A newly discovered piece of malicious software known as “Mystic Stealer” has recently surfaced in the cybercrime community. Since April 2023, this information-stealing malware has gained significant attention on hacking forums and darknet markets.
Mystic Stealer is available for rent at a monthly fee and has a wide range of targets to choose from. It is focused on 40 different web browsers, 70 browser extensions, 21 cryptocurrency applications, 9 multi-factor authentication (MFA) and password management applications, 55 cryptocurrency browser extensions, as well as credentials associated with platforms like Steam and Telegram.
The emergence of Mystic Stealer has raised concerns within the cybersecurity community, prompting two simultaneous reports from reputable sources, Zscaler and Cyfirma. These reports highlight the sophistication of the malware and underscore the alarming rise in its sales, leading to the proliferation of new cyber campaigns.
Initially introduced as version 1.0 in late April 2023, Mystic Stealer progressed to version 1.2 by the end of May, showing active and rapid development of the malware project. This frequent versioning suggests a dedicated effort by the creators to enhance and refine the capabilities of Mystic Stealer.
Mystic Stealer exhibits an extensive range of capabilities and techniques that enable it to operate stealthily and avoid detection:
Compatibility and Minimal Footprint: Mystic Stealer is designed to target all versions of Windows, from XP to 11, supporting both 32-bit and 64-bit operating system architectures. Notably, it operates without any external dependencies, resulting in a minimal footprint on infected systems. By operating in memory rather than writing artifacts to disk, it makes detection by antivirus products more difficult.
Anti-Virtualization Measures: The malware employs various anti-virtualization checks to determine whether it is being executed in a sandboxed or virtualized environment. It inspects CPUID details to identify potential sandboxing, thereby enhancing its evasion techniques.
Geographic Exclusion and Date Restrictions: Interestingly, the author of Mystic Stealer has implemented an exclusion mechanism for Commonwealth of Independent States (CIS) countries, which suggests a potential geographical origin for the malware. Additionally, the malware is programmed to prevent execution on builds older than a specified date, to limit exposure to security researchers and outdated security measures.
Loader Functionality and C2 Communication: Starting from May 20, 2023, Mystic Stealer incorporated loader functionality, enabling it to retrieve additional payloads from the command-and-control (C2) server. To ensure secure communication, all interactions with the C2 server employ encryption via a custom binary protocol over TCP. Notably, Mystic Stealer sends stolen data directly to the server without storing it on the compromised system's disk, an uncommon approach for information-stealing malware.
Resilient C2 Endpoints: The operator of Mystic Stealer can configure up to four C2 endpoints, enhancing the malware's resiliency. These endpoints are encrypted using a modified XTEA-based algorithm, providing an additional layer of security to the communication between the malware and the C2 server.
Upon initial execution, Mystic Stealer performs several actions to gather information and establish communication with the attacker's command-and-control (C2) server, including OS and hardware information gathering and screenshot capture. The malware takes a screenshot of the victim's screen, capturing the current display, which is then sent to the C2 server. This allows the attacker to visually assess the compromised system's contents.
Once connected to the C2 server, Mystic Stealer receives instructions on which specific data to target. The Zscaler report provides a comprehensive list of applications that Mystic Stealer aims to compromise, which includes popular web browsers, password managers, and cryptocurrency wallet apps. Some notable entries in the list are mentioned below:
LastPass: Free Password Manager
Trezor Password Manager
RoboForm Password Manager
Dashlane Password Manager
NordPass Password Manager & Digital Vault
MYKI Password Manager & Authenticator
While the future trajectory of Mystic Stealer remains uncertain, it is crucial to recognize the heightened risks associated with such illegal Malware-as-a-Service (MaaS) projects. The recent addition of a loader feature in Mystic Stealer indicates the potential for dropping additional payloads, such as ransomware, onto compromised computers.
It is strongly recommended not to install any kind of software from unknown sources, because doing so poses a greater risk of installing malware.
Ensure you download the latest updates and patches including operating system and other software application updates as they provide critical security features. Abstaining from the use of browser extensions and plugins is also recommended.
Do not click or open any attachments in emails or text messages from unknown senders.
Install reputable anti-malware software from a trusted source such as Kaspersky and run scheduled scans to keep your device malware free.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
Toulas, B. (2023, June 18). New Mystic Stealer malware increasingly used in attacks. Bleeping Computer. Retrieved from: https://www.bleepingcomputer.com/news/security/new-mystic-stealer-malware-increasingly-used-in-attacks/
Brooks, R. (2019, June 12). How to Prevent Malware Attacks: 10 Security Tips. Netwrix. Retrieved from: https://blog.netwrix.com/2020/06/12/malware-prevention/