uTalk

thrive

Member

Registered: 2023-01-04

Posts: 2,018

Mystic Stealer malware is designed to target 40 web browsers & 70 brow

Over 70 web browser extensions and 40 different web browsers have been found to be targets of the new data-stealing malware known as Mystic Stealer.

The malware, which was initially advertised on April 25, 2023, for $150 a month, targets Steam, Telegram, cryptocurrency wallets, and other services.
It also has a number of sophisticated defense mechanisms.

In an analysis released last week, researchers from InQuest and Zscaler noted that the code was heavily obfuscated using polymorphic string obfuscation, hash-based import resolution, and runtime constant calculation.

Mystic Stealer, like many other crimeware products for sale, focuses on data theft and is created using the C programming language. Python was used in the creation of the control panel.

The malware will receive updates in May 2023 that include a loader component that enables it to fetch and execute next-stage payloads from a command-and-control (C2) server, making it a more dangerous threat.

An individual binary protocol over TCP is utilized for C2 communications. The number of C2 servers that are currently in operation may reach 50. Customers of the stealer can access data logs and other configurations through the control panel, which acts as an interface.

Cybersecurity company Cyfirma, which published a concurrent analysis of Mystic, stated that "the author of the product openly invites suggestions for additional improvements in the stealer" through a dedicated Telegram channel, indicating active efforts to court the cybercriminal community.

The developers of Mystic Stealer "seem to be looking to produce a stealer on par with the current trends of the malware space while trying to focus on anti-analysis and defense evasion," according to the researchers.

The findings come as infostealers have become a sought-after item in the black market, frequently acting as the precursor by making it easier to gather credentials to grant initial access into target environments.

To put it another way, thieves serve as a base for other cybercriminals to launch financially driven campaigns that include ransomware and data extortion components.

Despite their increased popularity, commercially available stealer malware is becoming more lethal and incorporates cutting-edge tactics to evade detection in addition to being marketed at low prices to appeal to a wider audience.

mystical thief.

The steady introduction of new strains like Album Stealer, Bandit Stealer, Devopt, Fractureiser, and Rhadamanthys in recent months best exemplifies the stealer world's dynamic and ever-evolving nature.

Information thieves and remote access trojans have been seen concealed inside crypters like AceCryptor, ScrubCrypt (also known as BatCloak), and Snip3, which is another indication of threat actors' efforts to avoid detection.

The development also comes after HP Wolf Security revealed a March 2023 ChromeLoader campaign code-named Shampoo that is designed to install a malicious extension in Google Chrome and steal sensitive data, redirect searches, and inject ads into a victim's browser session.

Users primarily came into contact with the malware through the download of illegal media, such as Cocaine Bear movies. video game software (vbs), or something else," security expert Jack Royer said. These websites con people into running malicious VBScripts on their computers, which starts the infection chain. ".

The PowerShell code that the VBScript launches next uses the "--load-extension" command line argument to open a new Chrome session with the unpacked malicious extension while also closing any open Chrome windows that were previously running.

Additionally, it comes after the identification of the Pikabot malware trojan, a new type of modular malware that can inject payloads from C2 servers like Cobalt Strike and execute arbitrary commands.

Although there is no concrete evidence linking the two families, the implant, which has been active since the beginning of 2023, has been found to resemble QBot in terms of distribution strategies, marketing efforts, and malware behaviors.

According to Zscaler, "Pikabot is a new malware family that employs a broad range of anti-analysis techniques and offers common backdoor capabilities to load shellcode and execute arbitrary second-stage binaries.".