@poliverso.org
Chinese-speaking IronHusky hackers are actively targeting government organizations in Russia and Mongolia using an upgraded version of the MysterySnail remote access trojan (RAT) malware. Security researchers at Kaspersky's Global Research and Analysis Team (GReAT) recently discovered this updated implant during investigations into attacks utilizing a malicious MMC script disguised as a Word document. This script downloads second-stage payloads and establishes persistence on compromised systems, indicating a continued focus on espionage and data theft by the APT group.
This new version of MysterySnail RAT includes an intermediary backdoor that facilitates file transfers between the command and control servers and infected devices and allows the attackers to execute commands. The IronHusky group abuses the legitimate piping server ppng[.]io to request commands and send back their execution results. Routing command and control traffic through a legitimate public service helps the attackers evade detection by blending malicious traffic with normal network activity, highlighting the sophisticated methods employed by the threat actor.
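As an added detection example (not code from the original post or from Kaspersky), the snippet below scans constructed web-proxy log lines for the piping-server pattern described above: it assumes Piping Server semantics in which one side POSTs or PUTs to a path and the other side GETs the same path, treats ppng.io (from the write-up) as the only known abused host, and uses a simple space-separated log format that is an assumption.

```python
"""Hunt for Piping Server style C2 in web-proxy logs (added example, not from the original post)."""
import re
from collections import defaultdict

# Known piping-server host named in the write-up (defanged form expanded).
KNOWN_PIPING_HOSTS = {"ppng.io"}

# Constructed log format (assumption): "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) https?://([^/\s]+)(/\S*) (\d{3})$")


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything that does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, host, path, _status = m.groups()
    return {"ts": ts, "client": client, "method": method, "host": host, "path": path}


def find_piping_c2(lines):
    """Return sorted (client, host, path, reason) findings for piping-server style traffic."""
    methods_seen = defaultdict(set)  # (client, host, path) -> set of HTTP methods used
    findings = set()
    for rec in filter(None, map(parse_line, lines)):
        key = (rec["client"], rec["host"], rec["path"])
        methods_seen[key].add(rec["method"])
        if rec["host"] in KNOWN_PIPING_HOSTS:
            findings.add(key + ("known piping-server host",))
    # Piping Server C2 shape: the same client GETs a path (receives commands) and later
    # POSTs/PUTs to that same path (returns results). This also catches unknown hosts.
    for (client, host, path), methods in methods_seen.items():
        if "GET" in methods and methods & {"POST", "PUT"}:
            findings.add((client, host, path, "GET and POST/PUT to same path"))
    return sorted(findings)


# Constructed sample log lines (not real telemetry); hosts other than ppng.io are invented.
SAMPLE_LOGS = [
    "2025-04-01T10:00:01Z 10.0.0.5 GET https://ppng.io/a1b2c3 200",
    "2025-04-01T10:00:02Z 10.0.0.5 POST https://ppng.io/a1b2c3 200",
    "2025-04-01T10:00:03Z 10.0.0.7 GET https://intranet.example/portal 200",
    "2025-04-01T10:00:04Z 10.0.0.9 GET https://relay.example/x9y8 200",
    "2025-04-01T10:00:05Z 10.0.0.9 PUT https://relay.example/x9y8 200",
    "malformed line that should be skipped",
]

if __name__ == "__main__":
    for finding in find_piping_c2(SAMPLE_LOGS):
        print(finding)
```

The GET-then-POST pairing will also match ordinary web forms, so in practice pair it with allow-listing of known internal applications or with path-entropy and beaconing-interval checks before raising an alert.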
The MysterySnail RAT, initially discovered in 2021, has undergone significant evolution, demonstrating its adaptability and the persistent threat it poses. Despite a period of relative obscurity after initial reports, the RAT has re-emerged with updated capabilities targeting specific geopolitical interests. The continuous refinement and deployment of this malware underscores the ongoing cyber espionage activities carried out by the IronHusky APT group, with a particular focus on Russian and Mongolian government entities.
References:
- Securelist: MysterySnail RAT attributed to IronHusky APT group hasn’t been reported since 2021. Recently, Kaspersky GReAT detected new versions of this implant in government organizations in Mongolia and Russia.
- The DefendOps Diaries: The MysterySnail RAT: An Evolving Cyber Threat
- BleepingComputer: Chinese-speaking IronHusky hackers are targeting Russian and Mongolian government organizations using upgraded MysterySnail remote access trojan (RAT) malware.
- Know Your Adversary: 108. Hunting for Node.js Abuse
- bsky.app: Chinese-speaking IronHusky hackers are targeting Russian and Mongolian government organizations using upgraded MysterySnail remote access trojan (RAT) malware.
- www.kaspersky.com: Provides threat intelligence about the IronHusky APT group.
- poliverso.org: IronHusky updates the forgotten MysterySnail RAT to target Russia and Mongolia
- threatmon.io: Threatpost reports on Chinese APT IronHusky Deploys Updated MysterySnail RAT on Russia
- hackread.com: Kaspersky researchers report the reappearance of MysterySnail RAT, a malware linked to Chinese IronHusky APT, targeting Mongolia and…
- securityonline.info: IronHusky APT Resurfaces with Evolved MysterySnail RAT
- Talkback Resources: The MysterySnail RAT, linked to Chinese IronHusky APT, has resurfaced targeting government entities in Mongolia and Russia with a new version capable of executing 40 commands for malicious activities and deploying a modified variant named MysteryMonoSnail.
- securityaffairs.com: Chinese APT IronHusky Deploys Updated MysterySnail RAT on Russia
- securelist.com: Kaspersky report on IronHusky updates the forgotten MysterySnail RAT
- www.scworld.com: Stealthy multi-stage malware attack, updated MysterySnail RAT uncovered
- securityaffairs.com: Malicious payloads have been distributed as part of a new covert multi-stage intrusion while Chinese advanced persistent threat operation IronHusky has been targeting Russian and Mongolian government entities with an upgraded MysterySnail RAT variant, reports The Hacker News.