Self-destructing Mistic backdoor linked to access broker selling corporate footholds to ransomware gangs


A new self-destructing backdoor called Mistic used in intrusions since April appears to be linked to a criminal gang that compromises corporate networks and then sells that access to ransomware groups, according to security researchers.

This backdoor, also tracked as MLTBackdoor, was first documented by Zscaler earlier this month, with the security shop suggesting the novel malware is “likely used in ransomware attacks to establish a foothold for lateral movement.”

In a Wednesday threat brief, Symantec and Carbon Black threat hunters say the backdoor has been used to access multiple organizations' networks over the past few months, including those in insurance, education, IT, and professional services. 

Additionally, the security sleuths reported, “Mistic may be linked to the financially motivated initial access broker (IAB) tracked publicly as KongTuke (which we track as Woodgnat) and it was used in one intrusion that also involved the group's ModeloRAT remote access trojan.”

KongTuke and other IABs don’t deliver the final payload – such as ransomware – to compromised companies. Rather, they break into company systems and then sell that foothold to other criminals, like ransomware gangs, who carry out the rest of the attack.

Symantec and Carbon Black arrived at their low-confidence attribution after at least one case where Mistic was deployed in close proximity to ModeloRAT, the Python-based remote access trojan KongTuke also developed. 

KongTuke has previously been linked to attacks from various ransomware crews including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.

“Our Threat Hunter Team has separately observed ModeloRAT used in attacks that deployed Qilin ransomware, linking this tool to ransomware deployment,” Symantec and Carbon Black noted.

Plus, Zscaler reported Mistic being delivered in a multi-stage ClickFix infection chain, which is another pointer to KongTuke, as the group is known to use that initial access technique.

In one case that Symantec and Carbon Black responded to, Mistic was DLL side-loaded: a legitimate executable, MpExtMs.exe, loaded the backdoor from a DLL named EndpointDlp.dll placed alongside it, a filename that likely helped the backdoor blend in with legitimate software.
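The side-loading pairing above is exactly the kind of thing an image-load hunt can catch. The following is an added example, not code from Symantec, Carbon Black or Zscaler: it runs a simple check over constructed records shaped like Sysmon Event ID 7 (ImageLoaded) and flags MpExtMs.exe loading EndpointDlp.dll from somewhere other than where the Defender binaries are expected to live, or with a signature that is not Microsoft's. The expected directories and the sample records are assumptions made for the example; only the two filenames come from the article.

```python
"""Hunt for MpExtMs.exe loading EndpointDlp.dll from an unexpected place.

Added example. The events below are constructed to resemble a subset of Sysmon
Event ID 7 fields; EXPECTED_DIRS is an assumption about where Defender binaries
normally live, not something taken from the article.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

TARGET_EXE = "mpextms.exe"      # legitimate host executable named in the article
TARGET_DLL = "endpointdlp.dll"  # DLL name the backdoor was loaded from

# Assumed legitimate parent directories for Defender binaries (assumption).
EXPECTED_DIRS = (
    PureWindowsPath(r"C:\Program Files\Windows Defender"),
    PureWindowsPath(r"C:\ProgramData\Microsoft\Windows Defender\Platform"),
)


@dataclass
class ImageLoad:
    """Subset of Sysmon Event ID 7 (ImageLoaded) fields we need for the check."""
    image: str          # executable that performed the load
    image_loaded: str   # DLL that was mapped into it
    signed: bool        # Sysmon 'Signed' field
    signature: str      # Sysmon 'Signature' field (signer subject), empty if unsigned


def in_expected_dir(path: str) -> bool:
    """True if path sits anywhere below one of EXPECTED_DIRS (case-insensitive)."""
    p = PureWindowsPath(path)
    return any(d in p.parents for d in EXPECTED_DIRS)


def assess(ev: ImageLoad) -> list[str]:
    """Return reasons this load looks like the reported side-loading; [] means not flagged."""
    exe = PureWindowsPath(ev.image)
    dll = PureWindowsPath(ev.image_loaded)
    if exe.name.lower() != TARGET_EXE or dll.name.lower() != TARGET_DLL:
        return []  # not the pairing we are hunting for
    reasons: list[str] = []
    if not in_expected_dir(str(exe)):
        reasons.append(f"{exe.name} running from {exe.parent}, outside expected Defender directories")
    if not in_expected_dir(str(dll)):
        reasons.append(f"{dll.name} loaded from {dll.parent}, outside expected Defender directories")
    if not ev.signed or not ev.signature.lower().startswith("microsoft"):
        reasons.append(f"{dll.name} is not Microsoft-signed (signature={ev.signature!r})")
    return reasons


def hunt(events: list[ImageLoad]) -> list[tuple[ImageLoad, list[str]]]:
    """Run assess() over a batch of events and keep only the flagged ones."""
    return [(ev, r) for ev in events if (r := assess(ev))]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # Benign-looking load from an assumed platform directory, Microsoft-signed.
    ImageLoad(r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MpExtMs.exe",
              r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\EndpointDlp.dll",
              True, "Microsoft Windows"),
    # Suspicious: legitimate exe copied next to an unsigned DLL in a user-writable folder.
    ImageLoad(r"C:\Users\Public\Music\MpExtMs.exe",
              r"C:\Users\Public\Music\EndpointDlp.dll",
              False, ""),
    # Unrelated load that the hunt should ignore.
    ImageLoad(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\shell32.dll",
              True, "Microsoft Windows"),
]

if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE_EVENTS):
        print(f"FLAGGED: {ev.image} -> {ev.image_loaded}")
        for reason in reasons:
            print("  -", reason)
```

In a real deployment the same three checks (host executable location, DLL location, signer) map directly onto a SIEM query over Sysmon Event ID 7 or equivalent EDR image-load telemetry; the point of checking the executable's own path as well as the DLL's is that side-loading usually involves copying the legitimate binary somewhere writable, so the host process path is as much a signal as the DLL.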

Mistic has all the usual backdoor functionality: It can upload, download, move, rename, and delete files. It can also create new folders, and check for additional commands from the attacker-controlled command-and-control (C2) server. 

But here’s the stealthy part: it can run payloads fetched from the C2 server directly in memory – so the payloads are never written to disk – which helps it dodge file-based scanning in antivirus and endpoint detection products. That evasion only goes so far: memory scanning, and behavioural telemetry such as process creation, image loads and outbound connections from an otherwise quiet process, still see it.

When the mission is accomplished, it terminates and deletes itself. For responders that means little may be left on disk after the fact; memory captures taken while it is running, and endpoint telemetry such as image-load and file-deletion events, are the evidence that survives.

“The fact that Mistic executes in memory and also has a kill switch built in means that it is very stealthy, potentially allowing for long-term, stealthy access for attackers,” the threat hunters wrote. ®