Cybersecurity researchers recently disclosed a stealthy new backdoor called MystRodX, which comes with a variety of features to capture sensitive data from compromised systems.
QiAnXin XLab explained in a report published last week, “MystRodX is a typical backdoor implemented in C++, supporting features like file management, port forwarding, reverse shell, and socket management.” They emphasized that, “Compared to typical backdoors, MystRodX stands out in terms of stealth and flexibility.”
Palo Alto Networks Unit 42 first documented MystRodX, also known as ChronosRAT, last month. The researchers connected it to a threat activity cluster tracked as CL-STA-0969 and noted that it exhibits overlaps with a China-nexus cyber espionage group dubbed Liminal Panda.
The malware achieves stealth by using multiple levels of encryption to obscure both its source code and payloads. At the same time, its flexibility allows it to dynamically activate different functions based on a configuration. For example, it can choose between TCP or HTTP for network communication, or switch between plaintext and AES encryption to secure traffic.
In addition, MystRodX supports a wake-up mode that enables it to act as a passive backdoor. Attackers can trigger this mode by sending specially crafted DNS or ICMP network packets hidden within incoming traffic. Based on an activation timestamp in the configuration, researchers believe the malware has circulated since at least January 2024.
XLab researchers explained, “[Once the] magic value is verified, MystRodX establishes communication with the C2 [command-and-control] using the specified protocol and awaits further commands.” They further compared it to other threats: “Unlike well-known stealth backdoors like SYNful Knock, which manipulates TCP header fields to hide commands, MystRodX uses a simpler yet effective approach: it hides activation instructions directly in the payload of ICMP packets or within DNS query domains.”
Attackers deliver MystRodX using a dropper that runs multiple debugger- and virtual machine-related checks to confirm the environment. Once the validation completes, the dropper decrypts the next-stage payload, which contains three components:
- daytime, a launcher that starts chargen
- chargen, the MystRodX backdoor component
- busybox
After execution, MystRodX continuously monitors the daytime process. If the process stops running, the malware immediately relaunches it. Its configuration, encrypted with the AES algorithm, stores critical information such as the C2 server, backdoor type, and primary and backup C2 ports.
XLab highlighted the backdoor’s dual nature: “When the Backdoor Type is set to 1, MystRodX enters passive backdoor mode and waits for an activation message. When the value of Backdoor Type is not 1, MystRodX enters active backdoor mode and establishes communication with the C2 specified in the configuration, waiting to execute the received commands.”
Source: TheHackerNews