A new information-stealing malware called Mystic Stealer has been found to steal data from about 40 different web browsers and over 70 web browser extensions.

First advertised on April 25, 2023, for $150 per month, the malware also targets cryptocurrency wallets, Steam, and Telegram, and employs extensive mechanisms to resist analysis.

“The code is heavily obfuscated making use of polymorphic string obfuscation, hash-based import resolution, and runtime calculation of constants,” InQuest and Zscaler researchers said in an analysis published last week.
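Of the three techniques the researchers list, hash-based import resolution is the one that most directly hinders static analysis: the binary carries numeric hashes instead of API names, so the import table reveals nothing. The usual analyst counter is to hash every export of the DLLs the sample could load and match the numbers back to names. The script below is an added illustration of that workflow; it is not code from the article, from Zscaler/InQuest, or from Mystic Stealer itself, and the ROR13-style hash, the DLL export list and the sample hash values are all assumptions, since the article does not state which algorithm Mystic uses.

```python
# Added example: recovering API names from hash-based import resolution.
# ASSUMPTION: the hash below is a generic ROR13-additive example, not the
# algorithm Mystic Stealer actually uses (the article does not say).

def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits` positions."""
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def api_hash(name: str) -> int:
    """Assumed ROR13-additive hash over the ASCII bytes of an export name."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & 0xFFFFFFFF
    return h


# Constructed export list. In a real investigation this comes from parsing the
# export tables of the DLLs the sample loads (e.g. with pefile), not from a
# hand-written dictionary.
KNOWN_EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileW"],
    "ws2_32.dll": ["WSAStartup", "socket", "connect", "send", "recv"],
}


def build_lookup(exports: dict) -> dict:
    """Precompute hash -> (dll, export) for every known export name."""
    table = {}
    for dll, names in exports.items():
        for name in names:
            table[api_hash(name)] = (dll, name)
    return table


def resolve_hashes(hashes: list, table: dict) -> list:
    """Map hashes pulled from a sample back to names; None marks an unknown hash."""
    return [table.get(h) for h in hashes]


if __name__ == "__main__":
    # Constructed "hashes found in the sample": the analyst would extract these
    # from the resolver's call sites. Here they are generated for demonstration.
    found = [api_hash("socket"), api_hash("connect"), 0xDEADBEEF]
    for h, hit in zip(found, resolve_hashes(found, build_lookup(KNOWN_EXPORTS))):
        print(f"{h:#010x} -> {hit}")
```

A hash that stays unresolved after the table is built usually means either a DLL is missing from the export list or the sample uses a different hash variant (a different rotation count, a seed, or case folding), which is why analysts keep several candidate hash functions and compare hit rates rather than trusting a single one.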

Mystic Stealer, like many other crimeware solutions that are offered for sale, focuses on pilfering data and is implemented in the C programming language. The control panel has been developed using Python.

Updates to the malware in May 2023 incorporate a loader component that allows it to retrieve and execute next-stage payloads fetched from a command-and-control (C2) server, making it a more formidable threat.

C2 communications are achieved using a custom binary protocol over TCP. As many as 50 operational C2 servers have been identified to date. The control panel, for its part, serves as the interface for buyers of the stealer to access data logs and other configurations.

Cybersecurity firm Cyfirma, which published a concurrent analysis of Mystic, said, “the author of the product openly invites suggestions for additional improvements in the stealer” through a dedicated Telegram channel, indicating active efforts to court the cybercriminal community.

“It seems clear that the developer of Mystic Stealer is looking to produce a stealer on par with the current trends of the malware space while attempting to focus on anti-analysis and defense evasion,” the researchers said.

images from Hacker News