The attack begins with a malicious MMC script disguised as a document from Mongolia’s National Land Agency (ALAMGAC). First, it retrieves a ZIP archive containing a second-stage payload and a legitimate DOCX file from file[.]io storage. A legitimate executable (CiscoCollabHost.exe) is launched, which loads a malicious library (CiscoSparkLauncher.dll) through DLL sideloading. Its malicious DLL loads a payload encrypted with RC4 and XOR from a file named attach.dat, and employs reflective loading through DLL hollowing using the run_pe library.

In an unusual anti-analysis technique, the backdoor stores Windows API function information in an external file (log\MYFC.log), which is encrypted with single-byte XOR and loaded at runtime.

Attributed to the Chinese-speaking threat actor known as IronHusky, which has operated since at least 2017, this malware has apparently remained active but undetected for years. “It turned out that the implant has been actively used in cyberattacks all these years although not reported,” Kaspersky said.

Researchers also discovered a lightweight variant dubbed “MysteryMonoSnail” that communicates via the WebSocket protocol instead of HTTP and offers reduced functionality with just 13 basic commands.

“While conducting threat hunting activities, it’s crucial to consider that old malware families, which have not been reported on for years, may continue their activities under the radar,” warn researchers. The case of MysterySnail demonstrates how threat actors can maintain operational persistence by making minimal modifications to existing malware, allowing them to remain undetected for extended periods.
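The single-byte XOR encryption of the external API-name file (log\MYFC.log) is weak enough that an analyst can recover the key by scoring all 256 candidates against known Windows API names. The script below is an added analyst-side example, not code from the article or from Kaspersky; the file layout, the key and the sample blob are constructed assumptions, since the page does not describe the real file’s internal format.

```python
import re

# Constructed sample standing in for log\MYFC.log: a NUL-separated list of API
# names XOR-encrypted with one byte. Key and contents are made up for this demo.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = (
    b"LoadLibraryA\x00GetProcAddress\x00VirtualAlloc\x00CreateFileW\x00WriteFile\x00"
)
SAMPLE_BLOB = bytes(b ^ SAMPLE_KEY for b in SAMPLE_PLAINTEXT)

# A few well-known API name prefixes used to score candidate plaintexts.
KNOWN_APIS = (b"LoadLibrary", b"GetProcAddress", b"VirtualAlloc", b"CreateFile", b"WriteFile")


def xor_single_byte(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR (encrypt and decrypt are the same operation)."""
    return bytes(b ^ key for b in data)


def score(candidate: bytes) -> int:
    """Higher is better: known API hits dominate, printable ratio breaks ties."""
    hits = sum(candidate.count(api) for api in KNOWN_APIS)
    printable = sum(1 for b in candidate if 0x20 <= b < 0x7F or b == 0)
    return hits * 100 + (printable * 100 // max(1, len(candidate)))


def recover_key(blob: bytes) -> int:
    """Brute-force all 256 keys; return the one yielding the most API-like text."""
    return max(range(256), key=lambda k: score(xor_single_byte(blob, k)))


def extract_api_names(blob: bytes) -> list[str]:
    """Recover the key, decrypt, and pull out identifier-like runs (the API names)."""
    plain = xor_single_byte(blob, recover_key(blob))
    return [m.decode() for m in re.findall(rb"[A-Za-z][A-Za-z0-9_]{3,}", plain)]


if __name__ == "__main__":
    print(hex(recover_key(SAMPLE_BLOB)), extract_api_names(SAMPLE_BLOB))
```

Run against a real sample, the recovered API list is a quick indicator of the backdoor’s capabilities and a stable string set for detection rules, even when the key changes between builds.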
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 17 Apr 2025 15:05:09 +0000