Rewterz Threat Alert – An Emerging Threat: Growing Utilization of Mystic Stealer Malware – Active IOCs

Severity

High

Analysis Summary

In April 2023, a new information-stealing malware called ‘Mystic Stealer’ began circulating on hacking forums and darknet markets, quickly gaining popularity within the cybercrime community. This malware, which is available for rent at a price of $150 per month, is designed to target a wide range of sensitive data from various sources.

Mystic Stealer is a versatile malware that can infiltrate 40 different web browsers, 70 browser extensions, 21 cryptocurrency applications, 9 multi-factor authentication (MFA) and password management applications, 55 cryptocurrency browser extensions, and is even capable of stealing credentials for platforms like Steam and Telegram. This extensive list of targets makes it a potent threat to both individuals and organizations.

The malware was initially introduced as version 1.0 in late April 2023, but it quickly evolved to version 1.2 by the end of May. This indicates active development and refinement of the malware, making it a concerning threat for the foreseeable future.

The creator of Mystic Stealer advertised the malware on several hacking forums, offering it for rent at a competitive subscription price. Interested individuals could rent it for $150 per month or $390 per quarter. Additionally, the project maintains a Telegram channel called “Mystic Stealer News” where they discuss development updates, feature requests, and other relevant topics.

One notable aspect of Mystic Stealer is that its creator actively seeks feedback from established members of the underground hacking community to improve the malware’s capabilities. Veteran hackers have confirmed that, despite its early development status, Mystic Stealer is a highly effective information-stealing tool.

Mystic Stealer is designed to be compatible with all Windows versions from XP to 11, supporting both 32-bit and 64-bit operating system architectures. It operates without external dependencies, minimizing its footprint on infected systems. The malware resides in system memory, making it harder to detect by antivirus software.

To further avoid detection, Mystic Stealer performs anti-virtualization checks, examining details like CPUID to ensure it is not running in sandboxed environments. Notably, the malware excludes Commonwealth of Independent States (CIS) countries, suggesting a possible connection to this region.

Starting from May 20, 2023, the malware’s author added a loader functionality that allows Mystic Stealer to fetch additional payloads from a command and control (C2) server. All communication with the C2 server is encrypted using a custom binary protocol over TCP, and stolen data is sent directly to the server without being stored on the infected system, a technique aimed at evading detection.

The operator can configure up to four C2 endpoints to ensure resilience, and these endpoints use a modified XTEA-based algorithm for encryption. Upon the initial execution, Mystic Stealer collects information about the operating system and hardware, taking a screenshot and sending this data to the attacker’s C2 server. Depending on the instructions received, the malware then proceeds to target specific data in web browsers, applications, and other sources.

The malware has an extensive list of targeted applications, including popular web browsers like Google Chrome, Mozilla Firefox, Microsoft Edge, and more. It also targets various password managers and cryptocurrency wallet apps, making it a significant threat to the security of sensitive information.

Impact

• Sensitive Information Theft
• Credential Theft
• Financial Loss

Indicators of Compromise

MD5

• 9b6ab86dc6b199fc8edf7edf7ae1ddcf
• 311c99a289d0b5aa94b689f6aaf36ca9
• 866b4c6741a9bb480a55d66b361cf110
• 63e139e6777408781e81a119d8162f1f
• c56550c10d43c1e38e41c9c181faf4e5
• 094bcab45794a04974fa3cdbe91276ef

SHA-256

• 7ba1add9e5853f276d5cdd4d3efe6565e025ed43eef8a2dcb2dabe96a6de1ee4
• c01fb5489d9407a2fc9543a44a74d537c84d4bac089442d22dc30bd51857854a
• 6cd9c325b168fb0f426f991ab588933350405197a59885b78ec97bf19f57ca9c
• d3fe6a59c1a3513c32f9f4a9213f0238f83c5d051e306b17dfef2d840d314b6a
• 479265241fadd4a8a8dbce343aaa0580a58727bf995fc75f567232094dc8a562
• eb4413d334e40798e4cf66f1c382a55d5ae18b910834fa27ec55568f11220c14

SHA-1

• 90dbe3d7729d3c555bba9d52658a5fe1a538e9f4
• 46cf24e0b8c70a378ae758b676b2f2fdca262505
• ab3921e6a875fb72983d554027ad925be045998e
• 0d5906860a90d6f2bd74c83cdc3441fb6127c658
• 4a1eb7d9323e20feaf72f0890abe010a5b6d36c4
• 7b5ff7515deeb4f9f8f8e0825995e010416d0239

Remediation

• Block all threat indicators at your respective controls. Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Ensure all operating systems and software are up to date with the latest security patches.
• Employ reliable antivirus and antimalware software to detect and block known threats. Regularly update these tools to maintain the latest threat intelligence.
• Implement IDPS to detect and prevent unusual network activity or system behavior associated with Mystic Stealer or similar threats.
• Enable two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
• Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
• Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
• Use email filtering solutions to block malicious attachments and links that may deliver the malware to users via phishing emails.
• Segment your network to limit lateral movement for attackers
• Employ application whitelisting to only allow approved software to run on systems, reducing the risk of unauthorized applications, like Mystic Stealer, being executed.
• Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to quickly respond to and mitigate any potential breaches.
• Make sure all of your software, including your operating system and applications, are up-to-date with the latest security patches. This can help prevent vulnerabilities that could be exploited by info-stealers and other types of malware.