Mystic Stealer, an information stealer, can steal data from nearly 40 browsers and can evade detection with its enhanced coding.
The code is obfuscated using polymorphic string obfuscation and hash-based import resolution. This malware specifically targets cryptocurrency wallets along with various other applications and files, aiming to gain unauthorized access to sensitive information.
Mystic Stealer collects credentials and data from platforms like Telegram and Steam, enabling hackers and scammers to carry out cyber espionage activities. In addition, Mystic Stealer has the capability to pilfer various device-related information such as hostname, username, GUID, and even geolocation by exploiting keyboard layouts.
Data pilfered by Mystic Stealer
The keyboard layout is accessed by the malware to be sent to the hackers. It reads the CPU data and the number of CPU processors.
Furthermore, it accesses the screen dimensions and the processes running on the machine. It also sends the operating system version and the system architecture to the command and control (C2) server.
Browser data
- Autofill data
- History
- Arbitrary files
- Cookies
Cryptocurrency data from wallets
- Bitcoin
- DashCore
- Exodus
Mystic stealer differs from other stealers as it does not depend on third-party libraries for decrypting credentials. As opposed to other stealers that show DLL files after installation to extract credentials, the Mystic stealer steals data and sends it to the command and control server that does the parsing of it, a Zscaler blog read.
This may be because the developers of the malware desired to minimize the size of the malware binary. The malware gets implemented in C for the client and uses Python for its control panel.
The malware that has been advertised on the dark web since April, had a new update that the developers of the Mystic stealer advertised on their webpage as shown below –
(Photo: Zscaler)
The advertised features included loader functionalities and a persistence capability to stay on a device for longer.
Termination of the binary after expiration
Mystic stealer will terminate its execution if the running build is older than the developers have marked. This was likely a tactic to evade detection from anti-malware researchers.
(Photo: Zscaler)
The above Mystic stealer sample looks for the system time to compare with the value 1685318914 (0x6473ED02)- which would translate to Sun May 28 17:08:34 2023. The anti-virtualization technique of the Mystic stealer detects the runtime environment to avoid execution when it gets a red flag.
This is done using the CPUID assembly instruction that detects the virtual environment through the results of specific values that identify the presence of virtual software. This detection is aided by checks that the malware performs to detect the 12 bytes manufacturer ID string.
It has been found to look for the following values –
- “XenVMMXenVMM” (Xen HVM)
- “VMwareVMware” (VMware)
- “Microsoft Hv” (Microsoft Hyper-V)
- “ KVMKVMKVM “ (KVM)
- “prl hyperv “ (Parallels)
- “VBoxVBoxVBox” (VirtualBox)
Researchers suspect that the detection code was derived from Pafish, a testing tool that looks for virtual machines.
C2 server interactions with Mystic stealer
The following is a screenshot of the decryption algorithm in Python for the C2 server
(Photo: Zscaler)
Mystic dynamically loads Windows APIs through a custom XOR hashing algorithm in Python. “Constant values in the code are obfuscated and dynamically calculated at runtime,” the Zscaler blog stated about the dynamic constant calculation of the malware.
The data sent to the C2 server is labeled with binary tags to mark the type of data it is. The malware collects all the data from the hacked device and sends it at once to the C2 server without writing it on the disk which further secures the hacker’s attempt from antivirus detection.
Mystic stealer can have up to four C2 endpoints to make it operate even when the device is left offline or it is blocklisted.