Notorious Mystic Stealer Attacks 40 Web Browsers & 70 Extensions to Steal Login Credentials

by Esmeralda McKenzie

Mystic Stealer Attacks 40 Web Browsers

A brand-new information stealer named Mystic Stealer appeared in April 2023; nearly 40 web browsers and more than 70 browser extensions have had their credentials stolen by Mystic.

This malware also targets Steam, Telegram, and cryptocurrency wallets. Furthermore, Mystic implements a proprietary RC4-encrypted binary protocol.

Notably, the code is heavily obfuscated using polymorphic string obfuscation, hash-based import resolution, and runtime constant computation.
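The hash-based import resolution mentioned above is what analysts reverse when they build a hash-to-name table for the APIs a sample calls. The following is an added example of that analyst-side resolver; it is not code from Mystic Stealer or from the Zscaler/InQuest analysis. The page does not name the hash routine the stealer uses, so the ROR-13 hash below is an assumption (a widely used API-hashing scheme), and the export names are a constructed sample rather than anything taken from the page.

```python
"""Analyst-side resolver for hash-based import resolution.

Added example, not code from Mystic Stealer or from the published analysis.
The hash routine (ROR-13) is an ASSUMPTION: the page says imports are resolved
by hash but does not say which hash. Replace ror13_hash() with the routine
recovered from a sample and the rest of the tooling stays the same."""

from typing import Dict, Iterable, List, Optional


def ror13_hash(name: str) -> int:
    """32-bit rotate-right-13 hash over the ASCII bytes of an export name."""
    h = 0
    for byte in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # rotate right by 13
        h = (h + byte) & 0xFFFFFFFF
    return h


def build_lookup(export_names: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> name for every export the analyst wants to recognise.

    A collision between two different names would make resolution ambiguous,
    so it is reported instead of silently overwriting the earlier entry."""
    table: Dict[int, str] = {}
    for name in export_names:
        h = ror13_hash(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {name!r} vs {table[h]!r}")
        table[h] = name
    return table


def resolve_hashes(hashes: Iterable[int], table: Dict[int, str]) -> List[Optional[str]]:
    """Map each hash pulled from a sample back to a readable API name.

    Unknown hashes resolve to None so the analyst can see what the table
    still lacks (for example, exports from a DLL not yet loaded into it)."""
    return [table.get(h & 0xFFFFFFFF) for h in hashes]


# Constructed sample: a handful of Win32 export names (file, registry and
# socket APIs). A real table would be built from each DLL's export directory.
SAMPLE_EXPORTS = ["CreateFileW", "ReadFile", "RegOpenKeyExW", "WSAStartup", "connect", "send"]


if __name__ == "__main__":
    table = build_lookup(SAMPLE_EXPORTS)
    # Constructed "hashes observed in a sample": two known, one unknown.
    observed = [ror13_hash("CreateFileW"), ror13_hash("send"), 0xDEADBEEF]
    for h, name in zip(observed, resolve_hashes(observed, table)):
        print(f"{h:08x} -> {name}")
```

The table is the defender's advantage: hashing is cheap for the analyst to precompute across every export of the common system DLLs, so once the routine is recovered from one sample, every hash constant in the binary becomes a readable import again.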

How Mystic Stealer Works

Together, Zscaler and InQuest provided an in-depth technical analysis of the malware. Mystic Stealer specializes in data theft and can steal a wide range of data.

It is designed to collect system data such as the device hostname, user name, and GUID.

Furthermore, it determines the likely geolocation of the device user from the locale and keyboard layout. Key data can also be extracted from cryptocurrency wallets and web browsers using Mystic Stealer's functionalities.

It gathers data on cryptocurrency wallets, browser history, arbitrary files, cookies, and auto-fill data.

Mystic Stealer is equipped to handle any major cryptocurrency wallet, including Bitcoin, DashCore, Exodus, and more. Mystic can also steal Steam and Telegram login data.

To decrypt or decode target credentials, the stealer does not require the integration of third-party libraries.

“Mystic Stealer collects and exfiltrates data from an infected system and then sends the information to the command & control (C2) server that handles parsing”, researchers said.

List Of System Data Gathered By The Malware

  • Keyboard layout
  • Locale
  • CPU data
  • Number of CPU processors
  • Screen dimensions
  • Computer name
  • Username
  • Running processes
  • System architecture
  • Operating system version

The researchers found that the malware targets over 70 web browser extensions for cryptocurrency theft and employs the same capabilities to target two-factor authentication (2FA) services.

Mystic Stealer seller posted updates with loader functionality and persistence capability to forums

The ability to download and execute new malware payloads is called a loader.

This reflects a continuing trend whereby loaders enable one threat actor to sell the distribution of affiliate malware on compromised devices.

Further, the constant values in the code are obfuscated and computed dynamically at runtime.

Example of Mystic Stealer constant obfuscation technique

Mystic Stealer uses a custom binary protocol over TCP to communicate with its command and control (C2) servers.

Mystic Stealer Decryption Code
A Python-based implementation of the decryption algorithm for Mystic C2
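The decryptor the caption refers to is not reproduced on this page. What follows is an added example of the RC4 primitive an analyst would start from when examining captured C2 traffic from a stealer that, as the article states, wraps its protocol in RC4; it is not Mystic Stealer's code and not the Zscaler/InQuest decryptor. The page does not describe the key or the record framing, so the demo key and the beacon record below are constructed for the example, and the built-in check uses a published RC4 test vector rather than anything from the page.

```python
"""RC4 decryption helper for an analyst examining captured C2 traffic.

Added example; not Mystic Stealer's own code and not the decryptor the
article's caption refers to. The page only states that the C2 protocol is
RC4-encrypted: DEMO_KEY and the record layout are CONSTRUCTED for this demo,
and the real protocol framing is not described on the page."""

from typing import Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Standard RC4: key scheduling (KSA) followed by the keystream generator (PRGA)."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):  # KSA: permute the state with the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:  # PRGA: one keystream byte per iteration
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is a symmetric stream cipher: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def decrypt_record(key: bytes, blob: bytes) -> str:
    """Decrypt one captured record and decode it as UTF-8.

    Undecodable bytes are replaced rather than raised, so a wrong key shows up
    as visible garbage in the output instead of an exception."""
    return rc4_crypt(key, blob).decode("utf-8", errors="replace")


def self_test() -> bool:
    """Check the primitive against a published RC4 test vector before trusting it on real captures."""
    return rc4_crypt(b"Key", b"Plaintext") == bytes.fromhex("BBF316E8D940AF0AD3")


# Constructed capture: a fake beacon encrypted under a constructed key. Neither
# the key nor the field layout is taken from the page.
DEMO_KEY = b"demo-key-not-real"
DEMO_PLAINTEXT = b"hostname=WORKSTATION-01;user=analyst;locale=en-US"
DEMO_RECORD = rc4_crypt(DEMO_KEY, DEMO_PLAINTEXT)


if __name__ == "__main__":
    print("self-test passed:", self_test())
    print("decrypted:", decrypt_record(DEMO_KEY, DEMO_RECORD))
    print("wrong key :", decrypt_record(b"wrong", DEMO_RECORD)[:24], "...")
```

Because RC4 has no integrity check, a wrong key does not fail loudly; the self-test and the readable-output check are what tell an analyst the recovered key is right. The note at the top of the block is the part that must not be forgotten: the key and framing here are placeholders, and the real ones have to be recovered from a sample.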

The stealer has been associated with many server-hosting IP addresses in a wide range of countries, including but not limited to registrations in France, Germany, Russia, the USA, and China.

Furthermore, researchers note that some servers are located in the web hosting regions of Latvia, Bulgaria, and Russia.

Since Mystic Stealer is a new player, it is difficult to forecast its future. However, it is a sophisticated threat with the potential to cause significant damage.

Source credit : cybersecuritynews.com
