A stealthy stealer that can lift credentials from scores of Web browsers and extensions, and steal cryptocurrency, has quickly become a favorite of cybercriminals since it first appeared on underground marketplaces in April.
The Mystic Stealer has established a strong foothold in the threat landscape in only its first several months of existence, thanks to a combination of advanced capabilities, pricing, and the crowdsourcing of recommendations that has led to ongoing updates and improvements. That’s according to two simultaneously released reports, one by Cyfirma and the other a collaboration between InQuest and Zscaler.
The stealer — which typically goes for a subscription fee of $150 per month, or $390 for a three-month subscription — has data-theft capabilities similar to those of other malware of this type, paired with obfuscation techniques that make it, by design, capable of advanced evasion, the researchers said.
“It seems clear that the developer of Mystic Stealer is looking to produce a stealer on par with the current trends of the malware space while attempting to focus on anti-analysis and defense evasion,” Zscaler researchers wrote in their post.
Mystic Stealer can steal a wide array of information, ranging from computer data such as the system hostname, username, and GUID, to credentials from nearly 40 Web browsers and more than 70 browser extensions, they said. Additionally, it targets Bitcoin, DashCore, Exodus, and other popular cryptocurrencies, and can steal Telegram and Steam credentials.
So far, the regions where researchers have found the most instances of attackers wielding Mystic Stealer are the US, Germany, Finland, France, and Russia, in that order.
Commitment to Evasion & Malware Improvement
Unique to Mystic Stealer compared with similar forms of malware is its inventors’ vested interest in making it difficult to detect or analyze, as well as a commitment to continuously advancing its capabilities by appealing to its user base for feedback, the researchers said.
In terms of evasion, Mystic Stealer’s code is heavily obfuscated, with its creators using polymorphic string obfuscation, hash-based import resolution, and runtime calculation of constants, as well as a custom binary protocol that is encrypted with RC4, according to InQuest and Zscaler.
But perhaps the key reason the malware has caught on so fast — with the researchers already discovering more than 50 actively operational command-and-control (C2) servers in only about two months — is that its creators did something unusual soon after its release: they made the stealer available for testing to underground forum veterans to verify its effectiveness and make suggestions for enhancement, which were incorporated into new versions of the stealer, Cyfirma researchers noted.
“The threat actor demonstrates an understanding of the significance of receiving validation from established members within the underground forum regarding the product,” Cyfirma researchers wrote in their post. “Furthermore, the author of the product openly invites suggestions for additional improvements in the stealer, as is evident in the updated releases, which signifies an ongoing effort to enhance the product.”
Mystic Stealer De-Mystified: Technical Details
On the technical side of things, Mystic Stealer is implemented in C for the client and Python for the control panel and is purported to target all Windows versions from XP to Windows 11, with support for both x86 and x64 architectures, according to Cyfirma.
It can evade detection by most AV products, operating in memory and using system calls for compromising targets, the researchers said. This ensures that no trace is left on the hard disk during the data exfiltration process.
“Once target data is identified, the malware compresses, encrypts, and transmits it,” the Cyfirma researchers wrote. “Client authentication is not required; data is transmitted as it is received.”
Moreover, its developers created the malware without relying on third-party libraries for decrypting or decoding target credentials, both reports noted, which is unusual for stealer malware.
“Some leading stealer projects download DLL files post-install to implement functionality to extract credentials from files on the local system,” the InQuest and Zscaler researchers wrote.
Instead of doing this, Mystic Stealer collects and exfiltrates information from an infected system and sends the raw data to the C2 server, which handles the parsing, they said.
“This is a different approach from many leading stealers and is likely an alternate design to keep the size of the stealer binary smaller and the intention less clear to file analyzers,” the researchers wrote.
Defending Against Infostealers
With the quick spread of the particularly evasive Mystic Stealer — and the prevalence of stealer malware in general — the Cyfirma team recommends that organizations implement robust security measures to avoid compromise in the event of an attack, the researchers said.
“Mystic Stealer poses substantial risks and potential impacts from the perspective of external threat landscape management,” they wrote.
This should include a best-practices layered defense strategy that combines threat-prevention technologies, up-to-date antivirus software, firewalls, intrusion detection systems, and regular security patching, which together can significantly reduce the risk of Mystic Stealer infiltration, the researchers said.
Organizations should also continuously monitor threat-intelligence sources, share threat information within security communities, and leverage threat-intelligence feeds so they can stay updated on the latest indicators of compromise associated with Mystic Stealer, the researchers said. “This allows for early detection, response, and mitigation efforts,” they wrote.
Educating employees on security best practices and on how to recognize phishing attempts — which may be used to spread the stealer — and maintaining an overall culture of security awareness are also crucial to helping organizations avoid compromise, the researchers said.
Finally, every organization should have a strong incident-response plan in case of attack that includes communication protocols, forensics investigation processes, and backup and recovery strategies, they added.