IronHusky updates the forgotten MysterySnail RAT to target Russia and Mongolia

The MysterySnail RAT, attributed to the IronHusky APT, has resurfaced after several years without public reporting. First documented in 2021, it has recently been observed in government organizations in Mongolia and Russia, together with a new, simpler variant named MysteryMonoSnail. The article stresses the value of keeping detections for older malware families in place: the absence of public reports does not mean a family has gone out of use. Affected: Mongolia, Russia, government organizations

Key points:

  • MysterySnail RAT was first discovered in 2021 and linked to the IronHusky APT.
  • Recent infections have been observed in government organizations in Mongolia and Russia.
  • The malware is delivered through a malicious MMC script (an .msc console file) disguised as a document.
  • Core functionality includes command execution, file management, and persistence on the victim's machine.
  • A lightweight variant, MysteryMonoSnail, has been identified; it uses WebSocket for C2 communications.
  • The persistence mechanism and modular architecture have remained largely unchanged over the years.
  • Old malware families can resurface, so detection coverage for them needs to be maintained rather than retired.
  • Kaspersky provides IoCs for both historical and emerging malware threats.

MITRE Techniques:

  • T1204.002 – User Execution: Malicious File: the infection starts when a user opens the malicious MMC script posing as a document (the victim launches the file; no public-facing application is exploited).
  • T1059.003 – Command and Scripting Interpreter: Windows Command Shell: the backdoor executes commands through the command shell and can open an interactive remote shell for the operator.
  • T1071.001 – Application Layer Protocol: Web Protocols: C2 communication over HTTP, and over WebSocket in the MysteryMonoSnail variant.
  • T1049 – System Network Connections Discovery: enumerating network resources on the victim's machine.
  • T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: persistence via a Run registry key.

Indicators of Compromise:

  • [File] malicious MMC script disguised as a document
  • [C2 Domain] watch-smcsvc[.]com
  • [C2 Domain] leotolstoys[.]com
  • [File] CiscoSparkLauncher.dll
  • [File] attach.dat
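The key points and the IoC list above are only useful if they are actually swept against telemetry. The following is an added example written for this page, not code from Kaspersky or the Securelist article: it refangs the two published C2 domains and matches them against DNS query logs, looks for the two published file names on disk, flags .msc files whose names are dressed up as documents, and checks Run-key entries that reference the IoC files. The DNS log format, the file paths, the registry entries and the rundll32 command line are constructed sample data, and the "document-lookalike .msc" heuristic is an assumption about how a disguised MMC script might be named, not something the report states.

```python
"""Sweep constructed DNS logs, file listings and Run-key entries for the
MysterySnail IoCs published in the summary above (example code, not from the
report; all sample data below is constructed)."""
import re
from pathlib import PureWindowsPath

# IoCs exactly as published (defanged); file names compared case-insensitively.
C2_DOMAINS = {"watch-smcsvc[.]com", "leotolstoys[.]com"}
IOC_FILENAMES = {"ciscosparklauncher.dll", "attach.dat"}

# Assumed heuristic: an MMC console file named like "report.docx.msc" is a
# document lookalike. The report does not give the real file name.
DOC_EXTS = (".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf", ".txt")

RUN_KEYS = (
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
)


def refang(domain: str) -> str:
    """Turn the published 'example[.]com' form back into a resolvable name."""
    return domain.replace("[.]", ".").lower()


C2_DOMAIN_SET = {refang(d) for d in C2_DOMAINS}


def is_c2_domain(qname: str) -> bool:
    """Exact match or subdomain of a published C2 domain (trailing dot tolerated)."""
    name = qname.rstrip(".").lower()
    return name in C2_DOMAIN_SET or any(name.endswith("." + d) for d in C2_DOMAIN_SET)


# Assumed log layout: "<timestamp> <client-ip> query: <qname> <qtype>".
DNS_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query: (?P<qname>\S+)")


def scan_dns_log(lines):
    """Return (timestamp, client, qname) for every query to a C2 domain."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if m and is_c2_domain(m["qname"]):
            hits.append((m["ts"], m["client"], m["qname"]))
    return hits


def is_suspicious_msc(path: str) -> bool:
    """True for a .msc file whose stem still ends in a document extension."""
    p = PureWindowsPath(path)
    return p.suffix.lower() == ".msc" and p.stem.lower().endswith(DOC_EXTS)


def scan_file_paths(paths):
    """Tag paths that carry a published file name or look like the disguised MMC script."""
    findings = []
    for path in paths:
        name = PureWindowsPath(path).name.lower()
        if name in IOC_FILENAMES:
            findings.append(("ioc_filename", path))
        elif is_suspicious_msc(path):
            findings.append(("document_lookalike_msc", path))
    return findings


def scan_run_keys(entries):
    """entries: (key, value_name, command) triples, e.g. parsed from a registry export.
    Flags Run-key commands that reference a published file name."""
    findings = []
    for key, value_name, command in entries:
        if not key.lower().startswith(RUN_KEYS):
            continue
        if any(f in command.lower() for f in IOC_FILENAMES):
            findings.append((key, value_name, command))
    return findings


# Constructed sample telemetry (not from the report).
SAMPLE_DNS = [
    "2025-04-10T09:12:03Z 10.0.0.15 query: watch-smcsvc.com A",
    "2025-04-10T09:12:05Z 10.0.0.15 query: www.example.com A",
    "2025-04-10T09:13:44Z 10.0.0.22 query: cdn.leotolstoys.com A",
]
SAMPLE_PATHS = [
    r"C:\Users\analyst\Downloads\land_report.docx.msc",
    r"C:\ProgramData\Cisco\CiscoSparkLauncher.dll",
    r"C:\ProgramData\Cisco\attach.dat",
    r"C:\Windows\System32\services.msc",
]
SAMPLE_RUN_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "CiscoCollab",
     r"rundll32.exe C:\ProgramData\Cisco\CiscoSparkLauncher.dll,Start"),  # constructed
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\analyst\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS):
        print("C2 DNS query:", hit)
    for finding in scan_file_paths(SAMPLE_PATHS):
        print("file:", finding)
    for finding in scan_run_keys(SAMPLE_RUN_ENTRIES):
        print("run key:", finding)
```

Feed the functions real inputs (resolver logs, a file inventory, a parsed `reg export` of the Run keys) rather than the embedded samples; the subdomain match in `is_c2_domain` is deliberate, since actors often front C2 with host names under the registered domain, while the .msc heuristic will need tuning to the naming conventions seen in your own environment.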

Full Story: https://securelist.com/mysterysnail-new-version/116226/