Keypoints
- Mystic Stealer switched from a custom encrypted binary TCP protocol to HTTP POST requests with Base64-encoded payloads to communicate with C2 servers.
- The binary contains an expiration check; C2 decryption (custom XTEA layer) is deferred until after the time check to avoid leaking C2s in memory prematurely.
- The malware registers with C2 via Base64 “hwid” and “build” fields and receives a 64-byte session token plus binary flags that drive actions like screenshots and theft tasks.
- Mystic requests target lists (chromium-browsers, gecko-browsers, extensions, files) from C2, downloads a legitimate sqlite3.dll to parse browser DBs, and exfiltrates extracted files using multipart/form-data POSTs.
- A “loader” command instructs the bot to download one or more Base64-encoded executables (second-stage payloads) which are then executed; examples of distributed families include RedLine, DarkGate, and GCleaner.
- Strings in some debug builds reveal plaintext paths and development artifacts, indicating active, evolving development and testing of features such as file grabbers and loaders.
MITRE Techniques
- [T1071.001] Web Protocols – C2 and command exchange moved to HTTP POST requests: (‘POST /loghub/master HTTP/1.1’)
- [T1041] Exfiltration Over C2 Channel – Stolen files and browser data are sent in multipart/form-data POSTs with Base64-encoded content: (‘BASE64(<content of example.txt>)’)
- [T1113] Screen Capture – Bot can capture and exfiltrate screenshots when enabled by server flags: (‘Screenshot.jpeg’)
- [T1005] Data from Local System – Mystic collects local files including browser databases and cryptocurrency wallet files: (‘Wallets/Bitcoin Core|%appdata%Bitcoinwallets|wallet.dat’)
- [T1105] Ingress Tool Transfer – Downloader retrieves helper components and payloads (e.g., sqlite3.dll and Base64-encoded executables) from C2: (‘BASE64(OK BASE64(<sqlite3 file>))’)
- [T1053] Scheduled Task/Job – References to creating scheduled tasks suggest persistence capabilities: (‘/c schtasks /create /F /sc minute /mo 15 /tr “%ls” /tn “WindowsAppPool%ls”’)
Indicators of Compromise
- [File Hash] Mystic sample hashes observed – 6203249bebf7248535ff5ef70a7c5a57, 7eb8617d09f204dd40541a000f98810 (from Zscaler table)
- [C2 server IP/URL] Command-and-control endpoints – hxxp://171.22.28[.]235/loghub/master, hxxp://194.87.31[.]123/loghub/master (used for POST /loghub/master)
- [File Name] Downloaded/helper files and artefacts – sqlite3.dll (downloaded from C2 to parse DBs), SystemInformation.txt (posted to C2 with system details)
- [File Name] Exfiltrated file examples – Cookies/Microsoft_Edge_Default.txt, Gecko/Firefox/<profile>.default/key4.db (sent in multipart/form-data)
The Mystic Stealer binary performs a date-based execution check and defers decryption of embedded C2 configuration (a custom XTEA layer) until after the expiration check to reduce in-memory exposure of C2s. After decryption the C2 list contains HTTP endpoints and an obfuscated path string scheme; communications are plain HTTP multipart/form-data POSTs where fields (e.g., hwid, build, msg, filename, file, token) carry Base64-encoded values. Initial registration sends Base64(hwid) and Base64(build) and the server responds with a session token (64-byte hex string) plus binary flags that control actions (screenshots, browser/wallet theft, files grabber, loader), and the bot reports system info in SystemInformation.txt.
Mystic queries C2 for specific target lists by sending msg values such as Base64(“chromium-browsers”), Base64(“gecko-browsers”), Base64(“extensions”), or Base64(“files”); the server returns delimited configuration strings listing browser names and local profile paths, extension names and IDs, or file/directory masks and recursion flags. To parse browser SQLite databases the bot requests a legitimate sqlite3.dll from C2 (response: Base64-encoded DLL) and uses it to extract cookies, logins, history, certificates, and other DB contents, which are exfiltrated as Base64 multipart/form-data entries (filename + file + token). If configured, Mystic captures screenshots (Screenshot.jpeg) and includes them in the same upload format.
The loader functionality allows Mystic to request additional payloads via msg=Base64(“loader”); the server replies with an OK packet containing one or more Base64-encoded executables in a delimited sequence (e.g., |1|BASE64(exe1)|…), which the bot decodes and executes. Post-execution it posts a “loadercode” message. Debug builds contain plaintext strings and absolute source paths revealing components like chromiumbrowsers.cpp, geckobrowsers.cpp, filesgrabber.cpp, and stealerloader.cpp, indicating active development and feature testing. Read more: https://www.zscaler.com/blogs/security-research/mystic-stealer-revisited
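The exchange described in the three paragraphs above (Base64 fields inside multipart/form-data POSTs, and an OK packet wrapping one or more Base64 blobs) can be decoded offline from a capture. The following is an added example written for this summary, not code from Mystic Stealer or from the Zscaler write-up. It assumes framing details the page does not state (the boundary string, that the whole OK reply is Base64 as in the sqlite3.dll example, and that the loader sequence sits after a literal OK); the sample messages and the MZ-prefixed stub "executables" are constructed. The same OK-packet parser covers both the sqlite3.dll reply and the loader reply, which the page describes separately.

```python
"""Decode Mystic Stealer-style HTTP C2 messages from a capture.

Added example; not the malware's or Zscaler's code. Framing not stated
on the page (boundary, outer Base64 on OK replies, 'OK' prefix) is an
assumption. All samples below are constructed, not real captures.
"""
import base64
import binascii
import hashlib
import re

FIELD_RE = re.compile(rb'name="([^"]+)"')


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_multipart(fields: dict, boundary: str) -> bytes:
    """Build a multipart/form-data body with every value Base64-encoded,
    as the page describes the bot's POSTs (boundary value is assumed)."""
    delim = b"--" + boundary.encode()
    out = b""
    for name, value in fields.items():
        out += delim + b"\r\n"
        out += b'Content-Disposition: form-data; name="' + name.encode() + b'"\r\n\r\n'
        out += base64.b64encode(value) + b"\r\n"
    return out + delim + b"--\r\n"


def decode_post(body: bytes, boundary: str) -> dict:
    """Split a captured POST body into fields and Base64-decode each value.
    A value that is not valid Base64 is kept raw so nothing is dropped."""
    delim = b"--" + boundary.encode()
    fields = {}
    for part in body.split(delim)[1:]:
        if part.startswith(b"--"):
            break  # closing delimiter
        headers, _, content = part.partition(b"\r\n\r\n")
        if content.endswith(b"\r\n"):
            content = content[:-2]
        m = FIELD_RE.search(headers)
        if not m:
            continue
        try:
            fields[m.group(1).decode()] = base64.b64decode(content, validate=True)
        except binascii.Error:
            fields[m.group(1).decode()] = content
    return fields


def parse_ok_packet(raw: bytes) -> list:
    """Extract MZ-prefixed blobs from an OK reply (sqlite3.dll or loader).

    Assumed framing: outer Base64 decodes to 'OK' followed by a '|'-delimited
    sequence whose payload tokens are themselves Base64 ('|1|BASE64(exe1)|...').
    Index tokens are recorded as hints only; every token that decodes to bytes
    starting with 'MZ' is treated as a payload, so a mis-counted or reordered
    sequence still yields each executable. Returns (index, sha256, bytes).
    """
    inner = base64.b64decode(raw)
    if not inner.startswith(b"OK"):
        raise ValueError("not an OK packet")
    payloads, last_index = [], None
    for token in inner[2:].split(b"|"):
        token = token.strip()
        if not token:
            continue
        if token.isdigit():
            last_index = int(token)
            continue
        try:
            blob = base64.b64decode(token, validate=True)
        except binascii.Error:
            continue
        if blob.startswith(b"MZ"):
            payloads.append((last_index, sha256_hex(blob), blob))
    return payloads


# Constructed samples (boundary assumed; stub bytes are not real PE files).
BOUNDARY = "----MysticSample"
FAKE_EXE_1 = b"MZ" + b"\x90" * 30 + b"stage2-one"
FAKE_EXE_2 = b"MZ" + b"\x90" * 30 + b"stage2-two"
FAKE_DLL = b"MZ" + b"\x00" * 30 + b"sqlite3-stub"

SAMPLE_REGISTRATION = build_multipart(
    {"hwid": b"0123456789ABCDEF", "build": b"default"}, BOUNDARY)
SAMPLE_EXFIL = build_multipart(
    {"filename": b"Cookies/Microsoft_Edge_Default.txt",
     "file": b"example.com\tTRUE\t/\tFALSE\t0\tsid\tabc", "token": b"a" * 64}, BOUNDARY)
SAMPLE_LOADER_REPLY = base64.b64encode(
    b"OK|1|" + base64.b64encode(FAKE_EXE_1) + b"|2|" + base64.b64encode(FAKE_EXE_2) + b"|")
SAMPLE_SQLITE_REPLY = base64.b64encode(b"OK " + base64.b64encode(FAKE_DLL))
SAMPLE_BAD_REPLY = base64.b64encode(b"ERR")

if __name__ == "__main__":
    print(decode_post(SAMPLE_REGISTRATION, BOUNDARY))
    print(decode_post(SAMPLE_EXFIL, BOUNDARY)["filename"])
    for idx, digest, blob in parse_ok_packet(SAMPLE_LOADER_REPLY):
        print(idx, digest, len(blob))
```

Hashing each recovered blob is the useful output for an analyst: the digests of dropped second-stage executables are what get pivoted on, and comparing a recovered sqlite3.dll against a known-good hash confirms the page's claim that the helper is a legitimate library rather than a trojanised one.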