Chinese hackers have been carrying out attacks using a zero-day elevation-of-privilege exploit. An APT group exploited a zero-day vulnerability in the Windows Win32k kernel driver to develop a new RAT trojan. The exploit contained many debug strings from an older, publicly known exploit for the CVE-2016-3309 vulnerability. The malware has been dubbed MysterySnail.

The privilege escalation exploit used to develop the MysterySnail RAT targets Windows client and server versions, from Windows 7 and Windows Server 2008 to the latest versions, including Windows 11 and Windows Server 2022.

The root cause of this vulnerability lies in the ability to set user-mode callbacks and execute unexpected API functions during the execution of those callbacks. The bug is triggered when the function ResetDC is executed a second time for the same handle during the execution of its own callback, the researchers said.

The uncovered code similarity and the reuse of the C&C infrastructure led researchers to connect these attacks to the IronHusky cyber espionage group. In 2017, researchers discovered that Chinese hackers had begun exploiting the CVE-2017-11882 vulnerability, a memory corruption vulnerability in Microsoft Office, to spread RATs commonly used by Chinese groups, including PlugX and PoisonIvy.

As part of the cyber espionage campaign, the malware collects and steals system information from compromised computers before contacting the command-and-control server for further commands. The RAT can execute various commands on infected machines, such as launching new processes, terminating processes, and more.

The RAT implements a relatively large number of commands and has extra capabilities, such as monitoring for inserted disk drives and the ability to act as a proxy.

The vulnerability, identified as CVE-2021-40449, was fixed by Microsoft as part of this month's Patch Tuesday.