Mystic Stealer
Mystic Stealer is an advanced information stealer that first appeared in April 2023. It can steal data from around 40 web browsers and over 70 browser extensions, as well as from cryptocurrency wallets and Steam and Telegram credential stores. Its obfuscation and encrypted command-and-control communication make it hard to detect.

Key Insights

Mystic Stealer collects a wide range of sensitive information: system details such as hostname, username and GUIDs; auto-fill data, browsing history, cookies and stored credentials from many web browsers; data from cryptocurrency wallets such as Bitcoin and DashCore; and credentials from applications such as Telegram and Steam.

Evasion Techniques

To stay undetected, Mystic Stealer uses several evasion techniques. It runs entirely in memory and leaves a minimal footprint on the system. It performs anti-virtualization checks to avoid executing in sandboxed environments, which hinders analysis by security researchers. Its code is heavily obfuscated, using polymorphic string obfuscation, hash-based import resolution and runtime calculation of constants to make detection and analysis harder.
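Hash-based import resolution means the binary never names the Windows APIs it calls; it carries a small integer per function and compares it against hashes of export names at runtime, so static tools see no import table. The analyst's counter is to precompute the same hash over known export names and map the numbers back. The script below is an added example written for this page, not code from the original or from any analysis of Mystic Stealer: the page does not state which hash algorithm the malware uses, so the ROR13 routine here is an assumed placeholder, and the export names are a constructed sample in place of a real DLL export table.

```python
# Added example: rebuild an API-name lookup table for hash-based import
# resolution. The ROR13 scheme and the sample export list are ASSUMPTIONS
# made for illustration; substitute the algorithm recovered from a sample
# and the real export tables of the DLLs it loads.

from typing import Dict, Iterable, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits` bits."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror13_hash(name: str) -> int:
    """ASSUMED hash: for each ASCII byte, h = ror(h, 13) + byte (mod 2^32)."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


def build_lookup(names: Iterable[str]) -> Dict[int, str]:
    """Map hash -> export name; refuse silently wrong tables on collision."""
    table: Dict[int, str] = {}
    for n in names:
        h = ror13_hash(n)
        if h in table and table[h] != n:
            raise ValueError(f"hash collision: {table[h]!r} vs {n!r}")
        table[h] = n
    return table


def resolve(table: Dict[int, str], h: int) -> Optional[str]:
    """Return the export name for a hash, or None if it is not in the table."""
    return table.get(h & MASK32)


# Constructed sample of export names (a real run would load these from
# kernel32.dll, advapi32.dll, ws2_32.dll, etc.).
SAMPLE_EXPORTS: List[str] = [
    "LoadLibraryA", "GetProcAddress", "CreateFileW", "ReadFile",
    "WriteFile", "VirtualAlloc", "connect", "send", "recv",
]
LOOKUP = build_lookup(SAMPLE_EXPORTS)


def resolve_hashes(hashes: Iterable[int]) -> List[Tuple[int, Optional[str]]]:
    """Annotate a list of hashes pulled from a sample with their API names."""
    return [(h, resolve(LOOKUP, h)) for h in hashes]


if __name__ == "__main__":
    # Constructed input: hashes an analyst might extract from a binary.
    found = [ror13_hash("VirtualAlloc"), ror13_hash("connect"), 0x12345678]
    for h, name in resolve_hashes(found):
        print(f"{h:08x} -> {name or '<unknown>'}")
```

The collision check matters: when a lookup table is built from several DLLs, two export names can hash to the same value, and a table that silently keeps the last one would mislabel the resolved import in a report.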

Distribution and Control

First advertised on hacking forums in April 2023, Mystic Stealer is already popular in the criminal underground. It is rented out for $150 per month, which puts it within reach of many threat actors. It communicates with its C2 servers using a custom binary protocol over TCP and exfiltrates data over that encrypted channel. Stolen data is sent directly to the C2 server without being written to disk, another technique to evade detection.

Known Variants

At the time of writing there are no known variants of Mystic Stealer. It is a new malware family and, although its authors have updated it, no distinct variants have been reported in public sources.

Mitigation Strategies

  • Use advanced endpoint protection to detect and block malware.

  • Keep all software and systems up to date to patch vulnerabilities.

  • Educate users about phishing and about downloading software only from trusted sources.

  • Monitor network traffic for unusual patterns that may indicate data exfiltration or communication with known malicious servers.
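The last mitigation above and the Distribution and Control section together describe a concrete network signal: stolen data leaves the host directly over a custom TCP protocol, so the session is outbound, upload-heavy and not on a port where the organisation expects such volume. The script below is an added example for this page, not code from the original: it scores constructed flow records against that pattern. The CSV field layout, the allowlist of expected service ports and the numeric thresholds are assumptions and should be tuned to your own traffic baseline.

```python
# Added example: flag outbound TCP flows that look like direct data exfiltration
# to an unexpected destination port. Field layout, thresholds and the sample
# log lines are CONSTRUCTED assumptions for illustration.

from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int   # bytes sent by the internal host
    bytes_in: int    # bytes received by the internal host
    duration_s: int


# Assumed: ports where large uploads are routine (web, mail, SSH, DNS).
EXPECTED_PORTS = {22, 25, 53, 80, 443, 587, 993, 995}
MIN_BYTES_OUT = 500_000      # assumed: below this, ignore the flow
MIN_UPLOAD_RATIO = 5.0       # assumed: bytes_out / bytes_in for an upload-heavy session


def parse_flow(line: str) -> Flow:
    """Parse one CSV record: src,dst,dport,proto,bytes_out,bytes_in,duration_s."""
    src, dst, dport, proto, b_out, b_in, dur = [f.strip() for f in line.split(",")]
    return Flow(src, dst, int(dport), proto.lower(), int(b_out), int(b_in), int(dur))


def is_suspicious(f: Flow) -> bool:
    """Outbound TCP, unexpected port, large and strongly upload-heavy."""
    if f.proto != "tcp" or f.dport in EXPECTED_PORTS:
        return False
    ratio = f.bytes_out / max(f.bytes_in, 1)
    return f.bytes_out >= MIN_BYTES_OUT and ratio >= MIN_UPLOAD_RATIO


def suspicious_flows(lines: Iterable[str]) -> List[Flow]:
    """Return the flows worth an analyst's attention, skipping blank lines."""
    return [f for f in (parse_flow(l) for l in lines if l.strip()) if is_suspicious(f)]


# Constructed sample flow log (RFC 5737 documentation addresses as destinations).
SAMPLE_LOG = """\
10.0.0.5,203.0.113.7,8443,tcp,2400000,12000,600
10.0.0.5,198.51.100.20,443,tcp,1800000,900000,300
10.0.0.8,192.0.2.9,5555,tcp,40000,2000,30
10.0.0.9,203.0.113.50,9001,tcp,900000,100000,1200
10.0.0.9,203.0.113.50,9002,udp,900000,1000,100
"""


def flagged_destinations(log: str) -> List[str]:
    """Convenience view: 'dst:dport' for each flagged flow."""
    return [f"{f.dst}:{f.dport}" for f in suspicious_flows(log.splitlines())]


if __name__ == "__main__":
    for f in suspicious_flows(SAMPLE_LOG.splitlines()):
        print(f"{f.src} -> {f.dst}:{f.dport}  out={f.bytes_out} in={f.bytes_in} dur={f.duration_s}s")
```

The port allowlist is the weakest part of this heuristic, since an operator can listen on 443 as easily as on 8443; in practice the flagged set should be joined with destination reputation and with a per-host upload baseline so that a large upload to a never-before-seen host on any port still surfaces.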

Targeted Industries or Sectors

Mystic Stealer does not appear to target specific industries or sectors. Its capabilities are broad, so it is a threat to individuals and organizations in any field. Because it steals credentials and financial information, any entity that handles sensitive data is at risk.

Associated Threat Actors

No specific threat actors are associated with Mystic Stealer. It is sold on underground forums and available to many cybercriminals, so attribution to a particular group is difficult, and the lack of distinctive indicators makes it hard to tie its use to specific threat actors.
