Full Report
Chinese-speaking IronHusky hackers are targeting Russian and Mongolian government organizations using upgraded MysterySnail remote access trojan (RAT) malware. [...]
Analysis Summary
# Threat Actor: IronHusky (Chinese Hackers)
## Attribution & Identity
* **Attribution:** Chinese APT group.
* **Known Aliases and Associated Groups:** None explicitly named beyond the primary actor designation; the group is associated with deploying RATs common to Chinese hacking groups (PoisonIvy, PlugX).
* **Tool Association:** Linked to the deployment of MysterySnail RAT and its variant, MysteryMonoSnail.
## Activity Summary
* **Recent Activity:** Targeting Russian government entities using an upgraded version of the MysterySnail RAT, dubbed **MysteryMonoSnail**. This upgraded version is described as a repurposed and more lightweight version consisting of a single component.
* **Historical Activities:**
  * First spotted by Kaspersky in 2017 targeting Russian and Mongolian government entities to collect intelligence on military negotiations.
  * In 2018, observed exploiting a Microsoft Office memory corruption vulnerability (CVE-2017-11882) to spread RATs commonly used by Chinese groups.
  * In late August 2021, deployed the original MysterySnail RAT in widespread espionage attacks against IT companies, military/defense contractors, and diplomatic entities in Russia and Mongolia, using a zero-day exploit against a Windows kernel driver.
## Tactics, Techniques & Procedures
* **Malware Persistence:** MysterySnail RAT was configured to persist on compromised machines as a service.
* **Command Execution:** The upgraded MysteryMonoSnail RAT supports dozens of commands, including managing services, executing shell commands, spawning/killing processes, and file management.
* **Exploitation:**
  * Used a zero-day exploit for a vulnerability in the Windows Win32k kernel driver (CVE-2021-40449).
  * Exploited a Microsoft Office memory corruption vulnerability (CVE-2017-11882).
## Targeting
* **Sectors:** Government entities, IT companies, military/defense contractors, and diplomatic entities.
* **Geography:** Russia and Mongolia.
* **Victims:** Russian government entities (current target); IT firms, defense contractors, and diplomatic entities (past targets).
## Tools & Infrastructure
* **Malware Families Used:**
  * MysterySnail RAT (original implant).
  * MysteryMonoSnail (upgraded, lightweight variant).
  * PoisonIvy (historically observed deployment).
  * PlugX (historically observed deployment).
* **Infrastructure (C2 domains and IPs):** No specific C2 domains or IP addresses were provided in the summary context.
## Implications
IronHusky continues to evolve its espionage toolkit, evidenced by the deployment of the lightweight MysteryMonoSnail, suggesting adaptability and a sustained focus on high-value geopolitical targets, particularly within Russia and neighboring regions. The continued reliance on kernel exploits and RAT technology indicates a high level of sophistication aimed at persistent, deep access.
## Mitigations
* Apply security updates immediately for known vulnerabilities, particularly those affecting Windows kernel drivers (e.g., patches for CVE-2021-40449) and Microsoft Office (e.g., CVE-2017-11882).
* Implement strong endpoint detection and response (EDR) capabilities capable of detecting service creation and malicious process behavior indicative of RAT persistence.
* Monitor for the use of known Chinese espionage malware families such as MysterySnail, PoisonIvy, and PlugX.
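The EDR mitigation above hinges on catching the persistence technique the report attributes to MysterySnail: registering the implant as a Windows service. As an added example (not from the original report or from any vendor tooling), the following parses constructed records in a simplified key=value rendering of Windows System log Event ID 7045 ("A service was installed in the system") and flags new SYSTEM-level services whose binary lives in a user-writable or temporary directory; the service names, paths and directory list are assumptions for illustration, not real IronHusky indicators.

```python
import re
from typing import List, Dict

# Constructed sample records (not real indicators) shaped like a flattened
# Event ID 7045 entry: name, image path, start type and account.
SAMPLE_EVENTS = [
    "EventID=7045 ServiceName=WinDefendUpdater ImagePath=C:\\Windows\\System32\\svchost.exe -k netsvcs StartType=auto start Account=LocalSystem",
    "EventID=7045 ServiceName=SysHelperSvc ImagePath=C:\\Users\\Public\\Libraries\\syshelper.exe StartType=auto start Account=LocalSystem",
    "EventID=7045 ServiceName=AcmeAgent ImagePath=C:\\Program Files\\Acme\\agent.exe StartType=auto start Account=LocalSystem",
    "EventID=7045 ServiceName=TmpLoader ImagePath=C:\\Windows\\Temp\\ldr.exe StartType=demand start Account=LocalSystem",
    "EventID=7036 ServiceName=Spooler State=running",
]

# Assumed list of directories where a freshly installed service binary running
# as LocalSystem is unexpected; an implant persisting as a service is often
# dropped into a user-writable or temporary location rather than System32.
SUSPICIOUS_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")

EVENT_RE = re.compile(
    r"EventID=(?P<id>\d+)\s+ServiceName=(?P<name>\S+)\s+ImagePath=(?P<path>.+?)"
    r"\s+StartType=(?P<start>\S+ start)\s+Account=(?P<account>\S+)"
)


def parse_service_installs(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed fields of every 7045 (service installed) record."""
    events = []
    for line in lines:
        m = EVENT_RE.search(line)
        if m and m.group("id") == "7045":
            events.append(m.groupdict())
    return events


def flag_suspicious_services(lines: List[str]) -> List[str]:
    """Names of newly installed services whose binary sits in a suspicious
    directory and which run under the LocalSystem account."""
    flagged = []
    for ev in parse_service_installs(lines):
        path = ev["path"].lower()
        if ev["account"] == "LocalSystem" and any(d in path for d in SUSPICIOUS_DIRS):
            flagged.append(ev["name"])
    return flagged


if __name__ == "__main__":
    # Expected: ['SysHelperSvc', 'TmpLoader']
    print(flag_suspicious_services(SAMPLE_EVENTS))
```

In production the same logic would run over 7045 events exported from the System log (or Sysmon process-creation events for services.exe children) rather than constructed strings, with the directory list tuned to the environment's own software inventory.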