Mystic Stealer – Evolving “stealth” Malware

EXECUTIVE SUMMARY

Information stealers pose an ongoing and dynamic threat to the security of both individuals and organizations. CYFIRMA’s Research team recently discovered an information stealer called “Mystic Stealer” being promoted in an underground forum, with the threat actor utilizing a Telegram channel for their operations. This threat actor continuously enhances the malware, incorporating new features to enhance its effectiveness and expand its user base. Our open-source intelligence (OSINT) investigation revealed the existence of over 50 active command and control (C2) servers, indicating the growing prevalence of this threat. Given the consistent demand for potent information stealers, “Mystic Stealer” emerges as a potential contender in this domain. This report provides comprehensive insights into Mystic Stealer’s capabilities and presents our OSINT findings.

INTRODUCTION

In late April 2023, Mystic Stealer made its debut in prominent underground forums, attracting attention with its advertised features, capabilities, and pricing. Over the subsequent weeks, the stealer was made available for testing to well-known veterans within the forum, who verified its effectiveness and provided valuable feedback for further enhancements. The threat actors diligently incorporated these recommendations into the stealer, resulting in ongoing updates and improvements. Consequently, Mystic Stealer has begun to establish a stronger foothold in the threat landscape, as evidenced by the rising number of command and control (C2) panels observed in the wild.

KEY OBSERVATIONS

• The threat actor demonstrates an understanding of the significance of receiving validation from established members within the underground forum regarding the product. Furthermore, the author of the product openly invites suggestions for additional improvements in the stealer, as is evident in the updated releases, which signifies an ongoing effort to enhance the product.
• The assessment of AV check (Fig 10) results, indicate a relatively low detection rate, potentially attributed to the builder’s capability to alter the source code, thereby evading detection.
• Our investigation based on open-source intelligence (OSINT) has uncovered the existence of more than 50 actively operational command and control (C2) servers. This finding underscores the increasing prevalence of Mystic Stealer in the cyber threat landscape.
• The Stealer’s subscription is available for USD 150 per month, while a three- month subscription costs USD 390. Additionally, the threat actor intends to raise the prices in response to the increasing popularity of the stealer.

KEY FEATURES OF MYSTIC STEALER AND BUILDER

STEALER

• The server is written in Python, while the client is written in C.
• Mystic Stealer exhibits a low detection rate based on AV check (Fig 10) results, employing code manipulation techniques to evade detection by most antivirus products.
• The malware is purported to target all Windows versions from XP to Windows 11, supporting both x86 and x64 architectures.
• It operates in memory to avoid detection and utilizes system calls for compromising targets, ensuring no trace is left on the hard disk during the data exfiltration process. Once target data is identified, the malware compresses, encrypts, and transmits it. Client authentication is not required; data is transmitted as it is received.
• The malware is developed without reliance on third-party libraries and incorporates a self-written browser database parser for enhanced functionality.
• The use of malware within CIS countries is strictly prohibited and constrained by software functionality.

BUILDER

• The buyer is granted full and exclusive control over the Command and Control (C&C) panel, which is installed on their own server. The threat actor provides assistance during the installation process. Notably, the C&C panel is exclusively compatible with LINUX servers. This setup allows the buyer to store logs (Fig 5,6) locally, ensuring security and data control.
• Minimum server requirements specification:
  • 8 Cores
  • 8 RAM
  • UBUNTU 22.04 / 23.04 DEBIAN 10 / 11.
• The C&C panel can be accessed from any computer, using the IP address and port details of the installed server.
• The builder facilitates easy creation of either .exe or DLL files, enabling effortless propagation, depending on the desired infection chain. The resulting builds are lightweight, typically ranging from 200 to 250 KB in size.
• The malware builder includes a feature that allows the buyer to grant team members permission to access the panel and view results, while restricting their ability to download logs (Fig 6, 7).
• Loader with the function of adding to autoload for ease of use.
• The simple and visually appealing C&C panel has received positive feedback from veterans in the underground forum as it facilitates the effortless creation of malware through preconfigured build options.

