Prepare to be alarmed as the cybersecurity world grapples with the emergence of a formidable threat named Mystic Stealer. This insidious malware, recently discovered by researchers, possesses a nefarious capability that sends shivers down the spines of web users worldwide. With the ability to pilfer sensitive information from a staggering array of approximately 40 web browsers, along with over 70 web browser extensions, Mystic Stealer stands as a potent force in the realm of online security breaches. In this blog post, we delve into the intricate workings of this ominous malware, shedding light on the grave risks it poses to your digital privacy and urging vigilance in the face of this ever-evolving menace.

Mystic Stealer was initially advertised on April 25, 2023, with a monthly price of $150. In addition to targeting web browsers, the malware also focuses on stealing data from cryptocurrency wallets, Steam, and Telegram. To evade detection and analysis, Mystic Stealer employs various sophisticated techniques.

According to the researchers’ analysis published recently, the malware’s code is heavily obfuscated. It utilizes techniques such as polymorphic string obfuscation, hash-based import resolution, and runtime calculation of constants. These mechanisms make it challenging to understand and analyze the code.

Similar to other crimeware solutions available for sale, Mystic Stealer is implemented in the C programming language. The control panel accompanying the malware has been developed using Python.

 

Background:

After its initial release of version 1.0 in late April 2023, Mystic Stealer rapidly progressed to version 1.2 by the end of May. This swift development and the consecutive version updates indicate an active and ongoing effort to enhance and refine the project. The frequent updates suggest that the creators of Mystic Stealer are actively engaged in its development, potentially adding new features or addressing any vulnerabilities or shortcomings in the earlier versions.

 

The seller of the malware, Mystic Stealer, utilized various hacking forums, such as WWH-Club, BHF, and XSS, to advertise and promote their product. Interested individuals were offered the option to rent the malware through a competitive subscription pricing model. The pricing details included a monthly subscription fee of $150 or a quarterly subscription fee of $390. This pricing strategy aimed to attract potential customers by offering flexibility and affordability for those interested in utilizing the malware for their malicious activities.

In addition to its presence on hacking forums, the Mystic Stealer project maintains a Telegram channel called “Mystic Stealer News.” This channel serves as a platform for discussing development updates, feature requests, and other pertinent topics related to the malware.

According to reports, the creator of Mystic Stealer actively seeks feedback from experienced members of the underground hacking community and openly encourages them to share suggestions for enhancing the malware. This collaborative approach allows for continuous improvement and refinement based on input from individuals well-versed in the field.

Despite its early stage of development, Mystic Stealer has been confirmed to be a potent information-stealing tool by experts in the cybersecurity space. This recognition highlights the concerning capabilities of the malware and emphasizes the need for robust security measures to protect against such threats.

 

Mystic stealer Malware Execution:

According to security researchers, users typically encounter the Mystic Stealer malware when downloading illegal content, such as movies with filenames like “Cocaine Bear.vbs,” or video games, from deceptive websites. These websites employ tricks to deceive victims into executing a malicious VBScript on their PCs, triggering the infection process.

Once executed, the VBScript proceeds to initiate PowerShell code, which is capable of terminating all active Chrome windows. It then launches a new session of Chrome, loading an unpacked rogue extension using the “–load-extension” command line argument. This allows the malware to operate within the browser environment and carry out its malicious activities.

Additionally, alongside Mystic Stealer, a newly discovered modular malware trojan called Pikabot has been identified. Pikabot has the capability to execute arbitrary commands and inject payloads that are provided by a command-and-control (C2) server. This modular nature of the trojan enables it to receive instructions and potentially utilize tools like Cobalt Strike for further exploitation and malicious activities.

 

Mystic Stealer Capabilities:

Mystic Stealer is designed to target all versions of Windows, ranging from XP to 11, supporting both 32-bit and 64-bit operating system architectures.

One notable characteristic of Mystic Stealer is its minimal footprint on infected systems since it does not require any external dependencies. This approach allows the malware to operate primarily in memory, reducing the likelihood of detection by antivirus products.

