Cyble – Mitsu Stealer Distributed Via AnyDesk Phishing Site

A phishing site impersonating AnyDesk delivered a stealer named Mitsu Stealer by tricking victims into downloading a malicious Anydesk.exe. The malware exfiltrates browser credentials, wallet data, and Discord tokens via a Discord webhook and even attempts to replace Discord’s index.js to load further malicious code. Hashtags: #MitsuStealer #AnyDesk #Discord #DiscordWebhook #Phishing #GitHub #BetterDiscord

Keypoints

  • The phishing site at anydesk.ml impersonates the genuine AnyDesk site, luring users to click the Downloads button to get malware.
  • The downloaded Anydesk.exe is Mitsu Stealer, reportedly based on Python code from a GitHub repository and compiled into a 64-bit Windows executable.
  • The malware drops supporting files (.pyd and .dll) in the %temp% folder and deletes them after execution.
  • It enumerates running processes and kills those related to network analysis tools to hinder detection before continuing infection.
  • It bypasses BetterDiscord by replacing the string “api/webhooks” with “MitsuTheGoat”.
  • The stealer collects browser credentials (cookies, usernames, passwords) from Chrome, Edge, Opera GX/Stable, and Firefox, and stores them in cookies.json and passwords.json in AppData.
  • Data from cryptocurrency wallets and other payments (Coinbase, Binance, PayPal) is gathered and sent to a Discord webhook, along with Discord tokens and related account details.
  • The malware replaces a Discord index.js file from a remote GitHub source and restarts Discord to load the malicious code, though the GitHub repo cited was not available.
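The keypoints above give a defender two host-side artifacts to hunt for: the hash of the malicious Anydesk.exe, and the strings the stealer leaves in Discord's JavaScript files (the “MitsuTheGoat” marker that replaces api/webhooks, and the raw.githubusercontent.com/mitsustlr/inject source of the swapped index.js). The script below is an added example, not Cyble's code; it builds a throwaway directory of constructed files (not real Discord files) and runs both hunts over it. The SHA256 and marker strings are taken from this summary; the directory layout and file contents are assumptions made for the demonstration.

```python
"""Hunt for Mitsu Stealer host artifacts described in the Cyble summary.

Added example, not Cyble's code. The sample directory and its files are
constructed for the demo; the hash and marker strings come from the report.
"""
import hashlib
import os
import tempfile

# SHA256 of the malicious Anydesk.exe reported by Cyble.
MITSU_SHA256 = "77e2b24779faccc8154b475893633c97d26316a3211a16757f4ddcfcb797098c"

# Strings the report says the stealer leaves in Discord's files: the marker
# that replaces "api/webhooks" and the remote source of the swapped index.js.
TAMPER_MARKERS = (
    b"MitsuTheGoat",
    b"raw.githubusercontent.com/mitsustlr/inject",
)


def sha256_file(path):
    """Stream a file through SHA256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_hashes(root, bad_hashes=frozenset({MITSU_SHA256})):
    """Return paths under root whose SHA256 is in the known-bad set."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if sha256_file(p) in bad_hashes:
                hits.append(p)
    return sorted(hits)


def hunt_discord_tampering(root):
    """Return (path, marker) pairs for .js files containing a tamper marker.

    The report says the stealer rewrites Discord's index.js and swaps the
    'api/webhooks' string, so a Discord .js file carrying either marker is
    a strong sign the client has been modified."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".js"):
                continue
            p = os.path.join(dirpath, name)
            with open(p, "rb") as f:
                data = f.read()
            for marker in TAMPER_MARKERS:
                if marker in data:
                    findings.append((p, marker.decode()))
    return sorted(findings)


def build_sample_tree():
    """Construct a throwaway directory (not real Discord files) to hunt in."""
    root = tempfile.mkdtemp(prefix="mitsu_hunt_")
    discord = os.path.join(root, "discord_desktop_core")  # assumed layout
    os.makedirs(discord)
    # A clean module that carries neither marker.
    with open(os.path.join(discord, "clean.js"), "wb") as f:
        f.write(b"module.exports = require('./core.asar');\n")
    # A tampered index.js of the kind the report describes (constructed).
    with open(os.path.join(discord, "index.js"), "wb") as f:
        f.write(b"// pulled from raw.githubusercontent.com/mitsustlr/inject/main/index.js\n"
                b"const hook = 'MitsuTheGoat';\n")
    # A file named like the lure whose hash does not match the IoC.
    with open(os.path.join(root, "Anydesk.exe"), "wb") as f:
        f.write(b"not the real sample")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print("hash hits:", hunt_hashes(sample_root))
    for path, marker in hunt_discord_tampering(sample_root):
        print("tampered:", path, "->", marker)
```

Run it against a real machine by pointing hunt_hashes at the user's Downloads and %temp% folders and hunt_discord_tampering at the Discord install directory; any .js finding should be treated as a modified client and the application reinstalled from a clean source.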

MITRE Techniques

  • [T1566] Phishing – The phishing site impersonates a genuine AnyDesk website to lure victims into downloading malware. Quote: ‘phishing sites are becoming an increasingly attractive target… impersonating a genuine AnyDesk website.’
  • [T1204] User Execution – The initial infection starts when the user clicks on the “Downloads” button. Quote: ‘The initial infection starts when the user clicks on the “Downloads” button’
  • [T1059] Command and Scripting Interpreter – The stealer was developed in Python and then converted into an executable file. Quote: ‘The stealer was developed in python and then converted into an executable file.’
  • [T1574] DLL Side-Loading – The malware drops Python supporting files (.pyd & .dll) in %temp% and uses them during execution. Quote: ‘drops the python supporting files (.pyd & .dll files)…’
  • [T1055] Process Injection – The malware enumerates running processes and kills those related to network analysis tools before infection. Quote: ‘the malware now enumerates the running processes… If found, it kills the process before starting the infection…’
  • [T1497] Virtualization/Sandbox Evasion – Bypasses defenses by modifying the environment (e.g., BetterDiscord) to hide activity. Quote: ‘bypasses the BetterDiscord by replacing the string ‘api/webhooks’ with ‘MitsuTheGoat’.’
  • [T1003] OS Credential Dumping – The stealer collects usernames, passwords, cookies, and other data from installed browsers. Quote: ‘After collecting the Discord tokens, the malware tries to get the details using the following functions.’
  • [T1082] System Information Discovery – The malware gathers system/browser data to target data theft. Quote: ‘targets the following browsers to steal sensitive information.’
  • [T1083] File and Directory Discovery – It searches browser directories to locate data to exfiltrate. Quote: ‘collects … from the installed browser’s directories.’
  • [T1057] Process Discovery – It enumerates processes to identify targets and to aid staged infection. Quote: ‘enumerates the running processes in user’s machine…’
  • [T1005] Data from Local System – Data from local browsers and wallets is collected and stored for exfiltration. Quote: ‘collects sensitive information, such as usernames, passwords, cookies, auto-fills, and user profiles from the installed browser’s directories.’
  • [T1071] Application Layer Protocol – Exfiltration occurs via Discord webhooks (C2 channel). Quote: ‘send_info() function’ and ‘to a Discord webhook URL’.
  • [T1573] Encrypted Channel – Data is sent to webhooks over the application layer protocol channel (Discord). Quote: ‘to the following webhook URL by using the send_info() function.’

Indicators of Compromise

  • [MD5] Anydesk.exe – a47970f99928d7628ba3fff45c03807f
  • [SHA1] Anydesk.exe – eda41936d93347a920e891f8016dae4562fc29d5
  • [SHA256] Anydesk.exe – 77e2b24779faccc8154b475893633c97d26316a3211a16757f4ddcfcb797098c
  • [IP] Malware distribution IP – 164.92.235.193
  • [URL] Malware distribution site – hxxp://anydesk[.]ml
  • [URL] Discord webhook URL – hxxps://discord[.]com/api/webhooks/999366329641467984/5-e6JL54mjiiJjSUh5ME3LOdQ0VIwhlpQ5WKcll_MpNKGTKBQJqvZCc6eXDMTafe7Tm-
  • [URL] Remote index.js replacement source – hxxps://raw.githubusercontent[.]com/mitsustlr/inject/main/index[.]js
  • [URL] Discord token discovery route – hxxps://discord[.]com/api/v6/users/@me
  • [URL] Discord token billing data route – hxxps://discord[.]com/api/v6/users/@me/billing/payment-sources
  • [URL] Discord relationships route – hxxps://discord[.]com/api/v6/users/@me/relationships
  • [URL] Avatar/file hosting – hxxps://media.discordapp[.]net/attachments/988835185300742258/997093134787944539/ansn[.]png
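The network indicators above are listed in defanged form (hxxp, [.]), so a hunting script first has to refang them before matching. The script below is an added example, not Cyble's code: it refangs the distribution site, the distribution IP, the webhook URL and the index.js source, then runs them over a handful of constructed proxy and DNS log lines. The Discord API routes (users/@me and its sub-paths) are left out of this subset because the legitimate client uses the same endpoints, and discord.com and raw.githubusercontent.com are matched only on the full URL, never on the hostname alone, so ordinary Discord and GitHub traffic is not flagged. The log line format is an assumption made for the demo.

```python
"""Match proxy/DNS log lines against network IoCs from the Cyble summary.

Added example, not Cyble's code. Indicators are copied from the report in
defanged form; the log lines and their format are constructed for the demo.
"""
import re
from urllib.parse import urlsplit

DEFANGED_IOCS = [
    "hxxp://anydesk[.]ml",
    "hxxps://discord[.]com/api/webhooks/999366329641467984/"
    "5-e6JL54mjiiJjSUh5ME3LOdQ0VIwhlpQ5WKcll_MpNKGTKBQJqvZCc6eXDMTafe7Tm-",
    "hxxps://raw.githubusercontent[.]com/mitsustlr/inject/main/index[.]js",
    "164.92.235.193",
]

# Hosts that carry plenty of benign traffic: match these on the full URL
# only, never on the hostname alone (a policy choice made for this example).
SHARED_HOSTS = {"discord.com", "raw.githubusercontent.com"}

# Constructed log lines in an assumed "timestamp client action target status" format.
SAMPLE_LOG = [
    "2022-10-13T10:02:09Z 10.0.0.5 dns query A anydesk.ml",
    "2022-10-13T10:02:10Z 10.0.0.5 -> 164.92.235.193:80 SYN",
    "2022-10-13T10:02:11Z 10.0.0.5 GET http://anydesk.ml/Anydesk.exe 200",
    "2022-10-13T10:05:40Z 10.0.0.5 GET https://discord.com/api/v9/users/@me 200",
    "2022-10-13T10:05:41Z 10.0.0.5 POST https://discord.com/api/webhooks/"
    "999366329641467984/5-e6JL54mjiiJjSUh5ME3LOdQ0VIwhlpQ5WKcll_MpNKGTKBQJqvZCc6eXDMTafe7Tm- 204",
    "2022-10-13T10:05:42Z 10.0.0.5 GET https://raw.githubusercontent.com/mitsustlr/inject/main/index.js 404",
]


def refang(ioc):
    """Turn hxxp/[.] defanging back into a string that appears in real logs."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


def load_indicators(defanged):
    """Split refanged IoCs into hostnames, full URLs and IP addresses."""
    hosts, urls, ips = set(), set(), set()
    for ioc in defanged:
        v = refang(ioc)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", v):
            ips.add(v)
        elif "://" in v:
            parts = urlsplit(v)
            if parts.hostname in SHARED_HOSTS:
                urls.add(v)          # shared host: full URL only
            else:
                hosts.add(parts.hostname)
                if parts.path:
                    urls.add(v)
        else:
            hosts.add(v)
    return hosts, urls, ips


def match_line(line, hosts, urls, ips):
    """Return the indicators a single log line matches (empty list if none)."""
    hits = [u for u in urls if u in line]
    for ip in ips:
        # Lookarounds stop 164.92.235.193 matching inside 164.92.235.1930 etc.
        if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", line):
            hits.append(ip)
    for host in hosts:
        # Require a delimiter on both sides so anydesk.ml does not hit notanydesk.ml.
        if re.search(r"(?<![\w.-])" + re.escape(host) + r"(?![\w-])", line):
            hits.append(host)
    return hits


def scan_logs(lines, defanged=DEFANGED_IOCS):
    """Return (1-based line number, matched indicators) for every line with a hit."""
    hosts, urls, ips = load_indicators(defanged)
    results = []
    for n, line in enumerate(lines, start=1):
        hits = match_line(line, hosts, urls, ips)
        if hits:
            results.append((n, hits))
    return results


if __name__ == "__main__":
    for n, hits in scan_logs(SAMPLE_LOG):
        print(f"line {n}: {hits}")
```

A hit on the webhook URL is the exfiltration step itself, so it deserves a higher severity than a DNS lookup of anydesk.ml, which only shows that the lure page was visited.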

Read more: https://blog.cyble.com/2022/10/13/mitsu-stealer-distributed-via-anydesk-phishing-site/