
Mystic Stealer - the new emerging cyberthreat

Sophisticated malware for rent on hacking forums and the darknet, with worrying impact on browsers, cryptocurrencies and password managers

This pill is also available in Italian.

Since April 2023, an emerging malware called Mystic Stealer has been spreading rapidly through the cybercriminal community. It is offered for rent for $150 a month on darknet hidden markets and hacking forums. It targets 40 web browsers, 70 browser extensions, 21 cryptocurrency applications, 9 password manager and multi-factor authentication applications, 55 cryptocurrency browser extensions, Steam and Telegram credentials, and more. Zscaler and Cyfirma have each released a report on Mystic Stealer, warning of the sophistication of the new malware and the rapid growth of its sales, which is leading to a proliferation of new online campaigns.

The rapid rise and evolution of the Mystic Stealer

Mystic Stealer debuted as version 1.0 in late April 2023 and had already reached version 1.2 by the end of May, a sign of active development. The vendor advertised the malware on several hacking forums, including WWH-Club, BHF and XSS, renting it to interested parties for a competitive price of $150 a month or $390 a quarter. The project also maintains a Telegram channel (Mystic Stealer News) where development news, feature requests and other related topics are discussed. The creator of the malware is reportedly open to feedback and suggestions from the underground hacking community in order to further refine Mystic Stealer. Despite the early stage of development, industry veterans have confirmed the effectiveness of the malware.

Technical details and features of Mystic Stealer

Mystic Stealer runs on every version of Windows from XP to 11, on both 32-bit and 64-bit architectures. The malware has no external dependencies, so it leaves a minimal footprint on infected systems, and it operates in memory to evade detection by antivirus products. It also performs several anti-virtualization checks, such as inspecting CPUID details, to make sure it is not running in a sandboxed environment. As of May 20, 2023, the malware author has added an upload functionality ("uploader") that allows Mystic to fetch additional payloads from the C2 server. All communication with the C2 is encrypted using a custom binary protocol over TCP, and stolen data is sent directly to the server without first being written to disk.

Mystic Stealer theft skills and security tips

On first run, Mystic gathers OS and hardware information, takes a screenshot and sends this data to the attacker's C2 server. Depending on the instructions it receives, the malware can then target specific data stored in web browsers and other applications, including popular browsers, password managers and cryptocurrency wallet applications. While the future of Mystic Stealer is still under discussion, its emergence poses a high risk to users and organizations. The recent addition of an uploader may allow Mystic operators to deploy ransomware on compromised computers, so caution is advised when downloading software from the Internet.


06/19/2023 08:29

Marco Verro
