report.
With the aid of Kaspersky Threat Attribution Engine( KTAE) and the discovery of early variants of MysterySnail RAT we were able to find direct code and functionality overlap with the malware attributed to the IronHusky actor. We were also able to discover the re-use of C2 address used in attacks by the Chinese-speaking APT as far back as 2012. This breakthrough relates IronHusky to some of the older known activities.
Kaspersky products detect the CVE-2 021 -4 0449 exploit and related malware with the verdicts 😛 TAGEND
Kaspersky products detected these attacks with the help of the Behavioral Detection Engine and the Exploit Prevention component. CVE-2 021 -4 0449 is the latest addition to the long listing of zero-days discovered in the wild with the help of our technologies. We will continue to improve defenses for our customers by enhancing technologies and working with third-party vendors to patch vulnerabilities, inducing the internet more secure for everyone.
www [.] disktest [.] com www[.]runblerx[.]com http [.] ddspadus [.] com