Since April 2023, a brand-new information-stealing malware known as “Mystic Stealer” has been advertised on hacking forums and darknet markets, swiftly gaining popularity among cybercriminals.
The spyware, which can be rented for $150 per month, targets 40 online browsers, 70 browser extensions, 21 cryptocurrency applications, 9 MFA and password management applications, 55 cryptocurrency browser extensions, Steam and Telegram credentials, and more.
The advent of the new virus, its sophistication, and what appears to be an increase in sales that puts many new campaigns online are all mentioned in reports on Mystic Stealer that were almost simultaneously released.
Rise of the Mystic Stealer
The project was actively being developed as Mystic Stealer released version 1.0 in late April 2023 and quickly scaled up to version 1.2 around the end of May. On various hacker forums, such as the BHF, WWH-Club, and XSS, the seller advertised the new virus and offered to rent it to interested parties for a reasonable membership fee of $150 per month or $390 each quarter.
Release schedule(Cyfirma)
Additionally, the project runs a Telegram channel called “Mystic Stealer News” where users may discuss feature requests, updates on development, and other pertinent issues. The developer of the new malware reportedly welcomes suggestions for Mystic’s improvement from seasoned members of the underground hacking community and accepts input from them.
Promotion of Mystic Stealer on a hacker forum(Cyfirma)
Even though the malware is still in its early stages of development, Experts in the field have confirmed its effectiveness and affirmed that it is a formidable information stealer.
Technical information
Mystic Stealer supports both 32-bit and 64-bit OS architectures and is compatible with all Windows versions, from XP to 11. The malware functions in memory to evade detection from anti-virus programmes and leaves a small digital trace on infected devices because it does not require any dependencies.
Additionally, Mystic runs a number of anti-virtualization checks, such as looking at the CPUID information to make sure it isn’t being executed in sandboxed settings. The Commonwealth of Independent States (CIS), once known as the Soviet Union, has been included as an exclusion by the creator of Mystic, which may reveal where the new malware came from.
Page for builders on Mystic’s panel(Cyfirma)
A further constraint imposed by the malware’s developer is that it can not run builds that are older than a given date. This restriction may have been established to limit the malware’s exposure to security researchers.
The malware’s creator implemented a loader feature that made it possible for Mystic to retrieve more payloads from the C2 server as of May 20, 2023. All data stolen is transferred straight to the server without being first stored on the disc, and all contact with the C2 is encrypted over TCP using a unique binary protocol.
This strategy is unique for info-stealer malware, but it aids Mystic in avoiding discovery. The C2 endpoints are encrypted with a modified XTEA-based method, and the operator can set up to four of them for resilience.
Install NPAV on your systems to ensure best-in-class security against malware and ransomware attacks. Use NPAV and join us on a mission to secure the cyber world.