To further evade detection, Mystic Stealer incorporates several anti-virtualization checks. For instance, it inspects CPUID details to ensure that it is not being executed within sandboxed environments commonly used for security analysis and research.

An interesting observation made in the threat reports is that the author of Mystic Stealer has added an exclusion for Commonwealth of Independent States (CIS) countries, which could potentially indicate the origin of the malware.

To limit exposure to security researchers, the creator of Mystic Stealer has implemented a restriction preventing the malware from running on builds older than a specified date. This measure is likely aimed at minimizing analysis and increasing the malware’s lifespan.

Starting from May 20, 2023, an additional loader functionality was added to Mystic Stealer. This enables the malware to fetch additional payloads from its command-and-control (C2) server.

Communication between Mystic Stealer and its C2 server is encrypted using a custom binary protocol over TCP. Notably, all stolen data is sent directly to the server without being stored on the infected system’s disk, which is an unconventional approach for an information-stealing malware. This methodology helps the malware avoid detection and potential data recovery attempts.

For resiliency purposes, the operator of Mystic Stealer can configure up to four C2 endpoints. These endpoints are encrypted using a modified XTEA-based algorithm, ensuring the security and integrity of the communication channel.

 

Malware execution Impact:

Upon initial execution, Mystic Stealer collects information about the operating system and hardware of the infected system. It also takes a screenshot, capturing the current display, and sends this gathered data to the attacker’s command-and-control (C2) server.

Based on the instructions received from the C2 server, Mystic Stealer can target specific data stored in web browsers, applications, and other sources on the compromised system.

 

Affected applications:

The threat report provides a comprehensive list of applications that Mystic Stealer targets. This list includes popular web browsers, password managers, and cryptocurrency wallet apps. Some notable entries in the list are:

• Google Chrome
• Mozilla Firefox
• Microsoft Edge
• Opera
• Vivaldi
• Brave Browser
• Binance (cryptocurrency exchange)
• Exodus (cryptocurrency wallet)
• Bitcoin (cryptocurrency wallet)
• Litecoin (cryptocurrency wallet)
• Electrum (cryptocurrency wallet)
• Authy 2FA (two-factor authentication app)
• Gauth Authenticator (two-factor authentication app)
• EOS Authenticator (EOS blockchain platform authenticator)
• LastPass: Free Password Manager
• Trezor Password Manager (cryptocurrency wallet)
• RoboForm Password Manager
• Dashlane — Password Manager
• NordPass Password Manager & Digital Vault
• Browserpass (browser extension for password management)
• MYKI Password Manager & Authenticator

These are just a few examples of the applications targeted by Mystic Stealer, as mentioned in the report. The malware aims to steal sensitive information stored within these applications, potentially compromising user credentials, financial data, and other valuable information.

 

Remediation:

1. Exercise caution while downloading files: Be cautious when downloading files from the internet, especially from unknown or suspicious sources. Stick to trusted websites and official app stores for downloads, and avoid downloading pirated or illegally obtained content.
2. Enable firewall protection: Activate the built-in firewall on your device to provide an additional layer of security. Firewalls monitor and control incoming and outgoing network traffic, helping to block unauthorized access.
3. Be wary of email attachments and links: Avoid opening email attachments or clicking on links in emails from unknown or suspicious senders. Be cautious even with emails that appear to be from known sources, as they could be spoofed or phishing attempts.
4. Exercise safe browsing habits: Be mindful of the websites you visit and only browse reputable and secure websites. Avoid clicking on suspicious ads or pop-ups. Consider using browser extensions that block malicious content.
5. Use strong and unique passwords: Create strong, complex passwords for your accounts and avoid using the same password across multiple platforms. Consider using a password manager to securely store and generate passwords.
6. Enable two-factor authentication (2FA): Enable 2FA whenever possible for your online accounts. This adds an extra layer of security by requiring a second verification step, typically through a code sent to your mobile device, when logging in.