IronHusky APT Revives MysterySnail RAT to Target Government Organizations in Russia and Mongolia

Written by: Lore Apostol, Cybersecurity & Streaming Writer

A recent security analysis has unearthed a new version of the MysterySnail Remote Access Trojan (RAT), marking its re-emergence in targeted cyberattacks against government entities in Mongolia and Russia. 

Originally uncovered in 2021, MysterySnail RAT was attributed to the IronHusky advanced persistent threat (APT) group, a China-based actor with a history of targeting these regions.

The original MysterySnail RAT gained attention when it exploited the CVE-2021-40449 zero-day vulnerability. Since then, no public activity related to the malware had been observed until Kaspersky researchers detected its resurgence in recent months. 

[Figure] Malicious MMC script as displayed in Windows Explorer. It has the icon of a Microsoft Word document | Source: Kaspersky

The new version of the RAT demonstrates continuity in IronHusky’s targeting priorities, maintaining a focus on government organizations in Mongolia and Russia, Kaspersky’s Global Research & Analysis Team (GReAT) said in a recent report.

The new version of MysterySnail RAT is delivered through a disguised malicious Microsoft Management Console (MMC) script. 

This script, masked as a legitimate document from Mongolia’s National Land Agency (ALAMGAC), initiates a series of actions:

The MMC script was designed to minimize user suspicion by opening the decoy document for the victim while deploying the malware in the background.
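As an added defender-side example (not Kaspersky's or the article's code), the following Python scans process-creation telemetry for the delivery pattern just described: mmc.exe loading a console file from a user-writable location, and mmc.exe spawning a child process. The log line format, file names and paths are constructed, and the decoy-viewer parent/child relationship is an assumption, not a detail from the report.

```python
"""Hunt process-creation telemetry for MMC console-file delivery.

Added example, not the article's or Kaspersky's code. Line format is a
constructed 'timestamp|image|parent_image|command_line'; map Sysmon
Event ID 1 or EDR fields onto it. Stock .msc consoles live under
System32, so one loaded from a user-writable path is worth a look.
"""
import re
from typing import Dict, List, Tuple

USER_WRITABLE = re.compile(r"\\(Users|Temp|ProgramData)\\", re.IGNORECASE)
MSC_PATH = re.compile(r'"?([A-Za-z]:\\[^"]*?\.msc)"?', re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    ts, image, parent, cmdline = line.split("|", 3)
    return {"ts": ts, "image": image, "parent": parent, "cmdline": cmdline}


def find_mmc_abuse(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, reason, detail) for each suspicious event."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image, parent = ev["image"].lower(), ev["parent"].lower()
        if image.endswith("\\mmc.exe"):
            m = MSC_PATH.search(ev["cmdline"])
            if m and USER_WRITABLE.search(m.group(1)):
                findings.append((ev["ts"], "msc_from_user_path", m.group(1)))
        elif parent.endswith("\\mmc.exe"):
            # A script inside the console opening a decoy viewer (assumed).
            findings.append((ev["ts"], "mmc_child_process", ev["image"]))
    return findings


# Constructed sample telemetry; none of these are real IronHusky indicators.
SAMPLE_EVENTS = [
    "2025-01-01T09:01:02|C:\\Windows\\System32\\mmc.exe|C:\\Windows\\explorer.exe"
    "|mmc.exe C:\\Windows\\System32\\services.msc",
    "2025-01-01T09:05:44|C:\\Windows\\System32\\mmc.exe|C:\\Windows\\explorer.exe"
    '|mmc.exe "C:\\Users\\bat\\Downloads\\land_registry.docx.msc"',
    "2025-01-01T09:05:45|C:\\Program Files\\Office\\WINWORD.EXE|C:\\Windows\\System32\\mmc.exe"
    "|WINWORD.EXE C:\\Users\\bat\\AppData\\Local\\Temp\\decoy.docx",
    "2025-01-01T09:10:00|C:\\Program Files\\Office\\WINWORD.EXE|C:\\Windows\\explorer.exe"
    "|WINWORD.EXE C:\\Users\\bat\\Documents\\notes.docx",
]

if __name__ == "__main__":
    for ts, reason, detail in find_mmc_abuse(SAMPLE_EVENTS):
        print(f"{ts} {reason}: {detail}")
```

Running it flags the console file in Downloads and the Word process parented by mmc.exe, while the stock services.msc and the Explorer-launched document pass.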

An intermediary backdoor was discovered within the attack chain, leveraging DLL sideloading techniques. The backdoor communicates with its operators via a legitimate open-source tool, the Piping server, utilizing it for command-and-control (C2) communication. 

The intermediary backdoor supports a range of malicious commands, such as running command shells, managing files, and terminating itself.

The latest version of MysterySnail RAT introduces a modular architecture for executing commands. This marks a significant evolution from the 2021 version, which consolidated functions into a single component. 

The modular design leverages five distinct modules, each handling specific tasks such as file management, process execution, and network connections.

While the modular approach offers greater execution flexibility, researchers noted that certain characteristics, such as coding typos, remain consistent with earlier versions, reinforcing the connection to the 2021 variant.

Further analysis unveiled a lightweight variant of the RAT, dubbed MysteryMonoSnail. Unlike its modular predecessor, this version consists of a single component and communicates with its C2 server using WebSocket protocols rather than HTTP. 
