Weaponizing DNS and ICMP for Data Theft
MystRodX is a sophisticated backdoor that exploits the DNS and ICMP protocols to stealthily activate and exfiltrate data from compromised systems.
Deployed via a dropper disguised as a Mirai variant, MystRodX remained undetected for over 20 months by hiding its activation logic within network packet payloads.
Security researchers have found that MystRodX supports both active and passive modes. In passive mode, it binds to no open ports, instead monitoring all incoming traffic on a raw socket.

Activation requires a specially crafted DNS query or ICMP packet containing an encrypted payload. Once decrypted using MystRodX’s custom “transform algorithm,” the payload yields four fields—Magic, Protocol, Port, and C2 IP—and triggers a connection to the attacker’s command server.
Attackers craft DNS queries in the form www.DomainName.com, where the DomainName segment is a Base64-encoded, multi-layer XOR–encrypted string.
After decoding and transformation, the plaintext activation packet reveals its Magic value (“CAT”), instructs the backdoor to use TCP on port 8010, and points it to C2 server 149.28.137.254.
This technique allows MystRodX to lie dormant until the precise moment of activation, bypassing firewall rules and intrusion detection systems.
In parallel, attackers can use ICMP echo requests to wake MystRodX. The ICMP payload begins with a standard ping header followed by the custom-encrypted activation data specifying an HTTP-based check-in to C2 IP 192.168.96.1 on port 443.
A valid DNS trigger packet must follow the format: www.DomainName.com.

Upon receipt, MystRodX decrypts and initiates an HTTP-formatted handshake, confirming its presence to the remote server.
Stealth and Flexibility
MystRodX excels in evasion through a differentiated encryption strategy. VM- and debugger-related strings are protected by single-byte XOR, while payloads, AES keys, and triggers undergo the transform algorithm.
Configuration data is encrypted via AES-CBC, and network traffic can optionally be AES-encrypted. Flexible features, including TCP or HTTP communication and plaintext or encrypted traffic, are toggled dynamically via configuration offset flags.
MystRodX enables traffic encryption only if the decrypted MagicString matches the hardcoded value “0x68abut”.
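The single-byte XOR layer described above is the weakest of the three schemes, and it is the one an analyst meets first when pulling anti-VM and anti-debug strings out of a sample. The following is an added example, not code from the XLab report or from the malware: it brute-forces all 256 keys over a string table and keeps the keys whose output is printable and contains a known marker. The marker list, the XOR key 0x5A and the NUL-separated string table are constructed for the demonstration and are not values taken from MystRodX.

```python
import string

# Constructed marker list for the demonstration; the real strings MystRodX protects
# are not reproduced here, so substitute the ones observed in a sample.
KNOWN_MARKERS = [b"vmware", b"qemu", b"TracerPid", b"gdb"]

# Printable ASCII plus NUL, since decoded C string tables are NUL-separated.
PRINTABLE = set(string.printable.encode()) | {0}


def xor1(data: bytes, key: int) -> bytes:
    """Single-byte XOR, which is its own inverse."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that look like text; near 1.0 for a correctly decoded table."""
    return sum(b in PRINTABLE for b in data) / max(len(data), 1)


def recover_single_byte_xor(blob: bytes, markers=KNOWN_MARKERS, min_printable=0.95):
    """Try every key; keep (key, plaintext) pairs whose plaintext is mostly printable
    and contains at least one marker. Best candidates (most markers hit) come first."""
    candidates = []
    for key in range(256):
        dec = xor1(blob, key)
        if printable_ratio(dec) < min_printable:
            continue
        hits = sum(1 for m in markers if m in dec)
        if hits:
            candidates.append((key, dec, hits))
    candidates.sort(key=lambda t: -t[2])
    return [(key, dec) for key, dec, _ in candidates]


def split_c_strings(dec: bytes):
    """Split a decoded NUL-separated table into individual strings."""
    return [s for s in dec.split(b"\x00") if s]


# Constructed sample: a small string table XORed with key 0x5A (the key is an assumption,
# chosen for the example, not the key used by the malware).
SAMPLE_TABLE = b"vmware\x00qemu\x00TracerPid:\x00/proc/self/status\x00"
SAMPLE_BLOB = xor1(SAMPLE_TABLE, 0x5A)

if __name__ == "__main__":
    for key, dec in recover_single_byte_xor(SAMPLE_BLOB):
        print(f"key=0x{key:02x}: {split_c_strings(dec)}")
```

The printable-ratio filter is what keeps the candidate list short: most keys turn the blob into binary noise, and the marker check then picks the right key from the handful of printable outputs. For a multi-layer scheme like the report's "transform algorithm" this brute force is not sufficient, which is exactly why the author reserves single-byte XOR for the low-value strings.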

XLab researchers probed networks worldwide by sending activation packets, but only their test environments responded.
This suggests wild samples may employ unique magic values, keys, or passive mode settings that evade generic probes.
However, active C2 probing identified three live command servers—149.28.137.254, 156.244.6.68, and 185.22.153.228—all issuing Command 7 to enable traffic encryption.
Only 149.28.137.254’s command decrypted with known public keys tied to the “neybquno” campaign, while the others point to unknown campaigns, indicating additional undetected samples remain in the wild.
The value of key2 is computed using a checksum-like algorithm on the xorkey, which in this case is 0x90.

Despite incremental improvements—detection rates rose from 4/65 to 6/65—most antivirus engines still mislabel MystRodX as Mirai.
Patching experiments that removed or replaced VM/debugger strings lowered detection rates further, illustrating that signature-based scanners focus on superficial patterns rather than core backdoor behavior.
MystRodX’s dropper uses a dual-stage XOR transform to decrypt its payload components—chargen, busybo, and the daytime launcher.
A checksum verification ensures integrity before deploying the backdoor. The launcher then continuously monitors the backdoor process, restarting it if terminated, forming a dual-process guardian mechanism that assures persistent operation.
Network Protocol and Commands
Once activated, MystRodX communicates using a custom protocol: a 4-byte packet length followed by MainCode, SubCode, direction flags, and data.
MainCode 1 handles management tasks—beacon, device info upload, configuration updates—while codes 2, 5, 7, and 8 enable reverse shell, file management, port forwarding, and SOCKS proxy, respectively. Encrypted traffic adds a padded header and ciphertext for further obfuscation.
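A dissector for the plaintext framing is the natural first tool for a responder working through a capture of this traffic. The block below is an added example, not code from the XLab report or the malware: it frames and parses messages using the field order the article gives (4-byte length, MainCode, SubCode, direction flag, data) and labels each frame with the capability the MainCode maps to. The field widths, the big-endian length and the rule that the length covers everything after itself are assumptions; the MainCode-to-capability mapping is the one stated above. The sample stream is constructed inline.

```python
import struct

# Capability names per MainCode, as listed in the article.
MAINCODE_NAMES = {
    1: "management",
    2: "reverse shell",
    5: "file management",
    7: "port forwarding",
    8: "socks proxy",
}

# Assumed layout (the article gives field order, not widths): 4-byte big-endian length
# covering everything after it, then 1-byte MainCode, 1-byte SubCode, 1-byte direction.
HEADER_AFTER_LEN = struct.Struct(">BBB")


def build_frame(main_code: int, sub_code: int, direction: int, data: bytes) -> bytes:
    """Assemble one frame in the assumed layout (used here to construct test input)."""
    body = HEADER_AFTER_LEN.pack(main_code, sub_code, direction) + data
    return struct.pack(">I", len(body)) + body


def parse_frames(stream: bytes):
    """Split a captured byte stream into frames. A truncated or malformed frame is
    recorded as an error entry and parsing stops, so the analyst sees the capture gap."""
    frames = []
    off = 0
    while off + 4 <= len(stream):
        (length,) = struct.unpack_from(">I", stream, off)
        if length < HEADER_AFTER_LEN.size or off + 4 + length > len(stream):
            frames.append({"error": "truncated or malformed frame", "offset": off})
            break
        main_code, sub_code, direction = HEADER_AFTER_LEN.unpack_from(stream, off + 4)
        data = stream[off + 4 + HEADER_AFTER_LEN.size : off + 4 + length]
        frames.append({
            "main": main_code,
            "name": MAINCODE_NAMES.get(main_code, "unknown"),
            "sub": sub_code,
            "direction": direction,
            "data": data,
        })
        off += 4 + length
    return frames


def capabilities_used(stream: bytes):
    """Set of capability names seen in a stream; useful for scoping an incident
    (was it only beaconing, or did the operator open a shell or proxy?)."""
    return {f["name"] for f in parse_frames(stream) if "error" not in f}


# Constructed sample stream: a beacon, a reverse-shell frame and an unknown code.
SAMPLE_STREAM = (
    build_frame(1, 0, 0, b"beacon")
    + build_frame(2, 1, 1, b"id\n")
    + build_frame(9, 0, 0, b"")
)

if __name__ == "__main__":
    for frame in parse_frames(SAMPLE_STREAM):
        print(frame)
    print("capabilities:", capabilities_used(SAMPLE_STREAM))
```

When the session has been switched to the encrypted mode the article describes (Command 7), the length prefix is followed by a padded header and ciphertext rather than these fields, so the parser should be applied only to the plaintext phase or after the AES layer has been removed.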
Organizations should monitor unusual DNS queries and ICMP traffic containing anomalous payload lengths or unexpected Base64 strings. Network intrusion detection systems can be tuned to flag packets deviating from standard formats.
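One way to turn the two recommendations above, and the trigger format described earlier (www.DomainName.com with a Base64 blob in the middle label, and ICMP echo requests carrying extra payload), into a concrete check is to run a small heuristic over DNS query logs and ICMP size records. The block below is an added example, not code from the XLab report or any vendor product. It does not attempt to decrypt a trigger; it only flags query names whose middle label is long, mixed-case and valid Base64, and echo requests whose payload exceeds a normal ping. The log line format, the length thresholds and the sample records are constructed for the demonstration.

```python
import base64
import binascii
import re

# Shape of the trigger described in the report: www.<label>.com (trailing dot optional).
TRIGGER_RE = re.compile(r"^www\.([A-Za-z0-9+/=_-]+)\.com\.?$")


def decodes_as_base64(label: str):
    """Return the decoded bytes if the label is valid Base64 (padding may have been
    stripped to fit a hostname; URL-safe alphabet accepted), else None."""
    padded = label + "=" * (-len(label) % 4)
    try:
        return base64.b64decode(padded, altchars=b"-_", validate=True)
    except (binascii.Error, ValueError):
        return None


def is_suspicious_label(label: str, min_len: int = 16) -> bool:
    """Heuristic with assumed thresholds: ordinary hostnames are short lowercase words,
    while an encoded blob is long, mixes upper and lower case, and decodes as Base64."""
    if len(label) < min_len:
        return False
    if not (any(c.isupper() for c in label) and any(c.islower() for c in label)):
        return False
    return decodes_as_base64(label) is not None


def scan_dns_log(text: str):
    """Constructed log format: '<timestamp> <client-ip> <qname> <qtype>' per line.
    Returns (client, qname) pairs that match the trigger shape."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, client, qname, _qtype = parts[:4]
        m = TRIGGER_RE.match(qname)
        if m and is_suspicious_label(m.group(1)):
            hits.append((client, qname))
    return hits


def scan_icmp(records, max_payload: int = 64):
    """records: (src-ip, icmp-type, payload-length). Flags echo requests (type 8) whose
    payload is larger than a normal ping; 64 is an assumed ceiling (Linux ping sends 56)."""
    return [(src, n) for src, icmp_type, n in records if icmp_type == 8 and n > max_payload]


# Constructed activation-like blob: 24 arbitrary bytes, Base64 with padding stripped.
SAMPLE_BLOB = base64.b64encode(bytes(range(0x80, 0x98))).decode().rstrip("=")

# Constructed sample DNS log and ICMP records (not from the report).
SAMPLE_DNS_LOG = f"""\
2024-05-01T10:00:01Z 10.0.0.5 www.example.com A
2024-05-01T10:00:02Z 10.0.0.5 www.{SAMPLE_BLOB}.com A
2024-05-01T10:00:03Z 10.0.0.7 mail.example.net MX
2024-05-01T10:00:04Z 10.0.0.9 www.longbutordinaryhostname.com A
"""
SAMPLE_ICMP = [("10.0.0.5", 8, 56), ("10.0.0.5", 8, 340), ("10.0.0.7", 0, 56), ("10.0.0.9", 8, 32)]

if __name__ == "__main__":
    print("DNS hits:", scan_dns_log(SAMPLE_DNS_LOG))
    print("ICMP hits:", scan_icmp(SAMPLE_ICMP))
```

Two caveats for deployment: the mixed-case test should be applied to client-facing logs, because some resolvers randomise query-name case on their upstream lookups and would trip it; and because the report notes that wild samples may use different magic values and keys, a detector keyed to the packet shape rather than to any decrypted content is the part that generalises.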
Given MystRodX’s adaptability and low profile, threat hunters must collaborate to share IOCs and develop behavior-based detection that transcends simple signature matching.
As MystRodX continues to evolve, defenders must update detection strategies and leverage C2 hunting insights to unmask the stealthy backdoor before it jeopardizes critical systems and data.