Mystic Stealer, an information-stealing malware family built to harvest credentials and cryptocurrency wallet data, has gained traction among cybercriminals since it surfaced on underground marketplaces in April, according to reports by Cyfirma, InQuest, and Zscaler. Despite being new, it has quickly made a mark through its feature set, its pricing, and a steady stream of updates driven by user feedback.
Priced at $150 per month or $390 for three months, Mystic Stealer offers the feature set common to commodity stealers, harvesting data from victims while using evasion techniques that complicate detection and analysis. Zscaler researchers noted that its developer appears intent on building a stealer that matches current malware trends, with a particular focus on anti-analysis and defense evasion.
Mystic Stealer collects a wide range of information: system details, web browser credentials, data from browser extensions, and cryptocurrency wallets such as Bitcoin Core and DashCore. It also harvests Telegram and Steam credentials. Researchers found the countries with the most Mystic Stealer infections to be the US, Germany, Finland, France, and Russia.
What distinguishes Mystic Stealer from much commodity malware is its emphasis on evasion and continuous improvement. Its code is heavily obfuscated using polymorphic string obfuscation and hash-based import resolution, so neither the strings it uses nor the names of the Windows API functions it calls appear in the binary in plaintext. Communication with its command-and-control server uses a custom binary protocol encrypted with RC4 rather than a readable format such as HTTP. Together these measures make the malware harder for security products to detect and for analysts to take apart.
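The two techniques named above are best understood from the analyst's side. The following is an added example written for this page, not code from Mystic Stealer or from any of the cited vendors. It assumes the ROR-13 API hash used by many shellcode loaders as a stand-in for the malware's own (unpublished here) hash function, and it uses a constructed key and message for the RC4 part; the real key and message layout are not reproduced.

```python
"""
Added example (not Mystic Stealer's code) for two evasion techniques.

1. Hash-based import resolution: instead of storing "VirtualAlloc", the
   malware stores a 32-bit hash of the name and walks DLL export tables at
   runtime comparing hashes. An analyst who has recovered the hash function
   precomputes hashes of every known export and maps the constants found in
   the sample back to API names. ASSUMPTION: ROR-13 stands in for the real
   algorithm, which this example does not reproduce.

2. RC4: a custom protocol "encrypted with RC4" is opaque only until the key
   is pulled from the sample. rc4() is the standard KSA/PRGA and is its own
   inverse, so one routine both decrypts captured traffic and re-encrypts it.
"""
from typing import Dict, Iterable, List


def ror13_hash(name: str) -> int:
    """ROR-13 hash over the ASCII API name (stand-in for the real algorithm)."""
    h = 0
    for byte in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # rotate right by 13 bits
        h = (h + byte) & 0xFFFFFFFF
    return h


def build_hash_table(exports: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> name for every export name we know about."""
    return {ror13_hash(n): n for n in exports}


def resolve_hashes(hashes: Iterable[int], table: Dict[int, str]) -> List[str]:
    """Map hash constants found in a sample back to names; unknown ones stay as hex."""
    return [table.get(h, f"unknown_{h:08x}") for h in hashes]


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key-scheduling (KSA) followed by keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed inputs: a few kernel32 export names (a real run would feed the
# whole export table) and the hash constants "found" in the sample, one of
# which deliberately matches nothing so the unknown path is exercised.
KNOWN_EXPORTS = ["CreateFileW", "WriteFile", "VirtualAlloc", "GetProcAddress", "LoadLibraryA"]
SAMPLE_HASHES = [ror13_hash("VirtualAlloc"), ror13_hash("LoadLibraryA"), 0xDEADBEEF]
DEMO_KEY = b"constructed-key"                        # constructed, not the malware's key
DEMO_MESSAGE = b"\x01\x00machine=WIN-TEST;user=alice;"  # constructed, not the real layout


def demo() -> dict:
    """Resolve the sample's hashes and round-trip a message through RC4."""
    names = resolve_hashes(SAMPLE_HASHES, build_hash_table(KNOWN_EXPORTS))
    ciphertext = rc4(DEMO_KEY, DEMO_MESSAGE)
    return {"resolved": names, "ciphertext": ciphertext, "roundtrip": rc4(DEMO_KEY, ciphertext)}


if __name__ == "__main__":
    print(demo())
```

The practical point: hash-based resolution defeats static string scanning, not analysis. Once the hash routine is identified in the disassembly, a precomputed table turns every hash constant back into an API name, and once the RC4 key is located (it must be present in the sample or derived from data the sample has), captured C2 traffic decrypts with the same routine.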
The developers also took an unusual route to market. After the initial release they handed the stealer to veterans of underground forums for testing and folded their feedback into subsequent versions. Cyfirma researchers observed that this reflects an understanding of how much validation from established members of the underground community is worth, and signals an ongoing effort to refine the product.
Technically, the client is written in C and the control panel in Python. The seller advertises support for every Windows version from XP through Windows 11 on both x86 and x64. The malware is claimed to run entirely in memory and to invoke system calls directly, leaving no artifacts on disk while it collects and exfiltrates data. Stolen data is compressed and encrypted before transmission. Unlike many stealers, it does not bundle third-party libraries to parse and decrypt credential stores on the victim machine.
To counter Mystic Stealer and infostealers like it, organizations should rely on layered defenses: threat prevention technologies, up-to-date endpoint protection, firewalls, and intrusion detection systems. Regular patching reduces the opportunities for initial infection. Continuous monitoring of threat intelligence sources and information sharing within security communities support earlier detection, response, and mitigation.
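Because the stealer's on-disk footprint is minimal, the most reliable host-side signal is behavioural: a process that is not a browser or messaging client opening the credential stores of several different products in quick succession. The following detection logic is an added example for this page, not a rule from any of the cited vendors. It runs over constructed file-access records (process name, PID, path) in the shape most EDR or object-access telemetry provides; the store paths are the standard per-user locations, and the per-store owner allow-lists are an assumption that must be tuned for a given fleet.

```python
"""
Added example (not vendor code): flag credential-store access by non-owner
processes, and flag any single process that touches stores of two or more
products, which is the classic infostealer harvesting pattern.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# (store name, path pattern, processes with a legitimate reason to open it).
# Paths are the default per-user locations; owner lists are an ASSUMPTION.
CREDENTIAL_STORES = [
    ("chrome-logins", re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I), {"chrome.exe"}),
    ("edge-logins", re.compile(r"\\Microsoft\\Edge\\User Data\\[^\\]+\\Login Data$", re.I), {"msedge.exe"}),
    ("firefox-logins", re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\logins\.json$", re.I), {"firefox.exe"}),
    ("telegram-tdata", re.compile(r"\\Telegram Desktop\\tdata\\", re.I), {"telegram.exe"}),
]


def store_for(path: str) -> Optional[Tuple[str, Set[str]]]:
    """Return (store name, owner processes) if the path is a known credential store."""
    for name, pattern, owners in CREDENTIAL_STORES:
        if pattern.search(path):
            return name, owners
    return None


def detect(events: Iterable[Dict[str, object]]) -> List[str]:
    """Two checks: wrong process per store, and multi-store harvesting per process."""
    alerts: List[str] = []
    touched: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for e in events:
        hit = store_for(str(e["path"]))
        if hit is None:
            continue  # not a credential store; ignore
        store, owners = hit
        proc = str(e["process"]).lower()
        pid = int(e["pid"])
        touched[(proc, pid)].add(store)
        if proc not in owners:
            alerts.append(f"{proc} pid {pid} opened {store}: {e['path']}")
    for (proc, pid), stores in touched.items():
        if len(stores) >= 2:
            alerts.append(f"{proc} pid {pid} harvested {len(stores)} stores: {sorted(stores)}")
    return alerts


# Constructed telemetry: two benign browser reads, one unrelated file, and a
# single unknown process sweeping three different credential stores.
SAMPLE_EVENTS = [
    {"process": "chrome.exe", "pid": 100,
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process": "firefox.exe", "pid": 200,
     "path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default\logins.json"},
    {"process": "helper.exe", "pid": 300,
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process": "helper.exe", "pid": 300,
     "path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default\logins.json"},
    {"process": "helper.exe", "pid": 300,
     "path": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\tdata\key_datas"},
    {"process": "notepad.exe", "pid": 400,
     "path": r"C:\Users\alice\Documents\notes.txt"},
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The second check matters more than the first. A legitimate backup agent or sync client may touch one store and would need to be allow-listed, but very few benign processes read Chrome's, Firefox's and Telegram's secrets from the same PID within one session. Note that stealers commonly copy a locked database to a temporary path before reading it; that copy still shows up as an open of the original file, so the rule catches it.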
Training employees in security best practices and sustaining a culture of security awareness remain essential to preventing the initial compromise. Organizations should also maintain a well-defined incident response plan covering communication protocols, forensic investigation procedures, and backup and recovery.
As Mystic Stealer continues to evolve, organizations need to stay vigilant and proactive to limit the damage such threats can cause.