COLLECTION CAPABILITY (FIG 8)

• Passwords, cookies, autofill, credit cards, and history from popular browsers, based on Chromium and Mozilla
• Cryptocurrency wallet extension – Over 70 extensions
• Outlook password collection
• Files according to user settings
• System Information
• Screenshot

EVOLUTION TIMELINE

RECEPTION ON THE UNDERGROUND MARKET

Well-known veterans in different underground forums have acknowledged the asserted proficiency of the stealer, offering constructive feedback to enhance its performance, resulting in regular updates, aimed at refining the product. Additionally, they have emphasized the threat actor’s friendly and accommodating behavior during the assessment of the builder and malware. Such commendations instill confidence in prospective buyers seeking a reliable stealer malware solution for their operational needs.

We also observed the threat actor using this positive feedback to gather attention and popularize the stealer in underground forums.

C&C PANEL VIEW

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW:

Impact Assessment

Mystic Stealer, a sophisticated and evolving malware, presents significant risks and potential impacts from the perspective of external threat landscape management. Impact includes data breaches, financial losses, operational disruptions, regulatory compliance challenges, and reputational damage. These sophisticated malware strains covertly infiltrate systems, extracting sensitive information and compromising personal identifiable data, financial records, and intellectual property. The consequences of such breaches include financial liabilities, loss of customer trust, reputational harm, and potential legal repercussions.

Victimology

Companies that handle sensitive data, such as personally identifiable information (PII), financial records, or intellectual property, are attractive targets for Mystic Stealer. Industries such as healthcare, finance, and technology may be specifically targeted due to the potential value of the data they possess. Along with that, Mystic Stealer specifically targets individuals involved in cryptocurrency transactions. This includes users of cryptocurrency wallets, traders, and those engaged in mining activities. The malware aims to steal cryptocurrency wallets, private keys, or login credentials to gain unauthorized access to these assets.

CONCLUSION

Mystic is an efficient stealer which continuously improves its capability in a short period of time, based on users’ upgrade needs, and provides complete control over data. It is equipped with an individually configurable panel, which is installed on the server, along with a powerful morpher that allows flexible morphing of sources. Additionally, it includes a convenient loader, featuring an autoload function. Mystic is capable of extracting data from browsers that are built on Chromium and Mozilla platforms. Furthermore, it can process information from more than 70 cryptocurrency extensions and Outlook. It is emphasized that all logs are securely stored and decrypted on the server to maximize security and transparency. These capabilities of Mystic Stealer and good reviews by veterans in the underground forum increase its presence in the threat landscape, posing a significant threat to organizations and individuals.

MITIGATION STRATEGIES/RECOMMENDATIONS

To effectively manage the impact of Mystic Stealer and similar threats, organizations should focus on proactive measures:

• Robust Security Measures: Implementing a layered defense strategy with advanced threat prevention technologies, up-to-date antivirus software, firewalls, intrusion detection systems, and regular security patching can significantly reduce the risk of Mystic Stealer infiltration.
• Threat Intelligence and Monitoring: Continuous monitoring of threat intelligence sources, sharing information within security communities, and leveraging threat intelligence feeds can help organizations stay updated on the latest indicators of compromise associated with Mystic Stealer. This allows for early detection, response, and mitigation efforts.
• Employee Awareness and Training: Educating employees on security best practices, recognizing phishing attempts, and maintaining a culture of security awareness are crucial. Regular training programs and simulated phishing exercises can empower employees to identify and report potential threats, reducing the likelihood of successful Mystic Stealer infections.
• Incident Response and Recovery Planning: Developing a robust incident response plan that includes communication protocols, forensics investigation processes, and backup and recovery strategies is essential. Being well- prepared can help minimize the impact of a Mystic Stealer attack.

Mystic Stealer poses substantial risks and potential impacts from the perspective of external threat landscape management. By implementing a proactive approach to security, maintaining strong defenses, fostering employee awareness, and having effective incident response plans in place, organizations can minimize the impact of Mystic Stealer and enhance their resilience to emerging threats.

APPENDIX I

Indicators of Compromise