MystRodX backdoor uses DNS and ICMP triggers for covert manipulation
Cybersecurity researchers have recently unveiled a sophisticated backdoor known as MystRodX, which is designed to capture sensitive data from compromised systems. Implemented in C++, MystRodX boasts features such as file management, port forwarding, reverse shell, and socket management. According to QiAnXin XLab, this backdoor distinguishes itself from typical variants through its exceptional stealth and flexibility. Also referred to as ChronosRAT, MystRodX was first identified by Palo Alto Networks Unit 42 in connection with a threat activity cluster named CL-STA-0969, which is believed to have links to a China-nexus cyber espionage group known as Liminal Panda.
The stealth of MystRodX comes from multiple layers of encryption applied to both its code and its payloads. Its flexibility comes from enabling functions at run time according to its configuration, including the choice of TCP or HTTP for network communication and of plaintext or AES encryption for that traffic. Notably, MystRodX supports a wake-up mode in which it behaves as a passive backdoor, lying dormant until it is activated by specially crafted DNS or ICMP packets. Evidence suggests the malware has been operational since at least January 2024. It is delivered by a dropper that first checks whether it is being debugged or run in a virtual environment; once those checks pass, the dropper decrypts and executes the payload and continues to monitor its components to ensure they keep functioning.
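A passive backdoor that wakes on DNS or ICMP packets is the detection engineer's problem in this story: there is no beacon and no obvious listener, so port- and connection-based rules see nothing, and the trigger has to be found in packet payloads. The script below is an added example, not code from the article or from MystRodX, and it does not reproduce the backdoor's actual trigger format, which the article does not describe. It parses raw IPv4 frames and flags two generic oddities: ICMP echo payloads that do not match the stock ping patterns, and DNS queries whose name carries unusually long labels. The reference ping patterns, the length thresholds, and the embedded sample packets are all constructed assumptions for illustration.

```python
"""Heuristic inspection of raw IPv4 packets for ICMP echo and DNS query payloads
that do not look like ordinary traffic. Added example; thresholds and reference
patterns are assumptions, not the trigger format of any specific backdoor."""
import hashlib
import math
import struct
from collections import Counter

# Assumption: iputils/macOS echo payloads end with bytes 0x10..0x37 after a
# timestamp; Windows ping sends the 32-byte alphabet. Custom "-s" sizes will
# be flagged as well; tune these for your environment.
LINUX_PATTERN = bytes(range(0x10, 0x38))
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"
MAX_DNS_LABEL = 40    # assumption: single labels this long are rare in benign lookups
MAX_DNS_QNAME = 100   # assumption: total question-name length

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value appears equally often."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_standard_ping_payload(payload: bytes) -> bool:
    return not payload or payload == WINDOWS_PATTERN or payload.endswith(LINUX_PATTERN)

def inspect_icmp(icmp: bytes):
    """Reason string for echo request/reply packets carrying a non-standard payload."""
    if len(icmp) < 8 or icmp[0] not in (0, 8):   # only echo types are considered
        return None
    payload = icmp[8:]
    if is_standard_ping_payload(payload):
        return None
    return (f"ICMP echo type {icmp[0]}: non-standard {len(payload)}-byte payload, "
            f"entropy {shannon_entropy(payload):.2f} bits/byte")

def inspect_dns(udp: bytes):
    """Reason string for DNS queries whose question name looks like a data carrier."""
    if len(udp) < 8 or struct.unpack("!H", udp[2:4])[0] != 53:   # UDP dport
        return None
    dns = udp[8:]
    if len(dns) < 12 or struct.unpack("!H", dns[4:6])[0] == 0:   # QDCOUNT
        return None
    labels, off = [], 12
    while off < len(dns) and dns[off] != 0:
        ln = dns[off]
        if ln & 0xC0:          # compression pointer inside a question name: not handled
            return None
        labels.append(dns[off + 1:off + 1 + ln])
        off += 1 + ln
    if not labels:
        return None
    longest = max(len(lbl) for lbl in labels)
    total = sum(len(lbl) + 1 for lbl in labels)
    if longest > MAX_DNS_LABEL or total > MAX_DNS_QNAME:
        name = b".".join(labels).decode("ascii", "replace")
        return f"DNS query name {name!r}: longest label {longest}, total length {total}"
    return None

def inspect_packet(pkt: bytes):
    """Dispatch one raw IPv4 packet to the ICMP or DNS check; returns a reason or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    proto, body = pkt[9], pkt[ihl:]
    if proto == 1:
        return inspect_icmp(body)
    if proto == 17:
        return inspect_dns(body)
    return None

def scan(packets):
    """(index, reason) pairs for every packet the heuristics flag."""
    return [(i, r) for i, r in ((i, inspect_packet(p)) for i, p in enumerate(packets)) if r]

# --- constructed sample packets (checksums left zero; never put these on the wire) ---
def ipv4(proto: int, transport: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + transport

def icmp_echo(payload: bytes) -> bytes:
    return ipv4(1, struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload)

def dns_query(name: str) -> bytes:
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0xBEEF, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    return ipv4(17, struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns)

SAMPLE_PACKETS = [
    icmp_echo(bytes(16) + LINUX_PATTERN),                             # stock Linux ping
    icmp_echo(hashlib.sha256(b"constructed trigger").digest() * 2),   # opaque 64-byte blob
    dns_query("www.example.com"),                                      # ordinary lookup
    dns_query(hashlib.sha256(b"c2").hexdigest()[:48] + ".example.com"),  # 48-char label
]

if __name__ == "__main__":
    for i, reason in scan(SAMPLE_PACKETS):
        print(f"packet {i}: {reason}")
```

Running it flags packets 1 and 3 and leaves the stock ping and the ordinary lookup alone. The point is the shape of the check rather than the thresholds: whatever the real trigger looks like, a trigger that rides on ICMP or DNS is only visible to tooling that reads those payloads, and the benign baseline (what a normal echo payload or query name looks like on your network) is what lets an anomaly stand out. Expect false positives from custom-size pings and long but legitimate CDN or tracking hostnames, so these hits belong in a hunting query or an enrichment pipeline, not a blocking rule.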

