
Information-stealing malware capable of targeting around 180 web browsers, browser extensions, cryptocurrency applications, MFA tools, and password managers is becoming increasingly popular among hackers.
What’s even more worrisome is that the Mystic Stealer, which is also capable of stealing credentials from Telegram and Steam, is on sale in forums and darknet marketplaces, where buyers pay $150 per month to rent the malware.
A sophisticated stealing malware
InQuest and Zscaler attribute the growing use of Mystic Stealer by threat actors to its sophistication. Cyfirma said in a report that the spike in sales of the malware on hacker forums is an indication of its increasing popularity.
A report by Bleeping Computer said that the malware was released in late April 2023. By the end of May, version 1.2 had been released, possibly incorporating feedback from early users.
Backed by a Telegram Channel
Mystic Stealer was aggressively promoted in hacker forums and groups such as BHF, XSS, and WWH-Club.
The report says that the competitive subscription price of $150 per month or $390 per quarter could be responsible for the malware's spread in the cybercrime community. It is also backed by a Telegram channel, Mystic Stealer News, where the developers discuss improvements and other use cases with members. The developers also solicit feedback, encouraging users to suggest the improvements they want to see.
A potent information stealer
The Cyfirma report says that the malware’s capability should not be underestimated, describing it as a potent information stealer even though it is still in its early developmental stage.
The technical details show that it targets Windows XP through Windows 11 and supports both 32- and 64-bit OS architectures. The report adds,
“The malware does not need any dependencies, so its footprint on infected systems is minimal, while it operates in memory to avoid detection from anti-virus products. Moreover, Mystic performs several anti-virtualization checks, like inspecting the CPUID details to ensure it is not executed in sandboxed environments.”
The Zscaler/InQuest report says that the developer added restrictions intended to limit the malware's exposure to security researchers.
Mystic Stealer's stealing capabilities
Regarding the malware’s stealing capabilities, the report said,
“Upon first execution, Mystic gathers OS and hardware information and snaps a screenshot, sending the data to the attacker’s C2 server. Depending on the instructions it receives, the malware will target more specific data stored in web browsers, applications, etc.”
The targeted applications include popular web browsers, password managers, and cryptocurrency wallet apps. Notable entries in the list include:
Google Chrome
Mozilla Firefox
Microsoft Edge
Opera
Vivaldi
Binance
Exodus
Bitcoin
Electrum
Authy 2FA
Gauth Authenticator
EOS Authenticator
LastPass: Free Password Manager
Trezor Password Manager
RoboForm Password Manager
Dashlane: Password Manager
NordPass Password Manager and Digital Vault
Browserpass
MYKI Password Manager and Authenticator
Even though the full capabilities of Mystic Stealer are still a subject of debate, its emergence no doubt poses a threat to individuals and organizations.