A Chinese-speaking hacking group exploited a zero-day vulnerability in the Windows Win32k kernel driver to deploy a previously unknown remote access trojan (RAT).
The malware, known as
MysterySnail, was found by Kaspersky security researchers on multiple Microsoft Servers between late August and early September 2021.
They also found an elevation of privilege exploit targeting the Win32k driver security flaw tracked as
CVE-2021-40449 and patched by Microsoft today, as part of this month's Patch Tuesday.
"Besides finding the zero-day in the wild, we analyzed the malware payload used along with the zero-day exploit, and found that variants of the malware were detected in widespread espionage campaigns against IT companies, military/defense contractors, and diplomatic entities," Kaspersky researchers Boris Larin and Costin Raiu
said.
"Code similarity and re-use of C2 infrastructure we discovered allowed us to connect these attacks with the actor known as IronHusky and Chinese-speaking APT activity dating back to 2012."