
Mysterious Data Thief Surfaces on Dark Web, Specializes in Data Exfiltration


Mystic Stealer is an information-stealing malware that harvests data from nearly 40 web browsers and is built to resist analysis. Its code uses polymorphic string obfuscation and hash-based import resolution, so neither cleartext strings nor a conventional import table are available to signature-based antivirus or to a reverse engineer looking for the APIs it calls.

Beyond browsers, it targets cryptocurrency wallets and a range of other applications and files in order to reach sensitive data. The credentials and session data it collects from platforms such as Telegram and Steam give its operators direct access to victims' accounts, which they can use for fraud, further intrusion or espionage.

Alongside wallet and application data, Mystic Stealer fingerprints the device. It collects the hostname, username and machine GUID, and infers the victim's locale, and by extension approximate geographic region, from the installed keyboard layouts. This fingerprint is sent to the operators together with the stolen data.

Mystic Stealer departs from typical stealers by not relying on third-party libraries to decrypt credentials on the victim machine. Where other stealers drop or download helper DLLs after installation and decrypt the credential stores locally, Mystic Stealer collects the raw data and sends it to the command-and-control server, which does the parsing. This likely keeps the client binary smaller and leaves fewer telltale libraries on disk.

The client is written in C and the control panel in Python. The developers have advertised the malware on dark web forums since April, and a recent update adds loader functionality (the ability to fetch and run additional payloads) and a persistence capability, so the stealer can remain on a device over time rather than running once and exiting.

As an anti-analysis measure, Mystic Stealer checks the age of the build it is running against a threshold set by the developers and exits if the build is too old. A sample that reaches a researcher's sandbox well after it was compiled therefore does nothing, which limits what can be learned from stale captures.

The malware also refuses to run inside a virtual machine. The check executes the CPUID instruction and compares the returned values against known signatures of virtualization software. The detection code appears to have been borrowed from Pafish, an open-source tool that tests whether it is running in a VM or sandbox.
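The following is an added example, not Mystic Stealer's or Pafish's code, of the CPUID checks that Pafish-style VM detection rests on: leaf 1 reports a "hypervisor present" bit in ECX bit 31, and leaf 0x40000000 returns a 12-byte vendor string in EBX, ECX and EDX. The vendor table lists well-known strings; the classification names and the choice to report anything else as "unknown" are this example's own. On a non-x86 host the CPUID query is stubbed to return zeros so the code still compiles.

```c
/* Added example (not Mystic Stealer's or Pafish's code): CPUID-based
 * hypervisor detection of the kind the stealer is described as using. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0   /* non-x86 host: queries return zeros */
#endif

struct cpuid_regs { uint32_t eax, ebx, ecx, edx; };

/* Run CPUID for one leaf.  __cpuid is used rather than __get_cpuid because
 * the latter refuses leaves above the reported basic maximum, which the
 * hypervisor leaf 0x40000000 always is. */
static struct cpuid_regs cpuid_query(uint32_t leaf)
{
    struct cpuid_regs r = {0, 0, 0, 0};
#if HAVE_CPUID
    __cpuid(leaf, r.eax, r.ebx, r.ecx, r.edx);
#else
    (void)leaf;
#endif
    return r;
}

/* 1 if the hypervisor-present bit (leaf 1, ECX bit 31) is set, else 0. */
int hypervisor_present(void)
{
    struct cpuid_regs r = cpuid_query(1);
    return (int)((r.ecx >> 31) & 1u);
}

/* Unpack the vendor string: the little-endian bytes of EBX, ECX, EDX in
 * that order, into a NUL-terminated 12-character buffer. */
void decode_hv_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13])
{
    const uint32_t regs[3] = { ebx, ecx, edx };
    for (int i = 0; i < 3; i++)
        for (int j = 0; j < 4; j++)
            out[i * 4 + j] = (char)((regs[i] >> (8 * j)) & 0xffu);
    out[12] = '\0';
}

/* Map a vendor string to a product name; unknown strings are not guessed. */
const char *classify_hv_vendor(const char *vendor)
{
    static const struct { const char *sig; const char *name; } known[] = {
        { "KVMKVMKVM",    "KVM" },
        { "VMwareVMware", "VMware" },
        { "Microsoft Hv", "Hyper-V" },
        { "VBoxVBoxVBox", "VirtualBox" },
        { "XenVMMXenVMM", "Xen" },
    };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strncmp(vendor, known[i].sig, 12) == 0)
            return known[i].name;
    return "unknown";
}

/* The full check as a stealer would run it: "none" on bare metal,
 * otherwise the hypervisor's product name (or "unknown"). */
const char *detect_vm(void)
{
    if (!hypervisor_present())
        return "none";
    struct cpuid_regs r = cpuid_query(0x40000000u);
    char vendor[13];
    decode_hv_vendor(r.ebx, r.ecx, r.edx, vendor);
    return classify_hv_vendor(vendor);
}

int main(void)
{
    printf("hypervisor present: %d, vendor: %s\n",
           hypervisor_present(), detect_vm());
    return 0;
}
```

Run it on a bare-metal machine and in a VM to see the difference; a stealer simply exits when detect_vm() returns anything but "none". Sandboxes that hide the hypervisor bit or spoof the vendor leaf defeat this particular check, which is why Pafish also looks at timing, device names and other artefacts.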

The client's interaction with its command-and-control (C2) server is central to how it operates. Windows APIs are resolved at runtime by comparing hashes of export names against constants produced by a custom XOR-based hashing algorithm (analysts have reproduced the algorithm in Python to recover the API names), so the binary carries no readable import table. Other constants are likewise stored obfuscated and reconstructed at runtime, which slows static analysis. Collected data is assembled in memory, each item prefixed with a binary tag identifying its type, and the whole bundle is sent to the C2 server in a single transmission without ever being written to disk, leaving nothing for file-based antivirus scanning to find.
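The mechanics of hash-based import resolution and runtime-decoded constants, and the analyst's counter-move of mapping a hash back to an API name, as an added example that is not Mystic Stealer's code. The hash function, its seed, the XOR key and the export table are all assumptions chosen for illustration; Mystic Stealer's actual hash constants are not reproduced here. The export table stands in for a DLL's export directory, which a real loader would walk in memory.

```c
/* Added example (not Mystic Stealer's code): hash-based API resolution with
 * obfuscated constants, plus the analyst-side hash-to-name recovery. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative rotate-and-XOR name hash (assumed; not Mystic's algorithm). */
uint32_t api_hash(const char *name)
{
    uint32_t h = 0x12345678u;                    /* assumed seed */
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        h = (h >> 13) | (h << 19);               /* rotate right by 13 */
        h ^= *p;
    }
    return h;
}

/* Constructed stand-in for a DLL's export directory (name -> fake address). */
struct export_entry { const char *name; uintptr_t addr; };
static const struct export_entry fake_exports[] = {
    { "CreateFileW",    0x10001000u },
    { "VirtualAlloc",   0x10002000u },
    { "WriteFile",      0x10003000u },
    { "LoadLibraryA",   0x10004000u },
    { "GetProcAddress", 0x10005000u },
};
#define FAKE_EXPORT_COUNT (sizeof fake_exports / sizeof fake_exports[0])

/* What the loader does instead of an import table: hash every export name
 * and return the address whose hash matches the wanted constant (0 if none). */
uintptr_t resolve_by_hash(const struct export_entry *tab, size_t n, uint32_t want)
{
    for (size_t i = 0; i < n; i++)
        if (api_hash(tab[i].name) == want)
            return tab[i].addr;
    return 0;
}

/* Constants are not stored in the clear: the binary holds hash ^ key and
 * recomputes the real hash at the call site.  Key is an assumption. */
#define OBF_KEY 0xA5A5A5A5u
uint32_t deobfuscate_const(uint32_t stored) { return stored ^ OBF_KEY; }

/* Resolve an API from its obfuscated constant: the only value present in
 * the "binary" is stored; the API name string never appears. */
uintptr_t resolve_obfuscated(uint32_t stored)
{
    return resolve_by_hash(fake_exports, FAKE_EXPORT_COUNT, deobfuscate_const(stored));
}

/* Analyst side: brute-force a recovered hash against a wordlist of export
 * names from the DLLs the sample loads; NULL if nothing matches. */
const char *recover_name(uint32_t h, const char *const *words, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (api_hash(words[i]) == h)
            return words[i];
    return NULL;
}

static const char *const wordlist[] = {
    "CreateFileW", "VirtualAlloc", "VirtualFree", "WriteFile",
    "LoadLibraryA", "GetProcAddress", "ExitProcess",
};
#define WORDLIST_COUNT (sizeof wordlist / sizeof wordlist[0])

int main(void)
{
    /* In a real sample this literal would be baked in at build time. */
    uint32_t stored = api_hash("VirtualAlloc") ^ OBF_KEY;
    uintptr_t addr = resolve_obfuscated(stored);
    const char *name = recover_name(deobfuscate_const(stored), wordlist, WORDLIST_COUNT);
    printf("stored 0x%08x -> hash 0x%08x -> addr 0x%lx -> %s\n",
           stored, deobfuscate_const(stored), (unsigned long)addr,
           name ? name : "(unresolved)");
    return 0;
}
```

The analyst's job is the inverse of the loader's: once the hash routine has been reimplemented (this is what the Python reimplementation mentioned above does), every constant passed to the resolver can be looked up against a wordlist of Windows export names, and the import table the author removed is effectively rebuilt.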

A build can carry up to four C2 endpoints, and the client falls back to the next one when an endpoint is unreachable or has been blocklisted. Blocking a single domain or IP address is therefore not enough to cut the malware off from its operators.

In short, Mystic Stealer is a credible threat to individuals and organizations because it goes after the highest-value data on a machine, cryptocurrency wallets above all, and because its string obfuscation, hash-based API resolution, anti-VM checks and build expiry are designed to defeat both signature-based antivirus and manual analysis. Those techniques hide the binary's intent but not its behaviour: reads of browser credential stores and wallet files, and outbound traffic to the configured C2 endpoints, still happen on the host, and defenders should concentrate their monitoring and controls there.
