Mystic Stealer: malware with developer support and user feedback.
By Jason Cole, CyberWire staff writer.
Jun 20, 2023

Mystic Stealer, a currently active malware strain, is a stealthy info stealer with robust developer support and community feedback.

Mystic Stealer is a new info stealer gaining traction in the cyber threat landscape.

A C2C feedback loop.

As researchers at Cyfirma explain, “The stealer was made available for testing to well-known veterans within the forum, who verified its effectiveness and provided valuable feedback for further enhancements. The threat actors diligently incorporated these recommendations into the stealer, resulting in ongoing updates and improvements. Consequently, Mystic Stealer has begun to establish a stronger foothold in the threat landscape, as evidenced by the rising number of command and control (C2) panels observed in the wild.” 

Mystic Stealer’s unknown developers assist with the installation process on the customer’s Linux server and then hand over complete control of the command-and-control panel. One of the more dangerous aspects of Mystic Stealer is the community feedback from customers. This allows the developers to make the tool more effective and efficient. Researchers at Zscaler report that, “Key data theft functionality includes the ability to capture history and auto-fill data, bookmarks, cookies, and stored credentials from nearly 40 different web browsers. In addition, it collects Steam and Telegram credentials as well as data related to installed cryptocurrency wallets. The malware targets more than 70 web browser extensions for cryptocurrency theft and uses the same functionality to target two-factor authentication (2FA) applications.”

Mystic Stealer’s security evasion functions. 

Zscaler also reports that Mystic Stealer comes with binary expiration that allows it to terminate operation “if the running build is older than a specified date.” This feature is probably intended to prevent researchers from analyzing the malware after it has been employed against a victim for a set time. 

Mystic Stealer also includes an anti-virtualization function which prevents it from running in a virtual machine sandbox environment. The developers of Mystic Stealer also incorporated polymorphic string obfuscation. “The obfuscator generates code at compile time that builds strings on the stack, which are then decrypted at runtime,” Zscaler says. The researchers add, “The obfuscation is polymorphic, and therefore, every sample will contain strings that are uniquely encrypted with simple mathematical operations such as addition, subtraction, and XOR. As a result, this technique may bypass static antivirus signatures and complicate malware reverse engineering. The Mystic Stealer seller refers to this obfuscation as a ‘morpher’ that obfuscates builds with full undetectability (FUD) in sales threads. In one forum, the seller advertised that the project's morpher enabled the bypass of SmartScreen, which members identified as a dubious claim based on the operation of obfuscators and SmartScreen. Some forum users suspected the use of an open-source obfuscator. This ended up as a point of contention in the forum, lowering the perception and trust of the project with some users.” Finally, Mystic Stealer communicates over an encrypted custom binary protocol and computes constants dynamically at runtime, which further increases its stealth and evasion capabilities.
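For an analyst, the practical consequence of the stack-string obfuscation described above is that string-based signatures fail and the strings have to be recovered from each build. The following is an added example written for this article, not code from Zscaler or from the malware: a small triage helper that (a) replays a per-byte add/sub/XOR recipe once it has been read out of the decompiled decryption routine, and (b) brute-forces the single-key case where one operation and key cover a whole string. The byte samples, recipe and the `"\\Login Data"` / `"Web Data"` plaintexts are constructed inside the file for the demo and are not taken from a real sample.

```python
"""Analyst helper for triaging simple polymorphic string obfuscation.
Added example for this article; it is not Zscaler's or the malware's code.
The sample byte strings below are constructed inside this file for the demo
and are not bytes from a real Mystic Stealer build."""

import string

# Characters we expect in recovered strings (paths, file names, hostnames).
ALLOWED = set((string.ascii_letters + string.digits + " \\/:._-").encode())

Op = tuple[str, int]  # ("xor" | "add" | "sub", single-byte key)


def apply_op(value: int, op: Op) -> int:
    """Apply one runtime decryption step to a single byte (mod 256)."""
    kind, key = op
    if kind == "xor":
        return value ^ key
    if kind == "add":
        return (value + key) & 0xFF
    if kind == "sub":
        return (value - key) & 0xFF
    raise ValueError(f"unknown op {kind!r}")


def invert_op(op: Op) -> Op:
    """Inverse of a step; used only to build the constructed sample below."""
    kind, key = op
    return {"xor": ("xor", key), "add": ("sub", key), "sub": ("add", key)}[kind]


def replay(blob: bytes, recipe: list[Op]) -> bytes:
    """Replay a per-byte recipe read from the decompiled stack-string routine.
    recipe[i] is the operation the binary applies to byte i at runtime."""
    if len(recipe) != len(blob):
        raise ValueError("recipe must have exactly one op per byte")
    return bytes(apply_op(b, op) for b, op in zip(blob, recipe))


def brute_force(blob: bytes, min_len: int = 6) -> list[tuple[str, int, str]]:
    """For builds that reuse one key and one operation for a whole string,
    try every single-byte key with each operation and keep decodings that
    consist only of characters plausible for a path or host name."""
    hits = []
    for kind in ("xor", "add", "sub"):
        for key in range(1, 256):
            out = bytes(apply_op(b, (kind, key)) for b in blob)
            if len(out) >= min_len and all(c in ALLOWED for c in out):
                hits.append((kind, key, out.decode("ascii")))
    return hits


# --- constructed samples (built here for the demo, not real malware bytes) ---
UNIFORM_SAMPLE = bytes(c ^ 0x5A for c in b"\\Login Data")

# One (op, key) per byte, as an analyst would transcribe from the disassembly.
PER_BYTE_RECIPE: list[Op] = [
    ("xor", 0x11), ("add", 0x07), ("sub", 0x03), ("xor", 0x2C),
    ("add", 0x19), ("sub", 0x41), ("xor", 0x7E), ("add", 0x02),
]
PER_BYTE_SAMPLE = bytes(
    apply_op(c, invert_op(op)) for c, op in zip(b"Web Data", PER_BYTE_RECIPE)
)

if __name__ == "__main__":
    print("brute-force candidates:", brute_force(UNIFORM_SAMPLE))
    print("replayed recipe:", replay(PER_BYTE_SAMPLE, PER_BYTE_RECIPE))
```

The brute-force path deliberately filters on a narrow character set rather than on "printable", because add/sub shifts of ASCII text often stay printable and would otherwise flood the output with near-misses; widen `ALLOWED` only when the strings you expect (URLs with query strings, for instance) need it. Once the per-sample strings are recovered, they are the material for a detection that does not depend on the obfuscated bytes, such as a rule on the decrypted artefacts or on the runtime behaviour the strings point at.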

Mystic Stealer isn’t ransomware, but it exhibits some features recently seen in ransomware. 

Erich Kron, a Security Awareness Advocate with KnowBe4, writes, “The strain of malware appears to be focused on stealth, combining a memory-resident approach to keep antivirus programs from spotting data when it is written to the hard drive, code manipulation to hide from countermeasures looking for certain code, and by using system calls to carry out its activity while camouflaging its actions within typical system behavior. Although this is not ransomware, recent attacks by the Clop gang, where the data is being ransomed without encrypting the victim computers, have shown just how valuable the information itself can be. Organizations that deal with sensitive information or cryptocurrency should be aware that they could be prime targets for malware such as this. Defending against these types of advanced malware threats is difficult due to their stealthy nature. Stopping the initial network intrusion, which is often accomplished through simple email phishing, is a key defense. A well-designed security awareness program can help users spot and report phishing attempts quickly and can help them understand the need for unique and complex passwords and multi-factor authentication to secure accounts. Unfortunately, once network access is achieved, it is hard to spot. Therefore, it is important to ensure that sensitive data is secured well, with permissions limited to those that absolutely require it, and ensure data access is monitored for unusual activity.”