Mystic Stealer found

Mystic Stealer New Malware Discovered

Mystic Stealer is a dangerous new malware that infiltrates systems to steal sensitive information like passwords and financial data. It spreads through phishing emails and malicious downloads, posing a significant threat to cybersecurity. Stay vigilant and protect your devices against this emerging threat.

Recently advertised at $150 per month starting from April 25, 2023, this malware goes beyond traditional targets. It specifically aims at cryptocurrency wallets, Steam, and Telegram, while employing advanced techniques to evade analysis. In an analysis published last week, researchers from InQuest and Zscaler highlighted the malware’s heavy obfuscation of code through polymorphic string obfuscation, hash-based import resolution, and runtime calculation of constants.

Mystic Stealer, a data-stealing malware, is implemented in the C programming language and has a Python-based control panel. Recent updates in May 2023 have introduced a loader component, enabling it to execute next-stage payloads fetched from a command-and-control server.

It utilizes a custom binary protocol over TCP for communication, with approximately 50 operational C2 servers identified so far. The control panel serves as an interface for buyers, allowing access to data logs and configurations. Cybersecurity firm Cyfirma noted the author’s active engagement with the cybercriminal community, seeking suggestions for further enhancements through a dedicated Telegram channel, the report said.

The researchers observed that the developer of Mystic Stealer aims to create a malware solution that aligns with current trends in the malware landscape. Their focus lies on implementing anti-analysis and defense evasion techniques to enhance its effectiveness.

Infostealers have become highly sought-after in the underground economy because they enable cybercriminals to gather credentials and gain initial access to target systems. These stealers serve as a foundation for financially motivated campaigns involving ransomware and data extortion. Their popularity has surged: they are affordable, and they keep evolving with advanced techniques to evade detection.

Image: The Hacker News

How it works

According to security researcher Jack Royer, users often encounter this malware when they download illegal content like movies (Cocaine Bear.vbs), video games, or others. These websites deceive victims into running a malicious VBScript on their computers, which triggers the infection process.

The executed VBScript triggers PowerShell code that closes all open Chrome windows and initiates a new session with an unpacked rogue extension using the “--load-extension” command line argument.
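A defender-side check for the launch pattern described above, added here as an example (it is not code from the article or from the researchers it cites): it scans constructed Sysmon-style process-creation records and flags chrome.exe started with --load-extension, rating the finding high when the parent is a script host such as powershell.exe or wscript.exe. Event field names and sample paths are assumptions.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\victim\Downloads\Cocaine Bear.vbs"'},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\victim\AppData\Local\Temp\ext"'},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=C:\dev\my-extension'},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
]

# Script hosts and shells that should not normally be launching the browser.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}
# Matches --load-extension=<path> or --load-extension <path>, quoted or not.
LOAD_EXT = re.compile(r'--load-extension(?:=|\s+)("([^"]+)"|(\S+))', re.IGNORECASE)


@dataclass
class Finding:
    severity: str
    parent: str
    extension_path: str


def extension_path(cmdline: str):
    """Return the unpacked-extension path passed on the command line, or None."""
    m = LOAD_EXT.search(cmdline)
    return (m.group(2) or m.group(3)) if m else None


def assess(event: dict):
    if PureWindowsPath(event["Image"]).name.lower() != "chrome.exe":
        return None
    path = extension_path(event["CommandLine"])
    if path is None:
        return None
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    # A script host loading an unpacked extension matches the VBScript -> PowerShell chain;
    # a developer sideloading from explorer.exe is a weaker signal that still merits review.
    return Finding("high" if parent in SCRIPT_HOSTS else "low", parent, path)


def scan(events):
    return [f for f in (assess(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```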

In addition, a new modular malware trojan called Pikabot has been discovered. It has the capability to execute arbitrary commands and inject payloads provided by a C2 server, such as Cobalt Strike. Active since early 2023, Pikabot shares similarities with QBot in terms of distribution methods, campaigns, and malware behaviors, although there is no conclusive evidence linking the two families.

Pikabot, a recently discovered malware family, utilizes various anti-analysis techniques and provides common backdoor capabilities. These capabilities enable Pikabot to load shellcode and execute arbitrary second-stage binaries, Zscaler said.
