Mystic Stealer Targets Huge Range of Browsers, Extensions


A recently discovered malware named Mystic Stealer has been identified as a data-stealing threat capable of targeting a wide range of web browsers and browser extensions, totaling around 40 and 70, respectively.

Initially promoted on April 25, 2023, with a monthly cost of $150, the malware goes beyond browser data and also targets cryptocurrency wallets, Steam accounts, and Telegram. Mystic Stealer also employs sophisticated measures to resist analysis.

In a recent analysis conducted by researchers from InQuest and Zscaler, it was revealed that the malware's code is heavily obfuscated, utilizing techniques such as polymorphic string obfuscation, hash-based import resolution, and runtime calculation of constants. This complexity adds an extra layer of difficulty for researchers trying to understand its inner workings.

Mystic Stealer, like other crimeware solutions available for purchase, is implemented using the C programming language. The control panel accompanying the malware is developed in Python and provides buyers with access to data logs and configuration settings.

Updates made to Mystic Stealer in May 2023 introduced a loader component, enabling the retrieval and execution of subsequent payloads from a command-and-control (C2) server. This addition significantly increases the threat posed by the malware.

Mystic's Mode of Operation

Communication with the C2 servers is accomplished using a custom binary protocol over TCP. Researchers have discovered the existence of approximately 50 operational C2 servers to date. Additionally, the control panel serves as the interface for buyers, allowing them to interact with the stolen data and adjust various settings.

Cybersecurity firm Cyfirma conducted a concurrent analysis of Mystic Stealer and reported that the malware's developer actively seeks suggestions for further improvements via a dedicated Telegram channel. This indicates a deliberate effort to engage with the cybercriminal community and stay up-to-date with the latest trends.

The researchers concluded that the developer of Mystic Stealer aims to create a data-stealing tool that aligns with current malware trends, with a particular focus on evading analysis and defense mechanisms.

Information-stealing malware has emerged as a valuable commodity in the underground economy, which has increased its popularity. These stealers often serve as a foundation for other cybercriminals, enabling them to launch financially motivated campaigns involving ransomware and data extortion.

Off-the-shelf stealers are not only becoming more affordable for a wider audience; they are also evolving with advanced techniques to remain undetected and avoid scrutiny.

June 21, 2023