{
	"id": "d9d2341a-ad9d-4df5-8909-94c9fb3f23b3",
	"created_at": "2026-04-06T00:07:17.684183Z",
	"updated_at": "2026-04-10T03:29:45.572123Z",
	"deleted_at": null,
	"sha1_hash": "d66232ac78fac8c800e27f3ee9491679cd614cca",
	"title": "MysterySnail attacks with Windows zero-day",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 89472,
	"plain_text": "MysterySnail attacks with Windows zero-day\r\nBy Boris Larin\r\nPublished: 2021-10-12 · Archived: 2026-04-02 12:13:15 UTC\r\nExecutive Summary\r\nIn late August and early September 2021, Kaspersky technologies detected attacks with the use of an elevation of\r\nprivilege exploit on multiple Microsoft Windows servers. The exploit had numerous debug strings from an older,\r\npublicly known exploit for vulnerability CVE-2016-3309, but closer analysis revealed that it was a zero-day. We\r\ndiscovered that it was using a previously unknown vulnerability in the Win32k driver and exploitation relies\r\nheavily on a technique to leak the base addresses of kernel modules. We promptly reported these findings to\r\nMicrosoft. The information disclosure portion of the exploit chain was identified as not bypassing a security\r\nboundary, and was therefore not fixed. Microsoft assigned CVE-2021-40449 to the use-after-free vulnerability in\r\nthe Win32k kernel driver and it was patched on October 12, 2021, as a part of the October Patch Tuesday.\r\nBesides finding the zero-day in the wild, we analyzed the malware payload used along with the zero-day exploit,\r\nand found that variants of the malware were detected in widespread espionage campaigns against IT companies,\r\nmilitary/defense contractors, and diplomatic entities.\r\nWe are calling this cluster of activity MysterySnail. 
Code similarity and re-use of C2 infrastructure we discovered\r\nallowed us to connect these attacks with the actor known as IronHusky and Chinese-speaking APT activity dating\r\nback to 2012.\r\nElevation of privilege exploit\r\nThe discovered exploit is written to support the following Windows products:\r\nMicrosoft Windows Vista\r\nMicrosoft Windows 7\r\nMicrosoft Windows 8\r\nMicrosoft Windows 8.1\r\nMicrosoft Windows Server 2008\r\nMicrosoft Windows Server 2008 R2\r\nMicrosoft Windows Server 2012\r\nMicrosoft Windows Server 2012 R2\r\nMicrosoft Windows 10 (build 14393)\r\nMicrosoft Windows Server 2016 (build 14393)\r\nMicrosoft Windows 10 (build 17763)\r\nMicrosoft Windows Server 2019 (build 17763)\r\nhttps://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/\r\nPage 1 of 6\n\nThe list of supported products and supported Windows 10 build numbers, explicit declaration of server OSs and\r\nthe fact that exploits were only discovered in attacks on servers, all lead us to believe the exploit was developed\r\nand advertised as a solution to elevate privileges on servers.\r\nCVE-2021-40449 is a use-after-free vulnerability in Win32k’s NtGdiResetDC function. As with many other\r\nWin32k vulnerabilities, the root cause of this vulnerability lies in the ability to set user-mode callbacks and\r\nexecute unexpected API functions during execution of those callbacks. CVE-2021-40449 is triggered when\r\nthe function ResetDC is executed a second time for the same handle during execution of its own callback. The\r\nexploitation process for this vulnerability is as follows:\r\n1. A user-mode call to ResetDC executes syscall NtGdiResetDC and its inner function GreResetDCInternal.\r\nThis function gets a pointer to a PDC object, and then performs a call to function hdcOpenDCW.\r\n2. Function hdcOpenDCW performs a user-mode callback and it can be used to execute ResetDC for the\r\nsame handle a second time.\r\n3. 
