
Cybersecurity researchers have disclosed a new stealthy backdoor called MyStrodx that comes with a variety of features to capture sensitive data from compromised systems.
“MyStrodx is a typical backdoor implemented in C++ and supports features like file management, port forwarding, reverse shell, socket management, and more,” Qianxin XLAB said in a report published last week. “Compared to a typical backdoor, MyStrodx stands out in terms of stealth and flexibility.”
MyStrodx, also known as ChronosRAT, was first documented last month by Palo Alto Networks Unit 42 in connection with a threat activity cluster tracked as CL-STA-0969.

The malware's stealth comes from obfuscating its source code and payload with multiple layers of encryption, while its flexibility comes from the ability to dynamically enable different features based on its configuration, such as choosing TCP or HTTP for network communication, or plaintext or AES encryption to protect network traffic.
MyStrodx also supports a so-called wake-up mode, in which it acts as a passive backdoor that is triggered only after it receives specially crafted DNS or ICMP packets in incoming traffic. There is evidence to suggest that the malware may have existed since at least January 2024, based on the activation timestamp set in the configuration.
“Once the magic value has been verified, MyStrodx establishes communication with the C2 [command-and-control] using the specified protocol and executes more commands,” XLAB researchers said.
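From a detection standpoint, the passive wake-up mode described above means the host receives an ICMP (or DNS) packet that a stock utility would never send. The following added example (not from XLAB's report or the malware itself, and with a trigger format that is not public on this page) is a generic heuristic: it compares ICMP echo payloads against the predictable patterns that unmodified ping utilities generate and flags anything else, with an entropy score to separate encrypted-looking triggers from merely unusual ones. All sample packets are constructed inline.

```python
import math

# Stock ping utilities send predictable echo payloads: Windows ping uses a fixed
# alphabet string, and iputils (Linux) ping writes a timestamp (8 or 16 bytes)
# followed by bytes whose value equals their offset (0x10, 0x11, ... on 64-bit).
# A passive backdoor that waits for an ICMP wake-up packet must receive something
# else, so echo payloads that break these patterns deserve a closer look.
# Heuristic only: the actual trigger format is not disclosed on this page.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
ENTROPY_THRESHOLD = 6.0  # bits per byte; encrypted or random data approaches 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))

def is_standard_ping_payload(payload: bytes) -> bool:
    """True when the payload matches what an unmodified ping utility generates."""
    if payload == WINDOWS_PING_PAYLOAD or len(payload) == 0:
        return True
    if len(payload) <= 16:
        return False  # nothing beyond the timestamp region to match against
    # Skip the timestamp region and require the offset-equals-value pattern.
    return all(payload[i] == (i & 0xFF) for i in range(16, len(payload)))

def classify_icmp_echo(payload: bytes):
    """Return None for a benign-looking echo payload, otherwise a reason string."""
    if is_standard_ping_payload(payload):
        return None
    if shannon_entropy(payload) >= ENTROPY_THRESHOLD:
        return "high-entropy echo payload (possible encrypted wake-up trigger)"
    return "non-standard echo payload"

def scan_echo_requests(packets):
    """packets: iterable of (src_ip, payload) pairs; returns [(src_ip, reason), ...]."""
    return [(src, r) for src, p in packets if (r := classify_icmp_echo(p))]

# Constructed sample traffic (not real captures): a 64-bit Linux ping with a
# zeroed timestamp, a Windows ping, and two crafted payloads (hypothetical).
SAMPLE_PACKETS = [
    ("10.0.0.5", bytes(16) + bytes(range(16, 56))),
    ("10.0.0.6", WINDOWS_PING_PAYLOAD),
    ("203.0.113.9", bytes(range(0, 256, 2))),  # random-looking: 128 distinct bytes
    ("203.0.113.10", b"WAKE:" + bytes(11)),    # short, structured, not a ping pattern
]
```

The same idea applies to the DNS trigger path: compare query names and record types against what resolvers on the segment normally produce, and flag long or high-entropy labels for review.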
The malware is delivered by a dropper that performs debugger and virtual machine checks to determine whether the current process is being debugged or is running inside a virtualized environment. Once these checks are complete, the next-stage payload is decrypted. It contains three components: daytime, a launcher responsible for starting chargen; chargen, the MyStrodx backdoor component; and BusyBox.

Once running, MyStrodx continuously monitors the daytime process and relaunches it immediately if it is found not to be running. The configuration, encrypted with the AES algorithm, includes information about the C2 server, the backdoor type, and the main and backup C2 ports.
“When the backdoor type is set to 1, MyStrodx enters passive backdoor mode and waits for the activation message,” XLAB said. “If the value of the backdoor type is not 1, MyStrodx is in active backdoor mode, establishing communication with the C2 specified in the configuration and waiting for the command to be executed.”