
A new information-stealing malware called Mystic Stealer has been found to steal data from around 40 different web browsers and over 70 web browser extensions.
First advertised on April 25, 2023 for $150/month, the malware also targets cryptocurrency wallets, Steam, and Telegram, and employs extensive mechanisms to resist analysis.
“The code is highly obfuscated using polymorphic string obfuscation, hash-based import resolution, and runtime computation of constants,” InQuest and Zscaler researchers said in an analysis published last week.
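Hash-based import resolution means the binary stores a numeric hash of each Windows API it needs instead of the name and compares hashes against export tables at run time, which hides the import list from static tools. The analyst-side counter is to hash a list of known export names with the same algorithm and look the constants up. The Python below is an added illustration of that workflow and is not code from the article or from either research team; the ROR-13 hash is an assumed, commonly seen example of this class of hashes, not Mystic Stealer's actual algorithm (which the article does not describe), and the export list is a constructed sample.

```python
"""Analyst-side helper: map API-name hashes back to export names.

The rotate-right-13 hash is an illustrative stand-in for the kind of hash
such loaders use; it is an assumption, NOT the algorithm used by Mystic
Stealer, which the article does not specify.
"""

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def api_hash(name: str) -> int:
    """Illustrative ROR-13 hash over the ASCII bytes of an export name."""
    h = 0
    for ch in name.encode("ascii"):
        h = (ror32(h, 13) + ch) & MASK32
    return h


# Constructed sample of export names. In practice an analyst dumps the export
# tables of kernel32.dll, ntdll.dll, wininet.dll, crypt32.dll, etc.
SAMPLE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateFileW", "WriteFile", "ReadFile", "CloseHandle",
    "InternetOpenA", "HttpSendRequestA", "CryptUnprotectData",
]


def build_lookup(names) -> dict:
    """Map hash -> name. A collision would mean the hash cannot identify an
    API unambiguously, so it is reported instead of silently overwritten."""
    table = {}
    for n in names:
        h = api_hash(n)
        if h in table and table[h] != n:
            raise ValueError(f"hash collision: {table[h]!r} vs {n!r}")
        table[h] = n
    return table


def resolve_hashes(constants, table) -> list:
    """Translate constants pulled from a disassembly into API names, keeping
    unresolved values as hex so the analyst can see what is still unknown."""
    return [table.get(c, f"unknown:{c:#010x}") for c in constants]


if __name__ == "__main__":
    lookup = build_lookup(SAMPLE_EXPORTS)
    # Constructed: pretend these constants were extracted from a sample.
    found = [api_hash("VirtualAlloc"), api_hash("CryptUnprotectData"), 0xDEADBEEF]
    for c, n in zip(found, resolve_hashes(found, lookup)):
        print(f"{c:#010x} -> {n}")
```

The real work when applying this to a sample is recovering the hash routine itself from the disassembly; once it is reimplemented, the table built from every DLL's export names resolves the whole import set at once, and any constant left as `unknown:` points at an API or DLL not yet in the name list.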
Mystic Stealer, like many other crimeware solutions on the market, focuses on data theft and is implemented in the C programming language. The control panel is developed using Python.
The May 2023 update to the malware adds a loader component that can retrieve and execute next-stage payloads obtained from command-and-control (C2) servers, making the threat even more potent.
C2 communication is accomplished using a custom binary protocol over TCP. As many as 50 operational C2 servers have been identified to date. The control panel serves as the interface through which buyers of the stealer access data logs and other settings.
Cybersecurity firm Cyfirma, which also published an analysis of Mystic, said "the creators of the product are openly soliciting suggestions for further improvements to Stealer" via a dedicated Telegram channel, in an attempt to court the cybercriminal community and signal that the project is being actively developed.
“Mystic Stealer’s developers are clearly trying to create a stealer that matches current trends in the malware space while focusing on anti-analysis and defense evasion,” the researchers said.

The findings come at a time when information stealers have emerged as a hot commodity in the underground economy, often acting as a precursor to the gathering of credentials that enable initial access to target environments.
In other words, stealers serve as a platform for other cybercriminals to launch financially motivated campaigns with ransomware and data extortion elements.
Alongside its surge in popularity, off-the-shelf stealer malware has also become deadlier and stealthier, packed with advanced techniques, even as it is marketed at affordable prices to appeal to a wider audience.

The ever-changing, volatile nature of the stealer landscape is best illustrated by the steady introduction in recent months of new families such as Album Stealer, Bandit Stealer, Devopt, Fractureiser, and Rhadamanthys.
Additional indications that threat actors are attempting to evade detection include information stealers and remote access trojans packaged within crypters such as AceCryptor, ScrubCrypt (aka BatCloak), and Snip3.
This development coincides with HP Wolf Security detailing a ChromeLoader campaign codenamed Shampoo, launched in March 2023 and designed to install a malicious extension on Google Chrome, steal sensitive data, redirect searches, and inject advertisements into the victim's browser session.
“Users encountered malware mainly by downloading illegal content such as movies (Cocaine Bear.vbs) and video games,” said security researcher Jack Royer. “These websites trick victims into running malicious VBScripts on their PCs, starting an infection chain.”
The VBScript then drops PowerShell code that closes all existing Chrome windows and launches a new session with the unpacked rogue extension via the "--load-extension" command-line argument.
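The launch sequence described above leaves a process-creation trail that is easy to check for: Chrome started with `--load-extension`, and with a scripting host such as PowerShell as its parent, which is not how users normally open a browser. The Python below is an added detection sketch, not code from the article or from HP Wolf Security; the pipe-separated `key=value` event layout and the four log lines are constructed for the example and do not reproduce any particular product's output.

```python
"""Flag Chrome launches that use --load-extension, weighting those spawned
by a scripting host (the Shampoo-style VBScript -> PowerShell -> Chrome chain).

Event format 'ParentImage=...|Image=...|CommandLine=...' is an assumed layout
for this example; adapt parse_event() to the real source (Sysmon, EDR, etc.).
"""
import re
from typing import Dict, List, Optional

# Parents that should not normally be launching a browser with extra flags.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# --load-extension=PATH or --load-extension PATH, quoted or not.
LOAD_EXT_RE = re.compile(r'--load-extension(?:=|\s+)("([^"]*)"|(\S+))', re.IGNORECASE)

# Constructed sample events: a normal launch, the suspicious chain, a
# developer loading a local extension from cmd.exe, and an unrelated process.
SAMPLE_EVENTS = r"""
ParentImage=C:\Windows\explorer.exe|Image=C:\Program Files\Google\Chrome\Application\chrome.exe|CommandLine="C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default
ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|Image=C:\Program Files\Google\Chrome\Application\chrome.exe|CommandLine="C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\victim\AppData\Local\Temp\ext"
ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Program Files\Google\Chrome\Application\chrome.exe|CommandLine="C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=D:\dev\my-extension
ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\notepad.exe|CommandLine=notepad.exe --load-extension
"""


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'key=value|key=value' line into a dict. Only the first '='
    of each field is used, so '=' inside CommandLine is preserved."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extension_path(cmdline: str) -> Optional[str]:
    """Return the directory passed to --load-extension, or None if absent."""
    m = LOAD_EXT_RE.search(cmdline)
    if not m:
        return None
    return m.group(2) if m.group(2) is not None else m.group(3)


def check_event(fields: Dict[str, str]) -> Optional[dict]:
    """Alert only for chrome.exe with --load-extension; severity depends on parent."""
    if basename(fields.get("Image", "")) != "chrome.exe":
        return None
    ext = extension_path(fields.get("CommandLine", ""))
    if ext is None:
        return None
    parent = basename(fields.get("ParentImage", ""))
    severity = "high" if parent in SCRIPT_HOSTS else "medium"
    return {"parent": parent, "extension": ext, "severity": severity}


def scan(log_text: str) -> List[dict]:
    """Run check_event over every non-empty line and collect alerts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        alert = check_event(parse_event(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a['severity']}] parent={a['parent']} extension={a['extension']}")
```

Developers do legitimately use `--load-extension`, so the parent process and the extension directory (a user's Temp folder versus a source checkout) are what separate the two cases; a medium-severity hit with an unusual path is worth a look, and a high-severity hit from a scripting host is the chain the article describes.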
It also follows the discovery of a new modular malware trojan dubbed Pikabot, capable of executing arbitrary commands and injecting payloads such as Cobalt Strike that are provided by its C2 servers.
The implant has been active since early 2023 and has been found to have similarities to QBot in terms of distribution methods, campaigns, and malware behavior, but there is no conclusive evidence linking the two families.
“Pikabot is a new malware family that implements an extensive set of anti-analysis techniques and provides common backdoor functionality to load shellcode and execute arbitrary second-stage binaries,” Zscaler said.