Rewterz Threat Alert – Mystic Stealer Malware – Active IOCs

Severity

Medium

Analysis Summary

A new information-stealing malware called Mystic Stealer emerged in April 2023, gaining popularity in cybercrime circles. It targets various web browsers, browser extensions, cryptocurrency apps, multi-factor authentication (MFA) tools, and more. The malware is rented for $150/month and has quickly evolved from version 1.0 to 1.2 by late May 2023. It is advertised on hacking forums and operates a Telegram channel for updates.

Mystic Stealer is effective on Windows XP to 11, operates in memory to avoid detection, and performs anti-virtualization checks. It excludes Commonwealth of Independent States (CIS) countries and avoids running on older builds, possibly to evade security researchers. It fetches payloads from a command-and-control (C2) server, encrypting communications and sending stolen data directly to the server.

The malware gathers system information, takes screenshots, and targets specific data in browsers and applications. Notable targets include popular browsers, password managers, and cryptocurrency wallets. Mystic Stealer’s future is uncertain, but its appearance raises concerns about elevated risks for users and organizations. The addition of a loader could enable operators to drop ransomware, emphasizing caution when downloading software from the internet.

Impact

• Sensitive Information Theft
• Credential Theft

Indicators of Compromise

MD5

• b3bf121408333b33a341d719b507d33d
• b8ebcfc0445e723f536389bfbbe976ac
• f6e2997bda4c1619b1025d496a2a1c7b

SHA-256

• cba3ff53c4db0c051f35467eeeeff02101ed254e77bf7c52d06ae56f076e4c85
• 386cd47f4060dc5fb5186c8257f778653e2ce2c9b42edcc44f0b5d27953b3d0a
• ce8c9483ccfee44272881aa17481ac3928048ab93e9de22e60e339c4c348efd0

SHA-1

• 4f46d893542e0057ab3974dbb78aaf3740e9289c
• 3b3f2e64ba08f66304dbde440e74ba83795f3a17
• c686e1924e17643a9cacd279b887fb89a22ad69c

Remediation

• Block all threat indicators at your respective controls. Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Enable two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
• Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
• Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
• Make sure all of your software, including your operating system and applications, are up-to-date with the latest security patches. This can help prevent vulnerabilities that could be exploited by info-stealers and other types of malware.
• Promptly apply security patches and updates for operating systems, software applications, and browsers. This helps to address vulnerabilities that threat actors may exploit to deliver malware.
• Utilize web filtering solutions and URL reputation services to block access to known malicious websites and prevent users from visiting potentially dangerous links, such as those used in Ducktail infostealer campaigns.
• Implement network segmentation to restrict access and isolate critical systems, such as those hosting sensitive financial information or Facebook Business accounts. This prevents lateral movement of malware and limits the impact of a potential compromise.
• Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to quickly respond to and mitigate any potential breaches.
• Maintain regular backups of critical data, including Facebook Business account information, and ensure they are stored securely offline. This enables quick recovery in case of a successful attack or data loss.