MLTBackdoor: Deconstructing LLVM-Based Obfuscation and Memory Mapping Techniques

Cybersecurity researchers have identified a sophisticated new backdoor family, designated as MLTBackdoor. This malware is currently being deployed through a multi-stage “ClickFix” infection chain, serving as a robust foothold for ransomware operators to conduct lateral movement and data exfiltration.

The attack lifecycle typically begins with an automotive-themed social engineering lure. Once a victim is induced to copy, paste, and execute a malicious command string, the system fetches a compressed archive from a domain produced by a Domain Generation Algorithm (DGA). The archive contains two primary artifacts: endpointdlp.dll and an RC4-encrypted payload named data.bin. To maintain stealth, execution is achieved through DLL sideloading: a legitimate, digitally signed Microsoft Defender executable loads endpointdlp.dll, which decrypts and runs the payload.

Advanced Architectural Design and Modularity

MLTBackdoor is engineered for high resilience. While it natively supports standard filesystem operations—such as download, upload, ls, delete, rename, and mkdir—its most potent feature is a built-in Beacon Object File (BOF) loader.

This capability allows the malware to map MS-COFF objects directly into memory. By resolving a specialized set of Beacon-style imports (e.g., BeaconDataParse and BeaconPrintf), applying necessary relocations, and setting appropriate execution permissions, the operator can push sophisticated post-exploitation modules into memory without the need to drop additional, detectable binaries onto the disk.
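A defender can check whether an object file recovered from memory or disk is shaped like the Beacon Object Files described above by reading its COFF symbol table and looking for unresolved externals that follow the Beacon* API naming. The following is an added example, not code from the article or from Zscaler: it builds a constructed minimal x64 COFF object (one .text section, a "go" entry symbol and a few undefined externals; the `__imp_` prefix and the "go" entry name are the usual BOF conventions, assumed here), parses the symbol and string tables per the PE/COFF layout, and reports Beacon-style imports.

```python
import struct

# Constants from the PE/COFF specification
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_SYM_UNDEFINED = 0          # section number of an unresolved external
IMAGE_SYM_CLASS_EXTERNAL = 2
SYMBOL_SIZE = 18                 # bytes per COFF symbol-table entry


def build_sample_coff() -> bytes:
    """Constructed minimal x64 COFF object shaped like a BOF: one .text
    section, a 'go' entry point and three undefined externals (imports)."""
    names = ["go", "__imp_BeaconDataParse", "__imp_BeaconPrintf", "__imp_memcpy"]
    strtab = bytearray(b"\0\0\0\0")            # 4-byte size field, patched below
    symtab = bytearray()
    for name in names:
        if len(name) <= 8:
            raw = name.encode().ljust(8, b"\0")               # short name stored inline
        else:
            raw = b"\0\0\0\0" + struct.pack("<I", len(strtab))  # long name: offset into string table
            strtab += name.encode() + b"\0"
        section = 1 if name == "go" else IMAGE_SYM_UNDEFINED
        # Name(8) Value(4) SectionNumber(2, signed) Type(2) StorageClass(1) NumAux(1)
        symtab += struct.pack("<8sIhHBB", raw, 0, section, 0x20, IMAGE_SYM_CLASS_EXTERNAL, 0)
    struct.pack_into("<I", strtab, 0, len(strtab))
    text = b"\xC3\xCC\xCC\xCC"                 # placeholder code: ret + padding
    text_off = 20 + 40                          # file header + one section header
    sym_off = text_off + len(text)
    header = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 1, 0, sym_off, len(names), 0, 0)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0, 0, len(text), text_off,
                          0, 0, 0, 0, 0x60000020)   # CODE | EXECUTE | READ
    return header + section + text + bytes(symtab) + bytes(strtab)


def parse_coff_symbols(data: bytes):
    """Return (name, section_number, storage_class) for every symbol."""
    _, _, _, sym_off, nsyms, _, _ = struct.unpack_from("<HHIIIHH", data, 0)
    strtab_off = sym_off + nsyms * SYMBOL_SIZE  # string table follows the symbol table
    strtab_size = struct.unpack_from("<I", data, strtab_off)[0]
    strtab = data[strtab_off:strtab_off + strtab_size]
    symbols, i = [], 0
    while i < nsyms:
        raw, _value, section, _type, sclass, naux = struct.unpack_from(
            "<8sIhHBB", data, sym_off + i * SYMBOL_SIZE)
        if raw[:4] == b"\0\0\0\0":            # long name: dword at +4 is a string-table offset
            off = struct.unpack_from("<I", raw, 4)[0]
            name = strtab[off:strtab.index(b"\0", off)].decode("ascii", "replace")
        else:
            name = raw.rstrip(b"\0").decode("ascii", "replace")
        symbols.append((name, section, sclass))
        i += 1 + naux                          # skip auxiliary records
    return symbols


def find_beacon_imports(data: bytes):
    """Names of unresolved externals that follow the Beacon* API naming."""
    hits = []
    for name, section, sclass in parse_coff_symbols(data):
        if section != IMAGE_SYM_UNDEFINED or sclass != IMAGE_SYM_CLASS_EXTERNAL:
            continue
        bare = name[len("__imp_"):] if name.startswith("__imp_") else name
        if bare.startswith("Beacon"):
            hits.append(bare)
    return hits


def triage_object(data: bytes) -> dict:
    """Summary a hunter can log for each COFF object found in memory."""
    machine = struct.unpack_from("<H", data, 0)[0]
    syms = parse_coff_symbols(data)
    beacon = find_beacon_imports(data)
    return {
        "machine": hex(machine),
        "beacon_imports": beacon,
        "has_go_entry": any(n == "go" and sec > 0 for n, sec, _ in syms),
        "bof_candidate": bool(beacon),
    }


if __name__ == "__main__":
    print(triage_object(build_sample_coff()))
```

Run against a real object, replace `build_sample_coff()` with the file's bytes; the parser only trusts the header offsets, so wrap the call in a try/except when scanning untrusted memory dumps where the header may be truncated.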

Evasion Techniques and Anti-Analysis Countermeasures

The authors of MLTBackdoor have invested heavily in obfuscation to thwart automated sandboxes and manual reverse engineering. According to Zscaler ThreatLabz, approximately 95% of the compiled logic consists of “obfuscation noise.”

Key evasion mechanisms include:

  • LLVM-Based Obfuscation: The use of Mixed Boolean-Arithmetic (MBA) and Control Flow Flattening (CFF) transforms simple logic into dense, non-linear code paths.
  • Dynamic String Construction: To bypass static analysis and string-searching tools, the malware avoids storing plaintext or even traditional encrypted strings. Instead, it constructs strings byte-by-byte on the stack at runtime across flattened state machines.
  • Indirect System Calls: To circumvent EDR monitoring and API hooking, the implant employs “Hell’s Gate” style techniques, building a runtime syscall table from ntdll.dll exports to jump directly to syscall gadgets.
  • API Hashing: Function resolution is performed using the DJB2 hashing algorithm, further masking the malware’s true capabilities from static inspection.
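Two of the techniques above, byte-by-byte stack string construction and DJB2 API hashing, are routinely undone by analysts with small scripts. The following added example is not code from the article or from Zscaler: the first helper reassembles strings from a constructed Intel-syntax disassembly excerpt in which the byte stores are interleaved with flattening noise, and the second precomputes DJB2 hashes over a constructed export list so hash constants pulled from a sample can be mapped back to API names. The DJB2 variant (seed 5381, h*33+c, 32-bit truncation, case-sensitive) is the textbook one and is an assumption; the article does not state which variant the sample uses.

```python
import re

# Matches byte-wise stack stores such as "mov byte ptr [rbp-0x20], 0x6e"
# (Intel syntax as printed by common disassemblers; constructed pattern).
STACK_STORE = re.compile(
    r"mov\s+byte ptr\s+\[(?P<base>r[a-z0-9]+)(?P<sign>[+-])(?P<off>0x[0-9a-fA-F]+)\]"
    r",\s*(?P<val>0x[0-9a-fA-F]+)"
)


def extract_stack_strings(disasm_lines, min_len=4):
    """Reassemble strings written one byte at a time to contiguous stack slots.

    Stores may be interleaved with unrelated instructions (CFF dispatch noise),
    so bytes are collected per (base register, offset) and joined afterwards."""
    slots = {}
    for line in disasm_lines:
        m = STACK_STORE.search(line)
        if not m:
            continue
        off = int(m.group("off"), 16) * (-1 if m.group("sign") == "-" else 1)
        slots[(m.group("base"), off)] = int(m.group("val"), 16)

    found = []
    for base in sorted({b for b, _ in slots}):
        run, prev = bytearray(), None

        def flush():
            if len(run) >= min_len and all(0x20 <= b < 0x7F for b in run):
                found.append(run.decode("ascii"))
            run.clear()

        for off in sorted(o for b, o in slots if b == base):
            if prev is not None and off != prev + 1:
                flush()                       # gap in the slot sequence
            byte = slots[(base, off)]
            if byte == 0:
                flush()                       # NUL terminator
            else:
                run.append(byte)
            prev = off
        flush()
    return found


# Constructed disassembly excerpt: "ntdll.dll" assembled on the stack with
# flattening noise interleaved, followed by a second short string.
SAMPLE_DISASM = [
    "mov byte ptr [rbp-0x20], 0x6e",   # n
    "mov eax, 0x2b3e11f9",             # state-machine dispatch (noise)
    "mov byte ptr [rbp-0x1f], 0x74",   # t
    "mov byte ptr [rbp-0x1e], 0x64",   # d
    "cmp eax, 0x7c1a0d5e",
    "mov byte ptr [rbp-0x1d], 0x6c",   # l
    "mov byte ptr [rbp-0x1c], 0x6c",   # l
    "jmp 0x401f00",
    "mov byte ptr [rbp-0x1b], 0x2e",   # .
    "mov byte ptr [rbp-0x1a], 0x64",   # d
    "mov byte ptr [rbp-0x19], 0x6c",   # l
    "mov byte ptr [rbp-0x18], 0x6c",   # l
    "mov byte ptr [rbp-0x17], 0x00",   # NUL
    "mov byte ptr [rsp+0x10], 0x4d",   # M
    "mov byte ptr [rsp+0x11], 0x4c",   # L
    "mov byte ptr [rsp+0x12], 0x54",   # T
    "mov byte ptr [rsp+0x13], 0x00",
]


def djb2(name: str, seed: int = 5381) -> int:
    """Classic DJB2 (h = h*33 + c) truncated to 32 bits. Seed, width and case
    handling are assumptions to confirm against the sample being analysed."""
    h = seed
    for c in name.encode("ascii"):
        h = ((h << 5) + h + c) & 0xFFFFFFFF
    return h


def build_hash_table(export_names):
    """Precompute hash -> [names] so hashes seen in the binary can be resolved;
    a list is kept per hash so collisions are visible rather than silently lost."""
    table = {}
    for name in export_names:
        table.setdefault(djb2(name), []).append(name)
    return table


def resolve_hashes(hashes, table):
    """Map each hash constant to the export names that produce it (empty if unknown)."""
    return {h: table.get(h, []) for h in hashes}


# Constructed export list; in practice feed every export of the DLLs the sample loads.
SAMPLE_EXPORTS = ["NtAllocateVirtualMemory", "NtProtectVirtualMemory",
                  "NtWriteVirtualMemory", "LoadLibraryA", "GetProcAddress"]

if __name__ == "__main__":
    print(extract_stack_strings(SAMPLE_DISASM, min_len=3))
    table = build_hash_table(SAMPLE_EXPORTS)
    print(resolve_hashes([djb2("NtProtectVirtualMemory"), 0x12345678], table))
```

If the resolver returns no matches for hashes that are clearly used as API selectors, the sample is using a different seed, a wider accumulator, or hashing a case-folded or wide-character name; adjust `djb2` accordingly rather than assuming the constants are something else.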

Figure 1: Illustration of CFF obfuscation within the command-handling function (Source: Zscaler).

The malware also performs extensive environmental fingerprinting. It aggregates various checks—including hypervisor detection, timing loops, debugger presence, and low-resource heuristics—into a bitmask, which is then exfiltrated during the initial check-in to inform the operator of the target’s defensive posture.

Command and Control (C2) Infrastructure

MLTBackdoor utilizes a custom encrypted binary protocol encapsulated within TLS over port 443. To blend into legitimate enterprise traffic, it uses a Microsoft-style User-Agent and communicates via a fixed endpoint: /api/v1/telemetry.

Security of the C2 channel is maintained through an ephemeral Elliptic-Curve Diffie-Hellman (P-256) key exchange, which derives an AES-256-GCM session key. Each framed packet is identified by a specific magic byte sequence: 0x014D4C54 (“MLT”). In the event that primary hardcoded domains are blocked, the malware relies on its deterministic, date-based DGA to re-establish connectivity.

Figure 2: MLTBackdoor ECDH key exchange sequence (Source: Zscaler).

Defensive Recommendations

Defenders should prioritize the following detection strategies:

  • Monitor for anomalous outbound TLS traffic directed toward /api/v1/telemetry.
  • Audit for suspicious process activity involving mpextms.exe or the presence of unauthorized endpointdlp.dll files.
  • Implement hunting queries for the specific DGA patterns and domains identified by ThreatLabz on GitHub.

Indicators of Compromise (IOCs)

SHA256 hash                                                       Description
1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984  Stage one loader
46b2155c1e71b840d4b7a2e94410b89a61e2446523e6f497206d402eb02e0e93  Archive containing stage one loader and encrypted MLTBackdoor
9e52cc90cff150abe21f0a6440e86e0a99ff383b81061b96def8948e21d0ac66  MLTBackdoor (full payload with DGA)
ced6b0f44410f6133ad63b61e04613a8b56cc3338d7b34497540e9541163e7ec  MLTBackdoor DGA component
1d09357b6a096fdc35cd5c873eed15665d6b3c879d20c8cf01e6bca0005512cf  MLTBackdoor DGA component
2cd88d5280a61714836f5f07a16df190911c5b952af2998dbbcda910b3b1c494  MLTBackdoor DGA domains
d34e4038c5c80728f9648ba84833f69bc1ccea82e2e8e748b7b7f02fb687b92b  MLTBackdoor update sideloading archive
