Network Security
Vulnerability Management
Privileged Access Management
Endpoint Security
Threat Hunting
Unified Endpoint Management
Email & Collaboration Security
Contents:
Mystic Stealer is an information-stealing malware that first emerged on hacking forums on April 2023. The stealer gets more and more popular among cybercriminals as its features evolve.
Details About Mystic Stealer
The malware is rented for $150/month, or $390/ quarter, as announced on forums like WWH-Club, BHF, and XSS. It currently targets 40 web browsers, 70 browser extensions, 21 applications for cryptocurrencies, 9 MFA and password management programs, 55 browser extensions for cryptocurrencies, Steam and Telegram credentials, and others.
Two individual reports on Mystic Stealer, published almost simultaneously by Zscaler and Cyfirma, warn about the emergence of the new malware, its sophistication, and what appears to be a surge in sales that brings many new campaigns online.
The first version of this malware was quickly replaced by version 1.2, in May 2023. Its creators are very active, keeping a Telegram channel (Mystic Stealer News) for conversations about features of the malware, developments, and other topics. Even more, the authors of this Malware-as-a-Service stealer are open to feedback and suggestions from seasoned hackers.
Mystic Stealer Features
All Windows versions, from XP to 11, can be impacted by Mystic Stealer, which supports both 32-bit and 64-bit OS architectures. It has a small footprint on infected devices, operating directly in memory with no dependencies. This makes it harder to detect by antivirus software, and its anti-virtualization checks help the malware detect sandboxed environments.
It is not yet clear who the author is, but the exclusion of Commonwealth of Independent States (CIS) countries (formerly the Soviet Union) could be an indicator of its origins.
Zscaler reports that another restriction set by the creator is to prevent the malware from running builds older than a specified date, possibly to minimize the malware’s exposure to security researchers.
The 1.2 version features functionality that enables threat actors to retrieve more payloads from the C2 server. Furthermore, up to four C2 endpoints are configured for resilience and can be encrypted with a customized XTEA-based algorithm by the operator.
All communication with the C2 is encrypted using a custom binary protocol over TCP, while all stolen data is sent directly to the server without first storing it on the disk. This is an unusual approach for info-stealer malware but helps Mystic evade detection.
Mystic Stealer starts by retaining data about OS and hardware, followed by a screenshot. The C2 server will receive all this information, based on which the cybercriminal decides future commands. The malware will proceed to target data stored in web browsers, applications, etc.
Among targeted apps are: Google Chrome, Mozilla Firefox, Microsoft Edge, Opera, Vivaldi, Brave-Browser, Binance, Exodus, Bitcoin, Litecoin, Electrum, Authy 2FA, Gauth Authenticator, EOS Authenticator, LastPass: Free Password Manager, Trezor Password Manager, RoboForm Password Manager, Dashlane — Password Manager, NordPass Password Manager & Digital Vault, Browserpass and MYKI Password Manager & Authenticator.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and YouTube for more cybersecurity news and topics.
