Mystic Stealer is an information stealer that first appeared in April 2023. It targets data from around 40 web browsers and over 70 browser extensions, as well as cryptocurrency wallets and Steam and Telegram credentials. It relies on code obfuscation and encrypted command-and-control traffic to evade detection.
Mystic Stealer collects a wide range of sensitive information: system details such as hostname, username and GUIDs; auto-fill data, browsing history, cookies and stored credentials from many web browsers; data from cryptocurrency wallets such as Bitcoin and DashCore; and credentials from applications such as Telegram and Steam.
Evasion Techniques
To stay undetected, Mystic Stealer uses several evasion techniques. It runs entirely in memory, leaving a minimal footprint on disk. It performs anti-virtualization checks to avoid executing in sandboxed environments, which hinders analysis by security researchers. Its code is heavily obfuscated, using polymorphic string obfuscation, hash-based import resolution and runtime calculation of constants, all of which make static detection and analysis harder.
Distribution and Control
First advertised on hacking forums in April 2023, Mystic Stealer quickly became popular in the criminal underground. It is rented out for $150 per month, which puts it within reach of many threat actors. It communicates with its C2 servers using a custom binary protocol over TCP, with the traffic encrypted. Stolen data is sent directly to the C2 server without ever being written to disk, another technique that reduces forensic traces and evades detection.
Use advanced endpoint protection to detect and block malware.
Keep all software and systems up to date to patch vulnerabilities.
Educate users about phishing and about downloading software only from trusted sources.
Monitor network traffic for unusual patterns that may indicate data exfiltration or communication with known malicious servers.
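One way to turn the last recommendation into a first-pass hunt, given that the stealer pushes data straight to its C2 over a custom TCP protocol rather than HTTP: flag upload-heavy TCP flows from internal hosts to external addresses on non-web ports. This is an added example, not code from the original page; the heuristic, thresholds and the subset of Zeek-style conn.log columns are assumptions, and the log rows are constructed (documentation IP ranges stand in for external hosts).

```python
"""Flag outbound TCP flows that look like direct-to-C2 exfiltration over a
non-web port: upload-heavy, from an internal host to an external one.
Hypothetical heuristic. Input is a constructed subset of Zeek conn.log
columns: ts, orig_h, orig_p, resp_h, resp_p, proto, duration, orig_bytes, resp_bytes."""
import ipaddress

# Constructed sample rows (tab-separated); 198.51.100.0/24 and 203.0.113.0/24
# are documentation ranges used here as stand-ins for external hosts.
SAMPLE_CONN_LOG = """\
1690000001.1\t10.0.0.5\t51122\t203.0.113.7\t443\ttcp\t4.2\t1500\t52000
1690000002.3\t10.0.0.5\t51123\t10.0.0.9\t445\ttcp\t30.0\t900000\t1200
1690000003.7\t10.0.0.5\t51124\t198.51.100.20\t8443\ttcp\t12.5\t640000\t900
1690000004.0\t10.0.0.8\t51125\t203.0.113.7\t80\ttcp\t1.0\t700\t9000
1690000005.5\t10.0.0.8\t51126\t192.0.2.33\t5555\tudp\t0.5\t300000\t0
"""

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_PORTS = {80, 443}        # HTTP(S) flows need protocol inspection instead
MIN_UPLOAD_BYTES = 200_000   # tunable: ignore small flows
UPLOAD_RATIO = 5.0           # bytes sent must dwarf bytes received

def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def parse_conn_log(text: str) -> list[dict]:
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, oh, _op, rh, rp, proto, _dur, ob, rb = line.split("\t")
        rows.append({"ts": float(ts), "orig_h": oh, "resp_h": rh,
                     "resp_p": int(rp), "proto": proto,
                     "orig_bytes": int(ob), "resp_bytes": int(rb)})
    return rows

def find_exfil_candidates(rows: list[dict]) -> list[tuple[str, str, int]]:
    """Return (src, dst, dst_port) for flows matching all heuristics."""
    hits = []
    for r in rows:
        if r["proto"] != "tcp" or not is_external(r["resp_h"]):
            continue
        if r["resp_p"] in WEB_PORTS or r["orig_bytes"] < MIN_UPLOAD_BYTES:
            continue
        if r["orig_bytes"] <= UPLOAD_RATIO * max(r["resp_bytes"], 1):
            continue
        hits.append((r["orig_h"], r["resp_h"], r["resp_p"]))
    return hits

if __name__ == "__main__":
    for hit in find_exfil_candidates(parse_conn_log(SAMPLE_CONN_LOG)):
        print("possible exfiltration: %s -> %s:%d" % hit)
```

Hits are leads for triage, not verdicts; correlate them with the originating process and host before acting.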