MystRodX Backdoor Hides in DNS and ICMP, Giving Hackers Evasive Access
A sophisticated new backdoor dubbed MystRodX is making waves in the cybersecurity community. Researchers have uncovered its ability to remain hidden by leveraging DNS and ICMP protocols, allowing attackers to discreetly infiltrate systems and exfiltrate sensitive information.
Cybersecurity researchers have uncovered a sneaky new backdoor called MystRodX. It's packed with features designed to steal sensitive data from infected systems.
According to QiAnXin XLab, "MystRodX is a typical backdoor implemented in C++, supporting features like file management, port forwarding, reverse shell, and socket management." But they say it really stands out due to its stealth and flexibility.
You might have heard of MystRodX under another name: ChronosRAT. Palo Alto Networks Unit 42 first spotted it last month, linking it to a threat group called CL-STA-0969. They believe this group has connections to Liminal Panda, a Chinese cyber espionage outfit.
What Makes MystRodX So Tricky?
The key to MystRodX's stealth is encryption. It uses multiple layers to hide its source code and payloads. Plus, it's super flexible. It can dynamically change its functions based on its configuration. Think choosing between TCP or HTTP for communication, or using plaintext or AES encryption for network traffic.
It even has a "wake-up" mode, acting as a passive backdoor. It sits quietly until it receives specific DNS or ICMP network packets. Evidence suggests this malware might have been lurking since at least January 2024.
"Magic value is verified, MystRodX establishes communication with the C2 [command-and-control] using the specified protocol and awaits further commands," XLab researchers noted. Unlike some stealthy backdoors, like SYNful Knock, MystRodX hides activation instructions directly in ICMP packet payloads or DNS query domains. Simple, but effective.
How Does It Get In?
MystRodX arrives via a dropper. This dropper checks for debuggers and virtual machines to see if it's being analyzed. If it passes these checks, it decrypts the next stage, which includes three key parts:
daytime: A launcher that startschargen.chargen: The actual MystRodX backdoor.busybox
Once running, MystRodX constantly monitors the daytime process. If it's not running, MystRodX restarts it. Its configuration, encrypted with AES, contains vital information: C2 server details, the backdoor type, and the main and backup C2 ports.
XLab explains: "When the Backdoor Type is set to 1, MystRodX enters passive backdoor mode and waits for an activation message. When the value of Backdoor Type is not 1, MystRodX enters active backdoor mode and establishes communication with the C2 specified in the configuration, waiting to execute the received commands." In short, it's either waiting for a signal or actively reaching out to its controllers.
