MysterySnail RAT

The MysterySnail RAT is a threat that, according to findings by infosec researchers, is connected to the Chinese APT (Advanced Persistent Threat) group IronHusky. The threat is described as a remote shell-type Trojan and is unusually large at 8.29MB. There are several reasons for the abnormal size. First, the MysterySnail RAT is statically compiled with the OpenSSL library and carries unused code from that library. Second, it contains two large functions that serve no practical purpose other than wasting processor clock cycles.

The likely reason for including these large chunks of superfluous code is to boost the threat's anti-detection and anti-emulation capabilities. This conclusion is also supported by the presence of redundant logic and of multiple exported functions, of which only one performs the actual work.

MysterySnail RAT's Details

As a whole, the MysterySnail RAT is not among the most sophisticated threats of this type. However, it compensates with an expanded list of functionalities (the threat recognizes a total of 20 different commands), such as detecting newly inserted disk drives or acting as a proxy. Upon receiving the appropriate command from its Command-and-Control (C&C, C2) server, the threat can manipulate the file system of the compromised machine by creating, reading, uploading or deleting chosen files. The MysterySnail RAT can also start or terminate processes. In addition, it can open a Command Prompt window, allowing the attackers to execute arbitrary commands.

One of the first actions performed by MysterySnail RAT is to gather data about the breached system. The malware harvests details such as the computer name, Windows product name, IP address, user name and more. All collected information is then uploaded to the C2 server. As for the server's address, the analyzed samples contained two hardcoded URLs stored in plain text that acted as decoys. The real URL is decoded with a single-byte XOR, which yields the 'http[.]ddspadus[.]com' address.
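Because the real C2 URL is hidden behind a single-byte XOR while the decoys sit in plain text, an analyst triaging a sample can brute-force all 256 keys over a suspicious byte blob and keep the candidate that looks like a URL. The script below is an added example written for this page, not code from the report or from the malware; the encoded blob is a constructed placeholder, not the real MysterySnail configuration.

```python
"""Recover a single-byte XOR key from an encoded string blob.

Added analysis example (not from the original report). The input blob is a
constructed sample: a placeholder URL XORed with key 0x5A, standing in for
the encoded C2 string that MysterySnail stores next to its plaintext decoys.
"""
import string

# Printable ASCII minus whitespace control characters; a real URL uses only these.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

# Constructed sample: b"http://c2.example.invalid" XORed with 0x5A (placeholder, not a real IoC).
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = bytes(b ^ SAMPLE_KEY for b in b"http://c2.example.invalid")


def xor_single_byte(data: bytes, key: int) -> bytes:
    """Apply the same single-byte XOR that both encodes and decodes the string."""
    return bytes(b ^ key for b in data)


def score_candidate(plain: bytes) -> int:
    """Higher is better: reject non-printable output, reward URL-like shape.

    Returns -1 for any candidate containing non-printable bytes.
    """
    if any(b not in PRINTABLE for b in plain):
        return -1
    score = 0
    if plain.startswith(b"http"):
        score += 10          # strong signal for a C2 URL
    score += plain.count(b".")  # hostnames carry dots
    return score


def recover_xor_key(blob: bytes) -> tuple[int, bytes]:
    """Try every key 0x00..0xFF and return (key, plaintext) of the best-scoring candidate."""
    best_score, best_key, best_plain = -1, 0, b""
    for key in range(256):
        plain = xor_single_byte(blob, key)
        s = score_candidate(plain)
        if s > best_score:
            best_score, best_key, best_plain = s, key, plain
    return best_key, best_plain


if __name__ == "__main__":
    key, url = recover_xor_key(SAMPLE_BLOB)
    print(f"key=0x{key:02X} url={url.decode()}")
```

On the constructed blob this recovers key 0x5A and the placeholder URL; on a real sample, run it over each candidate string region and compare the result against the plaintext decoys before treating it as the live C2 address.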