BleepingComputer | New Mystic Stealer malware increasingly used in attacks

Originally posted on BleepingComputer here

Written by Bill Toulas

A new information-stealing malware named ‘Mystic Stealer,’ has been promoted on hacking forums and darknet markets since April 2023, quickly gaining traction in the cybercrime community.

The malware, rented for $150/month, targets 40 web browsers, 70 browser extensions, 21 cryptocurrency applications, 9 MFA and password management applications, 55 cryptocurrency browser extensions, Steam and Telegram credentials, and more.

Reports on Mystic Stealer, published almost simultaneously in a joint report between InQuest and Zscaler and a separate report by Cyfirma, warn about the emergence of the new malware, its sophistication, and what appears to be a surge in sales that brings many new campaigns online.

Mystic Stealer’s rise

Mystic Stealer debuted version 1.0 in late April 2023 but quickly ramped up to version 1.2 towards the end of May, indicating an active development for the project.

Release timeline
Release timeline (Cyfirma)

The seller advertised the new malware on multiple hacking forums, including the WWH-Club, BHF, and XSS, renting it to interested individuals for the competitive subscription price of $150 per month or $390 per quarter.

Mystic Stealer promoted on hacking forums
Mystic Stealer promoted on hacker forum (Zscaler/InQuest)

The project also operates a Telegram channel (Mystic Stealer News) where development news, feature requests, and other relevant topics are discussed.

It is reported that the creator of the new malware accepts feedback from established members of the underground hacking community and openly invites them to share suggestions for improving Mystic.

Cyfirma reports that veterans in the space have verified the malware’s effectiveness and confirmed that despite its early development status, it is a potent info-stealer.

User feedback on forums
User feedback on forum(Cyfirma)

Technical details

Mystic Stealer can target all Windows versions, including XP to 11, supporting 32 and 64-bit OS architectures.

The malware does not need any dependencies, so its footprint on infected systems is minimal, while it operates in memory to avoid detection from anti-virus products.

Moreover, Mystic performs several anti-virtualization checks, like inspecting the CPUID details to ensure it is not executed in sandboxed environments.

Mystic’s author has added an exclusion for Commonwealth of Independent States (CIS) countries (formerly the Soviet Union), which could indicate the new malware’s origin.

The Zscaler/InQuest report says that another restriction set by the creator is to prevent the malware from running builds older than a specified date, possibly to minimize the malware’s exposure to security researchers.

Starting May 20, 2023, the malware’s author added a loader functionality allowing Mystic to fetch additional payloads from the C2 server.

All communication with the C2 is encrypted using a custom binary protocol over TCP, while all stolen data is sent directly to the server without first storing it on the disk.

This is an unusual approach for info-stealer malware but helps Mystic evade detection.

The operator can configure up to four C2 endpoints for resiliency, which are encrypted using a modified XTEA-based algorithm.

Builder page on Mystic's panel
Builder page on Mystic’s panel (Zscaler/InQuest)

Stealing capabilities

Upon first execution, Mystic gathers OS and hardware information and snaps a screenshot, sending the data to the attacker’s C2 server.

Depending on the instructions it receives, the malware will target more specific data stored in web browsers, applications, etc.

Zscaler and Inquest’s report gives the complete list of targeted apps, which includes popular web browsers, password managers, and cryptocurrency wallet apps.

Notable entries in the list include: 

  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge
  • Opera
  • Vivaldi
  • Brave-Browser
  • Binance
  • Exodus
  • Bitcoin
  • Litecoin
  • Electrum
  • Authy 2FA
  • Gauth Authenticator
  • EOS Authenticator
  • LastPass: Free Password Manager
  • Trezor Password Manager
  • RoboForm Password Manager
  • Dashlane — Password Manager
  • NordPass Password Manager & Digital Vault
  • Browserpass
  • MYKI Password Manager & Authenticator

Although the future of Mystic Stealer is still in debate, considering the volatile nature of illegal MaaS projects, its emergence signals elevated risk for users and organizations.

The recent addition of a loader could help Mystic operators drop payloads such as ransomware onto compromised computers, so extreme caution is advised when downloading software from the internet.