
Threat Landscape Evolves: Mystic Stealer Malware Surges in Cyberattacks

Cyfirma and Zscaler published two simultaneous reports on a new info-stealer, named Mystic Stealer. Debuting on underground forums in April 2023, it gained attention, underwent testing, and incorporated feedback. Ongoing updates have strengthened Mystic Stealer's presence, evident in the rising number of observed C2 panels.

Why cybercriminals are interested

The malware targets a wide range of applications and platforms.
  • It targets 40 web browsers, 70 browser extensions, 21 cryptocurrency applications, 9 MFA and password management applications, 55 cryptocurrency browser extensions, as well as Steam and Telegram credentials.
  • Notably, the info-stealer can collect auto-fill data, browsing history, arbitrary files, cookies, and information associated with various popular crypto wallets, including Bitcoin, DashCore, and Exodus.

There’s also a Telegram channel run by criminals called "Mystic Stealer News." The project facilitates discussions on development updates, feature requests, and other relevant topics.

Into the technicalities

  • Mystic Stealer is compatible with all Windows versions from XP to 11, supporting both 32-bit and 64-bit operating system architectures. It operates in memory, minimizing its presence on infected systems and evading antivirus detection.
  • To avoid execution in sandboxed environments, the malware conducts anti-virtualization checks, examining CPUID details.
  • Since May 20, Mystic Stealer includes a loader functionality to fetch additional payloads from the C2 server such as ransomware strains.
  • Communication with the C2 is encrypted using a custom binary protocol over TCP, while stolen data is directly sent to the server without being stored on the disk—a unique approach for an info-stealer malware—aiding in evasion.

The bottom line

The future of Mystic Stealer remains uncertain, given the precarious nature of illicit Malware-as-a-Service (MaaS) projects. However, its emergence poses heightened risks for individuals and organizations. Therefore, it is crucial to exercise extreme caution when downloading software from the internet, and to implement threat intel sharing and regular monitoring.
Cyware Publisher
