The newly discovered MisterioLNK loader could enable threat actors to evade security solutions while loading their primary payloads. Based on reports, researchers have uncovered this new loader builder and obfuscation tool, which has largely gone undetected by security tools.
In a public blog post earlier this week, the researchers explained that the new loader builder is hosted on GitHub; because it is publicly available, it could pose a significant risk to researchers and security providers alike. The risk starts with the files this tool generates, which currently show minimal or zero detection rates in conventional security systems.
In addition, this open-source loader builder uses Windows script engines to run malicious payloads while applying obfuscation. Its author crafted it to operate discreetly, downloading files into temporary directories before launching them. This design gives its operators evasive capabilities and makes detection by traditional security measures difficult.
As of now, MisterioLNK supports five loader methods: HTA, BAT, CMD, VBS, and LNK. Additionally, it supports various obfuscation methods for VBS, CMD, and BAT, and its authors plan to add support for HTA obfuscation. However, the project is currently in beta status, and the developer disclaims any responsibility for illegal activities conducted using this software.
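The behaviour described above (a Windows script engine such as wscript, cscript, mshta or cmd starting a file that was first dropped into a temporary directory) is something a defender can look for in process-creation telemetry even when the loader file itself is not flagged. The following is an added example written for this page; it is not MisterioLNK's code, not a vendor signature, and the log format, field names, paths and timestamps are all constructed for illustration. It parses a handful of constructed process events and flags the parent/child combinations that match that pattern.

```python
"""
Heuristic detection for "script engine launches a file from a temp directory".
Constructed example for this article: the log format and all sample events
below are invented, and the interpreter list / temp-path list are assumptions
you should tune to your own environment.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Interpreters behind the loader methods the article names:
# cmd.exe (BAT/CMD), wscript/cscript (VBS), mshta (HTA). LNK files are
# typically resolved into one of these, so they are covered indirectly.
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}

# Path fragments treated as temporary directories (assumption: common
# per-user and system temp locations on Windows; compared case-insensitively).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\temp\\")


@dataclass
class ProcessEvent:
    timestamp: str
    parent_image: str
    image: str
    command_line: str


# One event per line, key="value" pairs. This is a simplified constructed
# format, not the layout of any real EDR or Sysmon export.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+ParentImage="(?P<parent>[^"]*)"\s+'
    r'Image="(?P<image>[^"]*)"\s+CommandLine="(?P<cmd>[^"]*)"$'
)


def parse_line(line: str) -> Optional[ProcessEvent]:
    """Return a ProcessEvent for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ProcessEvent(m["ts"], m["parent"], m["image"], m["cmd"])


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (accepts / or \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_temp_dir(path: str) -> bool:
    """True if the path sits under one of the assumed temp directories."""
    p = path.lower().replace("/", "\\")
    return any(marker in p for marker in TEMP_MARKERS)


def is_suspicious(ev: ProcessEvent) -> bool:
    """Script/command interpreter as parent + child image in a temp dir."""
    return basename(ev.parent_image) in SCRIPT_ENGINES and in_temp_dir(ev.image)


def find_suspicious(lines: List[str]) -> List[ProcessEvent]:
    """Parse every line and return the events matching the heuristic."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None and is_suspicious(ev):
            hits.append(ev)
    return hits


# Constructed sample telemetry: three matches, two benign events, one junk line.
SAMPLE_LOG = [
    r'2024-05-01T09:12:03Z ParentImage="C:\Windows\System32\wscript.exe" Image="C:\Users\alice\AppData\Local\Temp\update.exe" CommandLine="update.exe /silent"',
    r'2024-05-01T09:12:10Z ParentImage="C:\Windows\explorer.exe" Image="C:\Program Files\Notepad++\notepad++.exe" CommandLine="notepad++.exe notes.txt"',
    r'2024-05-01T09:13:44Z ParentImage="C:\Windows\System32\cmd.exe" Image="C:\Windows\Temp\svc.exe" CommandLine="svc.exe"',
    r'2024-05-01T09:14:02Z ParentImage="C:\Windows\System32\cmd.exe" Image="C:\Windows\System32\ipconfig.exe" CommandLine="ipconfig /all"',
    r'2024-05-01T09:15:27Z ParentImage="C:\Windows\System32\mshta.exe" Image="C:\Users\alice\AppData\Local\Temp\stage2.exe" CommandLine="stage2.exe"',
    "this line is not a process event and is skipped by the parser",
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_LOG):
        print(f"{ev.timestamp} {basename(ev.parent_image)} -> {ev.image}")
```

Legitimate installers and updaters also launch executables from temp directories, so treat a match as a triage signal to correlate with the dropped file's origin and reputation rather than as a blocking rule on its own.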
Hackers have allegedly started to deploy malware by employing MisterioLNK.
Threat actors have already found the MisterioLNK loader builder, while security tools are still struggling to identify its output. Investigations revealed that threat actors have already started using the new tool to generate obfuscated files for deploying malware such as Remcos RAT, DC, and BlankStealer RATs.
This new tool raises the trojans’ obfuscation capabilities further, as they already evade detection on a regular basis. Experts urge users and companies to stay informed about this new tool, as its capabilities can significantly improve an attacker's process.
Security vendors currently detect the builder’s obfuscated VBS loaders and LNK loaders to some extent, but detection rates for BAT, CMD, HTA, and VBS loader files remain inadequate. Since the project is a work in progress, interested parties should stay informed of any updates so that problems can be prevented or stopped before they start.