Spotted in intrusions targeting insurance, education, IT, and professional services sectors
# Tool/Technique: Mistic Backdoor (aka MLTBackdoor)
## Overview
Mistic (tracked as MLTBackdoor) is a self-destructing backdoor used by initial access brokers (IABs) to establish and hold a foothold inside corporate networks. It is built for stealth: a legitimate executable side-loads the malicious DLL, follow-on payloads run in memory rather than from disk, and once its job is done the implant deletes itself to limit the forensic footprint left for responders.
## Technical Details
- **Type:** Malware Family (Backdoor/Trojan)
- **Platform:** Windows
- **Capabilities:** File manipulation, C2 communication, in-memory payload execution, self-deletion.
- **First Seen:** April 2024 (Reported June 2024)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1189 - Drive-by Compromise (ClickFix lures served from compromised websites)
- **TA0002 - Execution**
- T1204.004 - User Execution: Malicious Copy and Paste (the victim pastes the ClickFix command into a Run dialog or terminal themselves)
- **TA0005 - Defense Evasion**
- T1574.002 - Hijack Execution Flow: DLL Side-Loading
- T1620 - Reflective Code Loading (payloads fetched from C2 run directly in memory and are never written to disk)
- T1070.004 - Indicator Removal: File Deletion (Self-destruct mechanism)
- **TA0008 - Lateral Movement**
- T1210 - Exploitation of Remote Services (inferred: the backdoor supplies the foothold; lateral movement is carried out by the affiliates who buy the access)
- **TA0011 - Command and Control**
- T1071.001 - Application Layer Protocol: Web Protocols (HTTP/S)
## Functionality
### Core Capabilities
- **File Management:** Ability to upload, download, move, rename, and delete files on the host system.
- **Directory Control:** Capability to create and modify folders.
- **Command Execution:** Periodically checks an attacker-controlled C2 server for new instructions.
### Advanced Features
- **In-Memory Execution:** Executes payloads received from C2 directly in the process's memory without writing them to disk, so file-based signature scanning never sees them; detection has to come from memory scanning or behaviour.
- **DLL Side-Loading:** Leverages a legitimate executable (`MpExtMs.exe`) that searches its own directory for a DLL it expects (`EndpointDlp.dll`); the attacker drops a malicious DLL of that name beside it, so the backdoor code runs inside a trusted-looking process.
- **Self-Destruct Kill Switch:** Upon completion of its task or a specific command, the malware terminates its process and deletes its own files from the system to hinder incident response and forensic analysis.
## Indicators of Compromise
- **File Names:**
- `MpExtMs.exe` (Legitimate executable used for side-loading)
- `EndpointDlp.dll` (The malicious backdoor component)
- **Network Indicators:**
- hxxp://attacker-c2-domain[.]tld (placeholder for the C2 domain; the report does not publish the live indicator, so substitute the values from your own intelligence feed)
- **Behavioral Indicators:**
- Unexpected network activity originating from legitimate-looking processes like `MpExtMs.exe`.
- Presence of `EndpointDlp.dll` in directories where it is not typically installed.
- Process self-termination followed by immediate file deletion of the binary.
## Associated Threat Actors
- **KongTuke (aka Woodgnat):** An initial access broker (IAB) known for selling corporate access to major ransomware-as-a-service (RaaS) groups.
- **Ransomware Affiliates:** Historically linked via KongTuke to groups including **Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta**.
## Detection Methods
- **Behavioral Detection:** Monitor image-load telemetry (for example Sysmon Event ID 7) for a legitimate, signed binary loading an unsigned DLL from the same user-writable directory, and specifically for `MpExtMs.exe` loading `EndpointDlp.dll` from anywhere other than its normal install location. Correlate with network connections from that process and with file deletions of the pair shortly after the process exits.
- **Memory Scanning:** Use EDR tools to scan for unbacked executable memory regions or anomalous payloads running in the address space of legitimate processes.
- **ClickFix Monitoring:** Identify and block traffic to compromised sites (often WordPress) that serve ClickFix-style social engineering overlays.
## Mitigation Strategies
- **Endpoint Hardening:** Implement Windows Defender Application Control (WDAC) or AppLocker to block unauthorized DLLs from loading. Note that AppLocker's DLL rule collection is off by default and must be enabled explicitly; WDAC enforces DLL loads by default.
- **Directory Permissions:** Side-loading of this kind drops the legitimate executable and the malicious DLL together into a user-writable directory. Deny execution from user-writable locations (for example via AppLocker path rules) and keep the install directories of legitimate binaries non-writable to standard users.
- **Security Awareness:** Educate users on "ClickFix" lures, which often present fake browser update notifications or "fix" prompts.
## Related Tools/Techniques
- **ModeloRAT:** A Python-based remote access trojan often deployed alongside Mistic by the KongTuke group.
- **ClickFix:** The delivery mechanism (social engineering/fake updates) commonly used to initiate the infection chain.
- **DLL Side-loading:** The primary execution technique used to maintain a low profile.