
"The malware's stealth stems from the use of various levels of encryption to obscure source code and payloads, while its flexibility allows it to dynamically enable different functions based on a configuration, such as choosing TCP or HTTP for network communication, or opting for plaintext or AES encryption to secure network traffic."
"MystRodX also supports what's called a wake-up mode, thereby enabling it to function as a passive backdoor that can be triggered following the receipt of specially crafted DNS or ICMP network packets from incoming traffic. There is evidence to suggest that the malware may have been around since at least January 2024, based on an activation timestamp set in the configuration."
""Magic value is verified, MystRodX establishes communication with the C2 [command-and-control] using the specified protocol and awaits further commands," XLab researchers said. "Unlike well-known stealth backdoors like SYNful Knock, which manipulates TCP header fields to hide commands, MystRodX uses a simpler yet effective approach: it hides activation instructions directly in the payload of ICMP packets or within DNS query domains.""
MystRodX is a C++ backdoor offering file management, port forwarding, reverse shell, and socket management. The malware employs multiple encryption layers to obscure its source code and payloads, and it enables functions dynamically from configuration options, including TCP or HTTP transport and plaintext or AES encryption of network traffic. A wake-up mode allows passive triggering via specially crafted DNS or ICMP packets. An activation timestamp in the configuration suggests the malware has been operational since at least January 2024. MystRodX, also called ChronosRAT, exhibits overlaps with a China-nexus cyber espionage cluster linked to Liminal Panda. The backdoor verifies a magic value, connects to C2, and awaits commands.
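The passive wake-up described above leaves a network-level footprint a defender can look for: echo requests whose payload is not the usual ping filler, and DNS queries carrying long, random-looking labels. The heuristic below is an added example written for this page; it is not XLab's detection logic or any code from the malware analysis. The filler patterns, thresholds and sample events are constructed assumptions, and no magic values are known from the article, so the code flags anomalies rather than matching a signature.

```python
"""
Heuristic sensor for the two passive-trigger channels the article describes
(activation instructions inside ICMP payloads or DNS query names).
Added example, not XLab's or the malware's code; the filler patterns,
thresholds and sample events are constructed assumptions.
"""
import math
from collections import Counter

# Filler bytes common ping utilities place after the timestamp (assumed defaults).
LINUX_PING_FILLER = bytes(range(0x10, 0x38))
WINDOWS_PING_FILLER = b"abcdefghijklmnopqrstuvwabcdefghi"


def shannon_entropy(data) -> float:
    """Bits per symbol over a bytes or str sequence."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def icmp_payload_reason(payload: bytes, entropy_threshold: float = 3.5):
    """Return a reason string if an echo payload looks like carried data, else None."""
    if payload.endswith(LINUX_PING_FILLER) or payload == WINDOWS_PING_FILLER:
        return None  # ordinary ping filler, nothing to see
    ent = shannon_entropy(payload)
    if ent >= entropy_threshold:
        return f"icmp payload not a known filler and high entropy ({ent:.2f} bits)"
    return None


def dns_name_reason(qname: str, min_label_len: int = 20, entropy_threshold: float = 3.8):
    """Return a reason string if a query name carries a long, random-looking label."""
    labels = qname.rstrip(".").split(".")
    longest = max(labels, key=len)
    ent = shannon_entropy(longest)
    if len(longest) >= min_label_len and ent >= entropy_threshold:
        return f"dns label {longest!r} is long ({len(longest)}) and high entropy ({ent:.2f} bits)"
    return None


def scan_events(events):
    """events: dicts with 'id', 'kind' ('icmp' or 'dns') and 'payload' or 'qname'.
    Returns [(id, reason)] for events worth an analyst's attention."""
    hits = []
    for ev in events:
        if ev["kind"] == "icmp":
            reason = icmp_payload_reason(ev["payload"])
        elif ev["kind"] == "dns":
            reason = dns_name_reason(ev["qname"])
        else:
            reason = None
        if reason:
            hits.append((ev["id"], reason))
    return hits


# Constructed sample events (not captured traffic); e3 and e6 are the odd ones out.
SAMPLE_EVENTS = [
    {"id": "e1", "kind": "icmp", "payload": b"\x00" * 16 + LINUX_PING_FILLER},
    {"id": "e2", "kind": "icmp", "payload": WINDOWS_PING_FILLER},
    {"id": "e3", "kind": "icmp", "payload": bytes((i * 73 + 11) % 256 for i in range(48))},
    {"id": "e4", "kind": "dns", "qname": "www.example.com"},
    {"id": "e5", "kind": "dns", "qname": "cdn-assets-03.example.net"},
    {"id": "e6", "kind": "dns", "qname": "a3f9c1e7b2d4086f5e1c9a7b3d2f4e6c.update.example-cdn.test"},
]

if __name__ == "__main__":
    for event_id, reason in scan_events(SAMPLE_EVENTS):
        print(event_id, reason)
```

Running the block prints the two constructed anomalies (e3 and e6). In practice the ICMP check is the more useful of the two because hosts rarely originate echo requests with arbitrary payloads, while the DNS rule needs an allow-list for legitimate CDN and telemetry names before it is quiet enough to alert on.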
Read at The Hacker News