Cloud security provider Zscaler has released a report detailing an emerging information stealer named Mystic Stealer, which it has been tracking since the malware was first advertised on dark web markets in April 2023.

What is Mystic Stealer?

Mystic Stealer is a crimeware application written in two programming languages: C for the client that runs on the victim machine, and Python for the control panel.

Focused on data theft, Mystic Stealer first profiles the infected system, collecting the hostname, user name, and machine GUID. It also estimates the user's likely geographic location from the system locale and keyboard layout.

Like many other similar stealers, Mystic Stealer has the ability to collect auto-fill data, browsing history, arbitrary files, cookies, and information related to cryptocurrency wallets from approx. 40 different browsers.

Mystic Stealer can also steal Telegram and Steam credentials.

Staying hidden

In an attempt to remain as quiet as possible, Mystic Stealer does not bundle any third-party libraries for decrypting or decoding victim credentials on the infected host. Instead, it collects the raw data from the system and ships it to the command and control (C2) server, where it can be processed.

This approach both keeps the binary small and makes its purpose less obvious to static analysis tools, since the client contains none of the library code (or import tables) that would normally give a stealer away.

The malware also terminates immediately if the running build is older than a date compiled into it. This expiry check limits the window in which researchers and sandboxes can analyse an older sample, which might otherwise reveal weak points in the malware's code.

Mystic Stealer also contains anti-VM checks that detect hypervisor environments, so that it does not run, and therefore cannot be observed, inside analysis sandboxes.

When communicating with the C2 server, Mystic Stealer uses a custom binary protocol over a plain TCP connection, as detailed below:

  1. The client sends a hello message containing a constant 4-byte value (0x946F19B5) to the C2 server.
  2. The C2 responds with 256 bytes of binary data, which the client uses as the RC4 key for all subsequent communication.
  3. The client reads the machine GUID from the registry value HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid.
  4. The client encrypts the GUID (together with its length) using RC4 and sends it to the C2 server.
  5. Packets received from the server are length-prefixed: a 4-byte big-endian size value followed by the data buffer. All data is encrypted with RC4.
  6. The C2 server responds with a binary configuration describing the actions to perform (steal credentials, take screenshots, steal cryptocurrency wallets, etc.). The configuration is a sequence of 1s and 0s, each enabling or disabling one feature respectively.
  7. Data stolen from the infected system is labelled with a specific binary tag identifying the type of information when it is sent to the C2 server.
  8. Unlike most stealers, which harvest everything first and then exfiltrate it to the C2 in a single request, Mystic Stealer sends each piece of information to the C2 as soon as it is collected, without staging it on disk. Writing a staging file or archive is a common behaviour that EDR and antivirus products watch for, so this avoids one well-known detection point.
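The exchange above, reconstructed as an added, runnable example. This is not the malware's code or Zscaler's: both sides run in-process with no sockets, RC4 is implemented inline, and the machine GUID is a constructed string rather than a registry read. Several details are not stated in the report and are assumptions here: the hello constant is sent little-endian, the RC4 keystream restarts for every packet, client-to-server packets use the same 4-byte big-endian length framing as server-to-client packets, the GUID packet is a 4-byte little-endian length followed by the GUID, the configuration is one byte per feature in the order `credentials, screenshot, wallets`, and each stolen record is a one-byte tag followed by the data. The `is_hello` helper shows the one stable, pre-encryption artefact a network detection can match on.

```python
import os
import struct

# Constant hello value from the Zscaler report. Byte order on the wire is not
# stated there; little-endian (typical for an x86 C client) is ASSUMED here.
HELLO_MAGIC = 0x946F19B5
HELLO_BYTES = struct.pack("<I", HELLO_MAGIC)

# Feature order and tag values are ILLUSTRATIVE, not the real configuration format.
FEATURES = ("credentials", "screenshot", "wallets")
TAGS = {"credentials": 0x01, "screenshot": 0x02, "wallets": 0x03}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def frame(key: bytes, payload: bytes) -> bytes:
    """Step 5: 4-byte big-endian length, then the RC4-encrypted payload.
    ASSUMED: a fresh keystream per packet."""
    body = rc4(key, payload)
    return struct.pack(">I", len(body)) + body


def unframe(key: bytes, packet: bytes) -> bytes:
    (n,) = struct.unpack(">I", packet[:4])
    if len(packet) != 4 + n:
        raise ValueError("truncated or over-long packet")
    return rc4(key, packet[4:])


def is_hello(tcp_payload: bytes) -> bool:
    """Detection helper: the very first client packet is the bare 4-byte magic,
    sent before any key exists, so it is the one cleartext thing to match on."""
    return tcp_payload == HELLO_BYTES


class FakeC2:
    """Server side of the exchange, kept in memory for the example."""

    def __init__(self, config_flags):
        self.key = os.urandom(256)          # step 2: 256-byte RC4 key
        self.config_flags = config_flags
        self.guid = None
        self.records = []                   # (tag, data) pairs as they arrive

    def on_hello(self, pkt: bytes) -> bytes:
        if not is_hello(pkt):
            raise ValueError("bad hello")
        return self.key

    def on_guid(self, pkt: bytes) -> bytes:
        plain = unframe(self.key, pkt)
        (n,) = struct.unpack("<I", plain[:4])   # step 4 layout (length + GUID) is ASSUMED
        self.guid = plain[4:4 + n].decode()
        # step 6: one byte per feature, 1 = enabled, 0 = disabled
        cfg = bytes(1 if self.config_flags.get(f) else 0 for f in FEATURES)
        return frame(self.key, cfg)

    def on_record(self, pkt: bytes) -> None:
        plain = unframe(self.key, pkt)
        self.records.append((plain[0], plain[1:]))   # step 7: tag byte + stolen data


def run_client(c2: FakeC2, machine_guid: str, collectors: dict) -> bytes:
    key = c2.on_hello(HELLO_BYTES)                                   # steps 1-2
    guid_b = machine_guid.encode()
    cfg_pkt = c2.on_guid(frame(key, struct.pack("<I", len(guid_b)) + guid_b))  # steps 3-4
    cfg = unframe(key, cfg_pkt)
    for flag, name in zip(cfg, FEATURES):
        if flag == 1:                      # step 8: collect one item, send it straight away
            c2.on_record(frame(key, bytes([TAGS[name]]) + collectors[name]()))
    return cfg


def run_exchange(machine_guid: str, config_flags: dict) -> dict:
    # Constructed stand-ins for the real collectors; nothing is read from the host.
    collectors = {
        "credentials": lambda: b"user:pass",
        "screenshot": lambda: b"\x89PNG-placeholder",
        "wallets": lambda: b"wallet.dat-placeholder",
    }
    c2 = FakeC2(config_flags)
    cfg = run_client(c2, machine_guid, collectors)
    return {"guid": c2.guid, "config": cfg, "records": c2.records}


if __name__ == "__main__":
    # On a real host the GUID would come from HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid;
    # this value is constructed for the example.
    print(run_exchange("12345678-1234-1234-1234-123456789abc", {"credentials": True, "wallets": True}))
```

Because the key is delivered in cleartext in step 2, anyone holding a packet capture of the full session can decrypt everything that follows with the `unframe` routine above; the RC4 layer hides the traffic from casual inspection, not from an analyst with the capture.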