Mystic Stealer Malware

Executive Summary

Mystic Stealer is an information-stealing malware first advertised in April 2023. It is designed to pilfer credentials from nearly 40 web browsers and more than 70 browser extensions, and it also targets cryptocurrency wallets, Steam, and Telegram accounts. The malware uses several evasion techniques to hinder detection and analysis, including polymorphic string obfuscation, hash-based import resolution, and command and control (C2) communication over a custom binary protocol encrypted with RC4.

Technical Overview

Mystic Stealer operates by collecting a wide array of information from infected systems: the system hostname, user names, GUIDs, a probable geolocation derived from the locale and keyboard layout, browsing history, autofill data, cookies, and cryptocurrency wallet data. Unusually for a stealer, it does not bundle third-party libraries to decrypt or decode the stolen credentials on the victim machine; instead, it sends the raw collected data to its C2 server, where the parsing takes place.

The client-side malware is implemented in C and the control panel in Python, indicating a deliberate, well-resourced approach to its development and deployment. It can also capture screenshots and, depending on the configuration supplied by its C2 server, download and execute additional payloads.

Indicators of Compromise (IoCs)

While the specific IoCs associated with Mystic Stealer, such as IP addresses and domain names, change constantly, the malware has been active since its first appearance in July 2023, with activity still observed as of January 2024.

Mitigation and Defense Strategies

Defensive measures against Mystic Stealer include:

  • Regular updates to antivirus and endpoint detection and response (EDR) tools to detect and mitigate the threat posed by Mystic Stealer.
  • Employing network monitoring solutions to detect anomalous activities indicative of Mystic Stealer's communication with its C2 servers.
  • Training staff to recognize phishing attempts, a common vector for Mystic Stealer infections.
  • Utilizing application whitelisting to prevent the execution of unauthorized applications.
  • Implementing strict access controls and segmenting networks to limit the spread and impact of infections.
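As an added illustration of the network-monitoring item above (example code written for this summary, not taken from the page or from any of the vendors it draws on), the following Python scanner flags proxy-log requests that hit the /loghub/master URI path seen on Mystic Stealer C2 servers or that go to a defender-supplied C2 address set. The key=value log format and the addresses in the set are constructed placeholders; a defender would fill the set from a current indicator feed.

```python
"""Flag proxy-log requests matching Mystic Stealer C2 indicators."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed placeholder set (RFC 5737 documentation range), not real
# indicators: replace with addresses from a current threat-intel feed.
C2_IPS = {"192.0.2.10", "192.0.2.20"}
# URI path observed on Mystic Stealer C2 hosts.
C2_PATHS = {"/loghub/master"}

# Constructed log format: ts src=<ip> dst=<ip> method=<m> url=<u> status=<n>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) method=(?P<method>\S+) "
    r"url=(?P<url>\S+) status=(?P<status>\d+)$"
)


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Return the reasons a record looks like Mystic Stealer C2 traffic."""
    reasons = []
    parts = urlsplit(rec["url"])
    if parts.path.rstrip("/") in C2_PATHS:
        reasons.append("path:" + parts.path)
    # Check both the proxy's destination field and the URL host (which may
    # differ when the request was sent to an IP literal behind a hostname).
    for candidate in (rec["dst"], parts.hostname or ""):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue
        if str(ip) in C2_IPS:
            reasons.append("ip:" + str(ip))
            break
    return reasons


def scan(lines):
    """Return (ts, src, url, reasons) for every line that matches an indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and (reasons := classify(rec)):
            hits.append((rec["ts"], rec["src"], rec["url"], reasons))
    return hits


# Constructed sample log: two C2 beacons, one benign request, one IP-only hit,
# and one malformed line the parser must skip.
SAMPLE_LOG = [
    "2024-01-15T10:22:03Z src=10.0.0.5 dst=192.0.2.10 method=POST url=http://192.0.2.10/loghub/master status=200",
    "2024-01-15T10:22:09Z src=10.0.0.7 dst=198.51.100.4 method=GET url=https://example.com/index.html status=200",
    "2024-01-15T10:23:41Z src=10.0.0.9 dst=203.0.113.8 method=POST url=http://203.0.113.8/loghub/master status=200",
    "2024-01-15T10:24:00Z src=10.0.0.5 dst=192.0.2.20 method=GET url=http://192.0.2.20/update status=404",
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Path matching catches a C2 host that is not yet in the address set, which is the case the "constantly evolving" IoC caveat above warns about.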

Conclusion

Mystic Stealer represents a significant threat to individual and organizational security because of its broad data theft capabilities and its evasion techniques. Organizations are advised to adopt a multi-layered security approach against such threats and to stay current with the latest threat reporting and IoCs.