MisterioLNK: The Open-Source Builder Behind Malicious Loaders
Summary:
A new, previously undetected loader builder, dubbed "MisterioLNK," has been identified by Cyble Research and Intelligence Labs (CRIL). This versatile tool, publicly accessible on GitHub, poses a significant threat to security defenses due to its ability to generate loader files that largely evade detection by conventional security systems. MisterioLNK, a Windows script engine-based loader builder, employs obfuscation techniques that allow for minimal detection rates. It operates discreetly by downloading files in temporary directories and then launching them. The tool supports five loader methods (HTA, BAT, CMD, VBS, and LNK) and three obfuscation methods (for VBS, CMD, and BAT), with plans to add more. Additionally, it allows for the customization of LNK file icons. Misterio downloader is a .NET-based tool that is comprised of two components: a loader builder and an obfuscator. The builder accepts a URL hosting a malicious second-stage payload and generates BAT, CMD, HTA, LNK, or VBS files based on the user’s selection. These generated files are designed to connect to the URL, download the payload, and execute it. While still in beta development, MisterioLNK has already been utilized by threat actors to distribute malware, including Remcos RAT, DC RAT, and BlankStealer. CRIL's analysis revealed that many of the loader files generated by MisterioLNK currently remain undetected by most security vendors.
Security Officer Comments:
The emergence of MisterioLNK highlights the ongoing evolution of threat actor defense evasion tactics and the ineffectiveness of current security tools against them. The builder’s open-source nature and focus on evasion make it a powerful weapon even in the hands of inexperienced threat actors. The ability of the downloader to generate obfuscated files for various malware families underscores the need for organizations to adopt advanced threat detection and response capabilities. Security vendors should invest in research and development to improve detection rates for such sophisticated threats. Organizations should prioritize proactive security measures including regular vulnerability assessments to mitigate the risks associated with emerging threats like MisterioLNK. This research comes as a recent campaign delivers Remcos RAT to victims by encouraging them to click an email phishing link that directs them to a legitimate tax organization’s GitHub URL which then delivers the Remcos RAT malware being hosted in the trusted repository’s comments. Another recent development involving open-source malware on GitHub is a phishing campaign that impersonates Royal Mail and delivers open-source Prince Ransomware.
Suggested Corrections:
MITRE ATT&CK TTPS and relevant IOCs are published here.
Recommendations from Cyble Research and Intelligence Labs (CRIL)
https://cyble.com/blog/misteriolnk-the-open-source-builder-behind-malicious-loaders/
https://github.com/K3rnel-Dev/MisterioLNK/tree/main
A new, previously undetected loader builder, dubbed "MisterioLNK," has been identified by Cyble Research and Intelligence Labs (CRIL). This versatile tool, publicly accessible on GitHub, poses a significant threat to security defenses due to its ability to generate loader files that largely evade detection by conventional security systems. MisterioLNK, a Windows script engine-based loader builder, employs obfuscation techniques that allow for minimal detection rates. It operates discreetly by downloading files in temporary directories and then launching them. The tool supports five loader methods (HTA, BAT, CMD, VBS, and LNK) and three obfuscation methods (for VBS, CMD, and BAT), with plans to add more. Additionally, it allows for the customization of LNK file icons. Misterio downloader is a .NET-based tool that is comprised of two components: a loader builder and an obfuscator. The builder accepts a URL hosting a malicious second-stage payload and generates BAT, CMD, HTA, LNK, or VBS files based on the user’s selection. These generated files are designed to connect to the URL, download the payload, and execute it. While still in beta development, MisterioLNK has already been utilized by threat actors to distribute malware, including Remcos RAT, DC RAT, and BlankStealer. CRIL's analysis revealed that many of the loader files generated by MisterioLNK currently remain undetected by most security vendors.
Security Officer Comments:
The emergence of MisterioLNK highlights the ongoing evolution of threat actor defense evasion tactics and the ineffectiveness of current security tools against them. The builder’s open-source nature and focus on evasion make it a powerful weapon even in the hands of inexperienced threat actors. The ability of the downloader to generate obfuscated files for various malware families underscores the need for organizations to adopt advanced threat detection and response capabilities. Security vendors should invest in research and development to improve detection rates for such sophisticated threats. Organizations should prioritize proactive security measures including regular vulnerability assessments to mitigate the risks associated with emerging threats like MisterioLNK. This research comes as a recent campaign delivers Remcos RAT to victims by encouraging them to click an email phishing link that directs them to a legitimate tax organization’s GitHub URL which then delivers the Remcos RAT malware being hosted in the trusted repository’s comments. Another recent development involving open-source malware on GitHub is a phishing campaign that impersonates Royal Mail and delivers open-source Prince Ransomware.
Suggested Corrections:
MITRE ATT&CK TTPS and relevant IOCs are published here.
Recommendations from Cyble Research and Intelligence Labs (CRIL)
- Implement security solutions that can recognize and detect the specific obfuscation patterns and script formats generated by MisterioLNK Builder.
- Use software restriction policies or application whitelisting to limit the execution of unauthorized scripts and reduce the attack surface for loaders like MisterioLNK.
- Focus on behavioral detection strategies to identify suspicious activities, like the use of scripting engines to download and execute files, regardless of obfuscation.
- Educate users about the risks associated with executing files from unknown or untrusted sources, emphasizing the dangers of seemingly benign shortcut files (.lnk).
https://cyble.com/blog/misteriolnk-the-open-source-builder-behind-malicious-loaders/
https://github.com/K3rnel-Dev/MisterioLNK/tree/main