If an exploit executes ResetDC during a callback, NtGdiResetDC and GreResetDCInternal are executed\r\nagain for the same DC.\r\n4. If an exploit ignores all the callbacks during the second call to GreResetDCInternal, this function will be\r\nexecuted as intended. It will create a new DC and get rid of the old one (the PDC object is destroyed).\r\n5. In the callback, after the second ResetDC call has completed, the exploit can reclaim the freed memory\r\nof the PDC object and finish the execution of the callback.\r\n6. After execution of the callback, function hdcOpenDCW returns to GreResetDCInternal, but the pointer\r\nretrieved in step (1) is now a dangling pointer – it points to the memory of the previously destroyed PDC\r\nobject.\r\n7. In the late stage of GreResetDCInternal execution, a malformed PDC object can be used to perform a call\r\nto an arbitrary kernel function with controlled parameters.\r\nIn the discovered exploit, attackers are able to achieve the desired state of memory with the use of GDI palette\r\nobjects and use a single call to a kernel function to build a primitive for reading and writing kernel memory. This\r\nstep is easily accomplished, because the exploit process is running with Medium IL and therefore it’s possible to\r\nuse publicly known techniques to leak kernel addresses of currently loaded drivers/kernel modules. In our opinion,\r\nit would be preferable if Medium IL processes had limited access to such functions as\r\nNtQuerySystemInformation or EnumDeviceDrivers.\r\nMysterySnail RAT\r\nOur deep dive into the MysterySnail RAT family started with an analysis of a previously unknown remote shell-type Trojan that was intended to be executed by an elevation of privilege exploit. The sample which we analyzed\r\nwas also uploaded to VT on August 10, 2021. The sample is very big – 8.29MB. 
One of the reasons for the file\r\nsize is that it’s statically compiled with the OpenSSL library and contains unused code and data belonging to that\r\nlibrary. But the main reason for its size is the presence of two very large functions that do nothing but waste\r\nprocessor clock cycles. These functions also “use” randomly generated strings that are also present in the binary.\r\nRandom strings used by anti-analysis functions\r\nWe assume these two functions are used as an AV-evasion technique for the purpose of anti-emulation. This theory\r\nis supported by the presence of other redundant logic and the presence of a relatively large number of exported\r\nfunctions while the real work is performed by only one of them.\r\nNames of exported functions; the actual business logic is executed from function “GetInfo”\r\nThe sample has two hardcoded URLs present in plain text – “www[.]disktest[.]com” and\r\n“www[.]runblerx[.]com”. They are put into class variables for intended use, but remain unused; the real C2\r\naddress is decoded by a single-byte xor – “http[.]ddspadus[.]com”.\r\nThe malware enumerates the values under the “Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer” registry key and uses them to request tunneling through a proxy server in case it fails to\r\nconnect to the C2 directly.\r\nThe malware itself is not very sophisticated and has functionality similar to many other remote shells. But it still\r\nsomehow stands out, with a relatively large number of implemented commands and extra capabilities like\r\nmonitoring for inserted disk drives and the ability to act as a proxy.\r\nInbound and outbound commands have the same binary-based format that is provided below. 
All communication\r\nis encrypted with SSL.\r\nOffset Description\r\n0 Size of additional data\r\n4 Session ID\r\n8 Command ID\r\n0xC Additional data\r\nFormat of communication commands\r\nBefore receiving any commands, the malware gathers and sends general information about the victim machine.\r\nThis information includes:\r\nComputer name\r\nCurrent OEM code-page/default identifier\r\nWindows product name\r\nLocal IP address\r\nLogged-in user name\r\nCampaign name\r\nOne interesting fact is that “Campaign name” by default is set to “windows”. This name gets overwritten, but it\r\nmight indicate there are versions of the same RAT compiled for other platforms.\r\nIn total, the RAT implements 20 commands. Their description and command IDs are provided in the table below.\r\nCommand ID Description\r\n1F4h Launch interactive cmd.exe shell. Before launch, cmd.exe is copied to the temp folder with a different name\r\n1F5h Spawn new process\r\n1F6h Spawn new process (console)\r\n1F7h Get existing disk drives and their type. This function also works in the background, checking for new drives\r\n1F8h Create (upload) new file. If a file exists, append data to it\r\n1FAh Get directory list\r\n1FBh Kill arbitrary process\r\n1FFh Delete file\r\n202h Read file. If the file is too big, async read operation can be stopped with cmd 20Ch.\r\n205h Re-connect\r\n208h Set sleep time (in ms)\r\n209h Shutdown network and exit\r\n20Ah Exit\r\n20Bh Kill interactive shell (created with cmd 1F4h)\r\n20Ch Terminate file reading operation (started with cmd 202h)\r\n217h No operation\r\n21Bh Open proxy’ed connection to provided host. 
