Backdoor.Mistic: New Backdoor May be Linked to Ransomware Access Broker

Backdoor.Mistic is a stealthy new backdoor used in cybercrime intrusions since April 2026, and it has appeared alongside ModeloRAT in activity linked to Woodgnat. The campaign relies on DLL sideloading, in-memory execution, and opportunistic targeting across sectors such as insurance, education, IT, and professional services. #BackdoorMistic #ModeloRAT #Woodgnat #Qilin

Key points

  • Backdoor.Mistic has been observed in multiple intrusions since April 2026 and was first documented publicly by Zscaler as MLTBackdoor.
  • The backdoor was deployed through DLL sideloading using legitimate-looking files such as MpExtMs.exe and EndpointDlp.dll.
  • Mistic runs payloads directly in memory, supports file and system manipulation, and includes a kill switch for self-deletion.
  • The activity appears opportunistic and has affected organizations in insurance, education, IT, and professional services.
  • Mistic was observed alongside ModeloRAT, a Python-based RAT associated with Woodgnat, an actor that has also been linked to Qilin ransomware deployment.
  • Woodgnat operates as an initial access broker and is publicly linked to multiple ransomware groups, including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.
  • The broader tradecraft includes ClickFix, FileFix, CrashFix, PowerShell chains, RC4-encrypted C2, persistence mechanisms, and extensive reconnaissance.

MITRE Techniques

  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – MpExtMs.exe loaded the malicious EndpointDlp.dll placed beside it (‘MpExtMs.exe… was used to sideload malicious DLLs’).
  • [T1055] Process Injection – The backdoor executes payloads in memory (‘runs payloads in memory with no file written to disk’). Note that the quoted evidence establishes in-memory execution, which on its own maps more precisely to [T1620] Reflective Code Loading; T1055 applies only where the payload is placed into another process.
  • [T1105] Ingress Tool Transfer – Attackers used curl and PowerShell to download payloads and components (‘download payloads’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell was used to run commands, download payloads, traverse networks, and execute attacker-supplied commands (‘run commands, download payloads’).
  • [T1083] File and Directory Discovery – The operators enumerated files and staged data while using Windows tooling for host assessment (‘gathering host and service inventories’).
  • [T1087.002] Account Discovery: Domain Account – The attackers enumerated domain users and groups with net.exe (‘enumerating domain users, groups, computers and sessions’).
  • [T1018] Remote System Discovery – Windows tools were used to enumerate computers and sessions across the environment (‘computers and sessions’).
  • [T1021.002] Remote Services: SMB/Windows Admin Shares – Windows administrative tools and remote execution capabilities were used to move through compromised networks (‘execute commands on remote computers’).
  • [T1135] Network Share Discovery – The operators gathered network resource information using net.exe (‘manage network resources’).
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence was established through Run-key entries (‘using names such as AnyDesk, Splashtop and Comms’); other configuration changes made through registry edits fall under [T1112] Modify Registry.
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Persistence also included scheduled tasks (‘scheduled tasks’).
  • [T1204.004] User Execution: Malicious Copy and Paste – Victims were tricked into pasting and running attacker-supplied commands via ClickFix, FileFix, and Teams lures (‘paste-and-run’).
  • [T1566.003] Phishing: Spearphishing via Service – Social-engineering lures were delivered through Microsoft Teams rather than as mail attachments (‘helpdesk and IT-support pretexts delivered through external Microsoft Teams chats’).
  • [T1071.001] Application Layer Protocol: Web Protocols – Data was staged and sent over HTTP (‘exfiltrated over HTTP using curl.exe’). The exfiltration step itself maps to [T1048.003] Exfiltration Over Unencrypted Non-C2 Protocol, or to [T1041] Exfiltration Over C2 Channel if the destination was the C2 server.
  • [T1106] Native API – The loader hooked GetModuleFileNameW and LoadLibraryW to control execution flow (‘hooks GetModuleFileNameW and LoadLibraryW’).
  • [T1027] Obfuscated Files or Information – The group used obfuscation and layered encryption (‘more heavily obfuscated variant’); the domain-generation algorithm mentioned alongside it maps to [T1568.002] Dynamic Resolution: Domain Generation Algorithms.
  • [T1218] System Binary Proxy Execution – certutil was abused to fetch or decode attacker code. The other signed binaries named, pythonw.exe and node.exe, are third-party interpreters rather than Windows system binaries and are better captured by [T1059.006] Python and [T1059.007] JavaScript (‘abused as the carrier and runtime’).
  • [T1068] Exploitation for Privilege Escalation – A file associated with likely privilege escalation was present (‘Likely privilege escalation – n.dll’).

Indicators of Compromise

  • [File hashes] Backdoor.Mistic / loader components – 1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984, 59e3c4cb06331b4f2d78a9a0592f3747e573bd01c5a7650c26361d1e25520712, and 2 more hashes
  • [File names] malicious DLLs, loader, and fake lock screen – endpointdlp.dll, version.dll, and other named files including f.dll and aeff97fe.msi (version.dll is a common sideload name, so match it on hash or path, not name alone)
  • [IP addresses] command-and-control or related infrastructure – 142.93.242.144, 144.31.53.78, and 2 more IPs
  • [Domains] lure, update, and C2-related infrastructure – authorized-logins.net, updater-worelos.com, and 14 more domains
  • [URLs] downloader or lure paths – hxxp://thomphon.com/update.msi, and related update or login URLs


Read more: https://www.security.com/threat-intelligence/new-mistic-backdoor-modelorat