Mint Stealer is a Python-based infostealer that covertly harvests sensitive information from infected machines, primarily browser credentials, and is marketed on underground forums by Artem, who runs a bulletproof hosting service. The article covers its modus operandi, history, and the threat actor behind it, including Cash Hosting and related services, with notes on potential discontinuation. #MintStealer #Artem
Keypoints
- Mint Stealer is a low-profile Python-based infostealer.
- It targets credentials from Chromium-based browsers (Chrome, Brave, Yandex), Gecko-based (Firefox, Waterfox), Opera, and related data (passwords, cookies, autofills, credit cards, history, downloads, bookmarks).
- Distributed via phishing and promoted on underground markets, sold for roughly $20 per week and advertised as fully undetectable (FUD).
- Threat actor behind Mint Stealer is Artem, who runs Cash Hosting and related offensive services (Cashout, Cash Ransomware, Cash RAT, Amail Hosting).
- Mint Stealer has active timelines in 2023 and 2024, with multiple domains and infrastructure changes observed.
- The operation includes a built-in C2 and a log-sharing/marketing ecosystem used to attract new customers.
- In July 2024, announcements suggested that the CashOut/Mint Stealer services were being discontinued, with a possible revamp later.
MITRE Techniques
- [T1003] OS Credential Dumping: steals credentials from browsers and applications. (In current ATT&CK, browser credential theft maps more precisely to T1555.003, Credentials from Web Browsers.)
- [T1071] Application Layer Protocol: uses the built-in C2 channel for data exfiltration.
- [T1566] Phishing: disguised as legitimate files to lure victims into running it.
- [T1022] Data Encrypted: encrypts harvested data before exfiltration. (T1022 is deprecated in ATT&CK; its content was merged into T1560, Archive Collected Data.)
Indicators of Compromise
- [Hash] Mint Stealer MD5 hashes: e6e620e5cac01f73d0243dc9cf684193, afefdbd2bf7a6a622eaf09ab4a1adb3b, plus at least six more listed in the article
- [IP] High-confidence IP list: 94.156.79.162, 109.236.93.59, and others listed in the article
- [Domain] Mint Stealer domains: mint-stealer.top, mint-c2.top, mint-stl.ru
- [File] Common filenames used: Update.exe, vadimloader.exe, vadimloader
- [Email] Two operator contact emails (addresses not preserved in this extract; see the linked article)
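As a worked triage example added here (not code from the article or from the Mint Stealer operator), the script below matches the IOCs listed above against constructed sample telemetry. The hashes, IPs, domains and filenames are the ones from the list; the key=value event format, the sample lines, and all function names are assumptions made for illustration. Domain matching is done on whole labels, so api.mint-stl.ru is a hit while mint-stl.ru.example.net is not, and filename hits are tagged lower confidence because Update.exe is also a common legitimate name.

```python
from __future__ import annotations

from dataclasses import dataclass

# Indicators copied from the article's IOC list (hashes lower-cased for comparison).
MINT_MD5 = {"e6e620e5cac01f73d0243dc9cf684193", "afefdbd2bf7a6a622eaf09ab4a1adb3b"}
MINT_IPS = {"94.156.79.162", "109.236.93.59"}
MINT_DOMAINS = {"mint-stealer.top", "mint-c2.top", "mint-stl.ru"}
MINT_FILENAMES = {"update.exe", "vadimloader.exe", "vadimloader"}

# Hash, IP and domain hits stand on their own; a filename hit alone is weak,
# because Update.exe is also a common legitimate name.
HIGH_CONFIDENCE = {"hash", "ip", "domain"}

# Constructed sample telemetry (assumed format, not real logs): one event per
# line, space-separated key=value pairs, paths without spaces.
SAMPLE_EVENTS = """\
ts=2024-03-01T10:02:11Z type=process image=C:\\Users\\alice\\AppData\\Local\\Temp\\Update.exe md5=E6E620E5CAC01F73D0243DC9CF684193 parent=outlook.exe
ts=2024-03-01T10:02:13Z type=dns query=mint-c2.top answer=94.156.79.162
ts=2024-03-01T10:02:14Z type=network image=C:\\Users\\alice\\AppData\\Local\\Temp\\Update.exe dst=94.156.79.162 dport=443
ts=2024-03-01T10:05:00Z type=process image=C:\\Users\\alice\\AppData\\Local\\Mozilla\\updater.exe md5=0123456789abcdef0123456789abcdef parent=firefox.exe
ts=2024-03-01T10:06:30Z type=dns query=www.mint-stl.ru.example.net answer=10.0.0.5
ts=2024-03-01T10:07:00Z type=dns query=api.mint-stl.ru. answer=109.236.93.59
"""


@dataclass
class Hit:
    ts: str
    ioc_type: str    # "hash", "ip", "domain" or "filename"
    indicator: str   # the IOC value that matched
    event: str       # raw event line, kept for triage


def parse_event(line: str) -> dict[str, str]:
    """Split 'k=v k=v ...' into a dict (toy format: values contain no spaces)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def domain_matches(name: str, bad_domains: set[str]) -> str | None:
    """Return the IOC domain that `name` equals or is a subdomain of, else None.

    Matching is done on whole labels, so mint-stl.ru.example.net is not a hit
    even though it contains an IOC as a substring.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in bad_domains:
            return candidate
    return None


def basename(path: str) -> str:
    """Last path component, lower-cased; accepts Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def scan_events(text: str) -> list[Hit]:
    """Match every event line against the Mint Stealer IOC sets."""
    hits: list[Hit] = []
    for line in text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        ts = ev.get("ts", "?")
        md5 = ev.get("md5", "").lower()
        if md5 in MINT_MD5:
            hits.append(Hit(ts, "hash", md5, line))
        if "image" in ev and basename(ev["image"]) in MINT_FILENAMES:
            hits.append(Hit(ts, "filename", basename(ev["image"]), line))
        if "query" in ev:
            matched = domain_matches(ev["query"], MINT_DOMAINS)
            if matched:
                hits.append(Hit(ts, "domain", matched, line))
        for key in ("answer", "dst"):  # resolved address or connection target
            if ev.get(key) in MINT_IPS:
                hits.append(Hit(ts, "ip", ev[key], line))
    return hits


def summarize(hits: list[Hit]) -> dict[str, int]:
    """Count hits per IOC type plus the number that stand on their own."""
    counts = {t: 0 for t in ("hash", "ip", "domain", "filename")}
    for h in hits:
        counts[h.ioc_type] += 1
    counts["high_confidence"] = sum(counts[t] for t in HIGH_CONFIDENCE)
    return counts


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for h in found:
        flag = "HIGH" if h.ioc_type in HIGH_CONFIDENCE else "low "
        print(f"{flag} {h.ts} {h.ioc_type:8} {h.indicator}")
    print(summarize(found))
```

On the sample above the scan yields eight hits: the hash and Update.exe on the first process event, the C2 domain and its resolved IP, the outbound connection to the same IP, and the api.mint-stl.ru lookup with its answer. The www.mint-stl.ru.example.net lookup is correctly ignored. In a real deployment the filename set should only raise severity when it co-occurs with a hash, IP or domain hit from the same host.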
Read more: https://medium.com/coinmonks/mint-stealer-running-by-a-bulletproof-hoster-0983df47a411