Up to 50 simultaneous connections are\r\nsupported.\r\n21Ch Send data to proxy’ed connection\r\n21Eh Close all proxy connections\r\n21Fh Close requested proxy connection\r\nList of commands supported by the RAT\r\nThe analysis of the MysterySnail RAT helped us discover campaigns using other variants of the analyzed malware\r\nas well as study and document the code changes made to this tool over a six-month period. We provide more info\r\nabout these variants and campaigns in our private report.\r\nWith the help of Kaspersky Threat Attribution Engine (KTAE) and the discovery of early variants of MysterySnail\r\nRAT we were able to find direct code and functionality overlap with the malware attributed to the IronHusky\r\nactor. We were also able to discover the re-use of C2 addresses used in attacks by the Chinese-speaking APT as far\r\nback as 2012. This discovery links IronHusky to some of the older known activities.\r\nKaspersky products detect the CVE-2021-40449 exploit and related malware with the verdicts:\r\nPDM:Exploit.Win32.Generic\r\nPDM:Trojan.Win32.Generic\r\nTrojan.Win64.Agent*\r\nKaspersky products detected these attacks with the help of the Behavioral Detection Engine and the Exploit\r\nPrevention component. CVE-2021-40449 is the latest addition to the long list of zero-days discovered in the wild\r\nwith the help of our technologies. We will continue to improve defenses for our users by enhancing technologies\r\nand working with third-party vendors to patch vulnerabilities, making the internet more secure for everyone.\r\nMore information about these attacks and the actor behind them is available to customers of the Kaspersky\r\nIntelligence Reporting service. 
Contact: intelreports@kaspersky.com.\r\nKaspersky would like to thank Microsoft for their prompt analysis of the report and patches.\r\nIoCs\r\nwww[.]disktest[.]com\r\nwww[.]runblerx[.]com\r\nhttp[.]ddspadus[.]com\r\nMD5 e2f2d2832da0facbd716d6ad298073ca\r\nSHA1 ecdec44d3ce31532d9831b139ea04bf48cde9090\r\nSHA256 b7fb3623e31fb36fc3d3a4d99829e42910cad4da4fa7429a2d99a838e004366e\r\nSource: https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/"
	],
	"report_names": [
		"104509"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d06cd44b-3efe-47dc-bb7c-a7b091c02938",
			"created_at": "2023-11-08T02:00:07.135638Z",
			"updated_at": "2026-04-10T02:00:03.42332Z",
			"deleted_at": null,
			"main_name": "IronHusky",
			"aliases": [],
			"source_name": "MISPGALAXY:IronHusky",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2caf4672-1812-4bb9-9576-6011e56102d2",
			"created_at": "2022-10-25T16:07:23.742765Z",
			"updated_at": "2026-04-10T02:00:04.733853Z",
			"deleted_at": null,
			"main_name": "IronHusky",
			"aliases": [
				"BBCY-TA1",
				"Operation MysterySnail"
			],
			"source_name": "ETDA:IronHusky",
			"tools": [
				"Agent.dhwf",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"MysterySnail",
				"MysterySnail RAT",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434037,
	"ts_updated_at": 1775791785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d66232ac78fac8c800e27f3ee9491679cd614cca.pdf",
		"text": "https://archive.orkl.eu/d66232ac78fac8c800e27f3ee9491679cd614cca.txt",
		"img": "https://archive.orkl.eu/d66232ac78fac8c800e27f3ee9491679cd614cca.jpg"
	}
}