MysterySnail Gets a Boost: Kaspersky Warns of Modified Remote Access Attacks on Organisations in Russia and Mongolia
Kaspersky warns of a revamped MysterySnail Remote Access Trojan targeting organisations in Russia and Mongolia, highlighting the risks of underestimating older malware strains.

Kaspersky GReAT has detected a new wave of attacks using MysterySnail, a Remote Access Trojan (RAT), against organisations in Mongolia and Russia. In 2021 Kaspersky attributed the original MysterySnail RAT to IronHusky, a Chinese-speaking threat actor. In recent years both the attack chain and the malware itself have been modified and aimed at new victims, and the same group is likely behind the new activity.
One of the recent infections Kaspersky detected was delivered through a malicious script for Microsoft Management Console (MMC, the Windows component that gives system administrators and users an interface for configuring and monitoring the system). The script is disguised as an MS Word document from the National Land Agency of Mongolia (ALAMGAC).

After a user opens the file and inadvertently runs the script, further malicious files are downloaded and executed, among them a library named CiscoSparkLauncher.dll. This library is a backdoor that in turn downloads and runs the MysterySnail RAT, which then communicates with attacker-controlled servers over HTTP.
The new MysterySnail RAT supports about 40 commands, implemented differently from those of the MysterySnail RAT discovered in 2021. It can read, write and delete files, manage operating system processes and connect to network resources.
Notably, shortly after Kaspersky blocked the recent intrusions involving the new MysterySnail RAT, the attacks continued with a more lightweight version of the malware. It consists of a single component, which Kaspersky dubbed MysteryMonoSnail. It communicates with the attackers' servers over the WebSocket protocol instead of HTTP and supports only 13 basic commands as opposed to 40.
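The delivery chain described above (an MMC console file posing as a Word document, followed by a drop of CiscoSparkLauncher.dll) lends itself to a simple endpoint hunt. The following is an added example written for this article, not Kaspersky's code or detection content. It runs two rules over constructed process-creation and image-load events laid out in a generic Sysmon-like shape (field names are an assumption), then correlates hits by process ID to surface the full chain. The doubled extension (.docx.msc) used to model the "disguised as a Word document" detail and the user-writable path list are assumptions; the C2 traffic over HTTP and WebSocket is not modelled because the article gives no server indicators.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs). Events for pid 4120 model the
# chain on the page: mmc.exe opens a console file from Downloads whose name
# imitates a Word document, then the same process loads CiscoSparkLauncher.dll
# from Temp. pid 4200 and pid 5100 are benign-looking controls.
EVENTS = [
    {"type": "process", "pid": 4120, "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\ALAMGAC_notice.docx.msc"'},
    {"type": "process", "pid": 4200, "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\compmgmt.msc"'},
    {"type": "imageload", "pid": 4120,
     "image": r"C:\Users\alice\AppData\Local\Temp\CiscoSparkLauncher.dll"},
    {"type": "imageload", "pid": 5100,
     "image": r"C:\Program Files\SomeVendor\CiscoSparkLauncher.dll"},
    {"type": "imageload", "pid": 4200,
     "image": r"C:\Windows\System32\mmcndmgr.dll"},
]

# Directories an unprivileged user can write to (assumption; tune per estate).
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(Users\\|ProgramData\\|Windows\\Temp\\)", re.IGNORECASE)
# Office-looking name in front of the real .msc extension (assumption about the disguise).
DOUBLE_EXT = re.compile(r"\.(docx?|rtf)\.msc$", re.IGNORECASE)
BACKDOOR_DLL = "ciscosparklauncher.dll"  # file name given in the article


def split_args(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def is_user_writable(path):
    return bool(USER_WRITABLE.match(path))


def check_mmc_launch(ev):
    """Rule 1: mmc.exe opening a console file from a user-writable location."""
    if not ev.get("image", "").lower().endswith("\\mmc.exe"):
        return None
    for arg in split_args(ev.get("cmdline", ""))[1:]:
        if arg.lower().endswith(".msc") and is_user_writable(arg):
            severity = "high" if DOUBLE_EXT.search(arg) else "medium"
            return {"pid": ev["pid"], "rule": "mmc_console_from_user_dir",
                    "severity": severity, "detail": arg}
    return None


def check_dll_load(ev):
    """Rule 2: the named backdoor DLL loaded from a user-writable location."""
    path = ev.get("image", "")
    if path.rsplit("\\", 1)[-1].lower() == BACKDOOR_DLL and is_user_writable(path):
        return {"pid": ev["pid"], "rule": "backdoor_dll_from_user_dir",
                "severity": "high", "detail": path}
    return None


def analyze(events):
    """Apply both rules, then promote any pid that hit both stages to a chain finding."""
    findings = []
    for ev in events:
        if ev.get("type") == "process":
            hit = check_mmc_launch(ev)
        elif ev.get("type") == "imageload":
            hit = check_dll_load(ev)
        else:
            hit = None
        if hit:
            findings.append(hit)

    rules_by_pid = defaultdict(set)
    for f in findings:
        rules_by_pid[f["pid"]].add(f["rule"])
    for pid, rules in rules_by_pid.items():
        if {"mmc_console_from_user_dir", "backdoor_dll_from_user_dir"} <= rules:
            findings.append({"pid": pid, "rule": "mysterysnail_delivery_chain",
                             "severity": "critical",
                             "detail": "MMC console from user dir followed by backdoor DLL load"})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"[{f['severity']:>8}] pid={f['pid']} {f['rule']}: {f['detail']}")
```

Only pid 4120 is reported: the console file from System32 and the DLL under Program Files fall outside the user-writable rule, which is what keeps the hunt from firing on routine administrative use of MMC. In a real deployment the same two rules map onto Sysmon event IDs 1 and 7 (or the EDR equivalents), and the correlation step should use a time window rather than the unbounded grouping used here.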
“Seemingly old malware families, even those dormant or unreported for years, can remain active and resurface unexpectedly, posing significant risks. Retiring security tool signatures designed to detect historical malware simply because of their age is a dangerous oversight that could leave systems vulnerable. At Kaspersky, we proactively address this by providing customers of our Threat Intelligence portal with comprehensive sets of Indicators of Compromise covering both legacy and emerging malware, ensuring robust defense against evolving threats,” comments Georgy Kucherin, Security Researcher with Kaspersky GReAT. “In the future, cybercriminals may leverage these older, overlooked malware strains, blending them with modern techniques to exploit gaps in outdated defenses. To stay ahead, organisations must integrate continuous threat intelligence into their security strategies, combining historical data with real-time insights to anticipate and neutralise threats before they strike.”
To help organisations protect against attacks, Kaspersky recommends the following measures:
- Deploy multi-layered security solutions with real-time threat detection capabilities. Kaspersky Next XDR Expert aggregates and correlates data from multiple sources using machine-learning technologies for effective threat detection and automated response to sophisticated attacks.
- Conduct regular cybersecurity awareness training for employees, with a special focus on recognising sophisticated spear-phishing attempts.
- Use up-to-date threat intelligence to stay aware of the TTPs threat actors are currently using.
- Back up corporate data regularly.