Cybersecurity researchers have disclosed a stealthy new backdoor called MystRodX that comes with a variety of features to capture sensitive data from compromised systems.
“MystRodX is a typical backdoor implemented in C++, supporting features like file management, port forwarding, reverse shell, and socket management,” QiAnXin XLab said in a report published last week. “Compared to typical backdoors, MystRodX stands out in terms of stealth and flexibility.”
MystRodX, also called ChronosRAT, was first documented by Palo Alto Networks Unit 42 last month in connection with a threat activity cluster called CL-STA-0969 that it said exhibits overlaps with a China-nexus cyber espionage group dubbed Liminal Panda.
The malware’s stealth stems from the use of various levels of encryption to obscure source code and payloads, while its flexibility allows it to dynamically enable different functions based on a configuration, such as choosing TCP or HTTP for network communication, or opting for plaintext or AES encryption to secure network traffic.
MystRodX also supports what’s called a wake-up mode, thereby enabling it to function as a passive backdoor that can be triggered following the receipt of specially crafted DNS or ICMP network packets from incoming traffic. There is evidence to suggest that the malware may have been around since at least January 2024, based on an activation timestamp set in the configuration.
“Magic value is verified, MystRodX establishes communication with the C2 [command-and-control] using the specified protocol and awaits further commands,” XLab researchers said. “Unlike well-known stealth backdoors like SYNful Knock, which manipulates TCP header fields to hide commands, MystRodX uses a simpler yet effective approach: it hides activation instructions directly in the payload of ICMP packets or within DNS query domains.”
The malware is delivered by means of a dropper that makes use of a spate of debugger- and virtual machine-related checks to determine if the current process is being debugged or it’s being run within a virtualized environment. Once the validation step is complete, the next-stage payload is decrypted. It contains three components –
- daytime, a launcher responsible for launching chargen
- chargen, the MystRodX backdoor component, and
- BusyBox, a legitimate Unix utility software suite (removed in subsequent iterations)
MystRodX, once executed, continuously monitors the daytime process, and if it is not found to be running, immediately launches it. Its configuration, which is encrypted using the AES algorithm, contains information pertaining to the C2 server, backdoor type, and main and backup C2 ports.
“When the Backdoor Type is set to 1, MystRodX enters passive backdoor mode and waits for an activation message,” XLab said. “When the value of Backdoor Type is not 1, MystRodX enters active backdoor mode and establishes communication with the C2 specified in the configuration, waiting to execute the received commands.”
