Mint Stealer: An In-Depth Analysis of a Python-Driven Information Theft Tool – CYFIRMA

Cyfirma provides an in-depth look at Mint Stealer, a Python-driven information-stealing tool marketed as malware-as-a-service (MaaS) that exfiltrates sensitive data from compromised systems while employing evasion techniques. The report covers Mint Stealer’s targets, delivery method, evasion strategies, C2 communications, and defense recommendations.

Key points

  • Mint Stealer is a potent MaaS tool designed to covertly exfiltrate sensitive data.
  • Targets include web browsers, cryptocurrency wallets, gaming credentials, VPN clients, messaging apps, and FTP client data.
  • Sold through dedicated websites with support via Telegram.
  • Utilizes the Nuitka Python compiler and employs encryption and obfuscation techniques.
  • Acts as a dropper, hiding its main payload in a compressed form within the resource section of the executable.
  • Checks for debuggers and analysis tools to evade detection.
  • Uploads stolen data to free file-sharing sites and communicates with a command-and-control server.

MITRE Techniques

  • [T1592] Gather Victim Host Information – Collects information about the compromised host. “Mint-stealer begins collecting data from the infected system, including web browser data, cryptocurrency wallet information…”
  • [T1204.002] Malicious File – Executes malicious files to initiate the attack. “In the second stage, Setup.exe executes vadimloader.exe as a child process…”
  • [T1622] Debugger Evasion – Avoids detection by checking for debugging tools. “Checks for debuggers and analysis tools running in the environment.”
  • [T1497] Virtualization/Sandbox Evasion – Employs techniques to evade virtualized environments.
  • [T1140] Deobfuscate/Decode Files or Information – Decodes or deobfuscates data to facilitate its execution.
  • [T1083] File and Directory Discovery – Identifies files and directories on the compromised system.
  • [T1071.001] Web Protocols – Utilizes web protocols for command and control communication.
  • [T1041] Exfiltration Over C2 Channel – Exfiltrates data through the command and control channel.

Indicators of Compromise

  • [File] Setup.exe – MD5 e6e620e5cac01f73d0243dc9cf684193, SHA-256 1064ab9e734628e74c580c5aba71e4660ee3ed68db71f6aa81e30f148a5080fa
  • [File] vadimloader.exe – MD5 9f037593071344bc1354e5a619f914f4, SHA-256 db47e673cccdbe2abb11cc07997aeabf4d2bdc9bec286674b58c6baafa09b823
  • [Domain] mint-c2.top – C2
  • [Domain] mint-stealer.top – C2
  • [URL] mint-c2.top/api/won – Exfiltration
  • [URL] mint-c2.top/api/injection – Exfiltration
  • [IP address] 188.114.96.3 – C2
  • [IP address] 94.156.79.162 – C2
  • [Domain] cashout.pw – C2
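The network indicators above can be turned into a simple proxy-log sweep. The following is an added example, not code from CYFIRMA or the report: it matches constructed, simplified proxy log lines (source IP, method, URL, destination IP) against the C2 domains, C2 IPs and exfiltration paths listed, treating subdomains of a listed domain as hits and only counting a `/api/won` or `/api/injection` path when the domain or IP already matched, since those paths alone are too generic to alert on.

```python
import re

# Indicators taken from the report summary above.
C2_DOMAINS = {"mint-c2.top", "mint-stealer.top", "cashout.pw"}
C2_IPS = {"188.114.96.3", "94.156.79.162"}
EXFIL_PATHS = {"/api/won", "/api/injection"}

# Constructed sample proxy log lines (not real traffic); the format is an assumption.
SAMPLE_LOG = """\
10.0.0.5 POST http://mint-c2.top/api/won 188.114.96.3
10.0.0.5 GET http://www.example.com/index.html 203.0.113.20
10.0.0.9 GET http://update.mint-stealer.top/ 94.156.79.162
10.0.0.7 GET http://notmint-c2.top/login 203.0.113.10
10.0.0.8 POST http://cashout.pw/api/injection 94.156.79.162
"""

LINE_RE = re.compile(r"^(?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<dst>\S+)$")
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?#]*)?")

def domain_matches(host, domains):
    """True if host equals an indicator domain or is a subdomain of one
    (so 'notmint-c2.top' does not match 'mint-c2.top')."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def classify_line(line):
    """Return the list of reasons a log line matches Mint Stealer indicators."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    u = URL_RE.match(m["url"])
    host, path = (u["host"], u["path"] or "/") if u else ("", "/")
    reasons = []
    if domain_matches(host, C2_DOMAINS):
        reasons.append(f"c2-domain:{host.lower()}")
    if m["dst"] in C2_IPS:
        reasons.append(f"c2-ip:{m['dst']}")
    # Exfil paths only add confidence to an existing domain/IP hit.
    if reasons and path in EXFIL_PATHS:
        reasons.append(f"exfil-path:{path}")
    return reasons

def scan(log_text):
    """Return [(line_number, reasons)] for every matching line."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        reasons = classify_line(line)
        if reasons:
            hits.append((n, reasons))
    return hits

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(n, ", ".join(reasons))
```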

Read more: https://www.cyfirma.com/research/mint-stealer-a-comprehensive-study-of-a-python-based-information-stealer/