Heimdal
article featured image

Contents:

Mystic Stealer is an information-stealing malware that first emerged on hacking forums on April 2023. The stealer gets more and more popular among cybercriminals as its features evolve.

Details About Mystic Stealer

The malware is rented for $150/month, or $390/ quarter, as announced on forums like WWH-Club, BHF, and XSS. It currently targets 40 web browsers, 70 browser extensions, 21 applications for cryptocurrencies, 9 MFA and password management programs, 55 browser extensions for cryptocurrencies, Steam and Telegram credentials, and others.

Two individual reports on Mystic Stealer, published almost simultaneously by Zscaler and Cyfirma, warn about the emergence of the new malware, its sophistication, and what appears to be a surge in sales that brings many new campaigns online.

Source

The first version of this malware was quickly replaced by version 1.2, in May 2023. Its creators are very active, keeping a Telegram channel (Mystic Stealer News) for conversations about features of the malware, developments, and other topics. Even more, the authors of this Malware-as-a-Service stealer are open to feedback and suggestions from seasoned hackers.

New Stealer Malware on the Rise: Mystic Stealer

Source

Mystic Stealer Features

All Windows versions, from XP to 11, can be impacted by Mystic Stealer, which supports both 32-bit and 64-bit OS architectures. It has a small footprint on infected devices, operating directly in memory with no dependencies. This makes it harder to detect by antivirus software, and its anti-virtualization checks help the malware detect sandboxed environments.

It is not yet clear who the author is, but the exclusion of Commonwealth of Independent States (CIS) countries (formerly the Soviet Union) could be an indicator of its origins.

Zscaler reports that another restriction set by the creator is to prevent the malware from running builds older than a specified date, possibly to minimize the malware’s exposure to security researchers.

Source

The 1.2 version features functionality that enables threat actors to retrieve more payloads from the C2 server. Furthermore, up to four C2 endpoints are configured for resilience and can be encrypted with a customized XTEA-based algorithm by the operator.

All communication with the C2 is encrypted using a custom binary protocol over TCP, while all stolen data is sent directly to the server without first storing it on the disk. This is an unusual approach for info-stealer malware but helps Mystic evade detection.

Source

Mystic Stealer starts by retaining data about OS and hardware, followed by a screenshot. The C2 server will receive all this information, based on which the cybercriminal decides future commands. The malware will proceed to target data stored in web browsers, applications, etc.

New Stealer Malware on the Rise: Mystic Stealer

Source

Among targeted apps are: Google Chrome, Mozilla Firefox, Microsoft Edge, Opera, Vivaldi, Brave-Browser, Binance, Exodus, Bitcoin, Litecoin, Electrum, Authy 2FA, Gauth Authenticator, EOS Authenticator, LastPass: Free Password Manager, Trezor Password Manager, RoboForm Password Manager, Dashlane — Password Manager, NordPass Password Manager & Digital Vault, Browserpass and MYKI Password Manager & Authenticator.

If you liked this article, follow us on LinkedInTwitterFacebook, and YouTube for more cybersecurity news and topics.

Author Profile

Andreea Chebac

Digital Content Creator

Andreea is a digital content creator within Heimdal® with a great belief in the educational power of content.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE