Summary

Zscaler ThreatLabz has discovered a new malware variant, RedEnergy stealer (not to be confused with the Australian company Red Energy), that fits into the hybrid Stealer-as-a-Ransomware threat category.

RedEnergy stealer uses a fake browser update campaign to target multiple industry verticals. It steals information from several browsers, enabling the exfiltration of sensitive data, and also carries modules for ransomware activity. The name RedEnergy was kept because it recurs in the method names observed during analysis.

This blog provides detailed insights into the different campaigns associated with this newly identified malware, along with a technical analysis of its stealer and ransomware characteristics.
Introduction

At the Botconf 2023 conference in April of this year, ThreatLabz presented a novel threat category called RAT-as-a-Ransomware. More recently, researchers have identified another hybrid category following a similar approach, now called Stealer-as-a-Ransomware. RedEnergy stealer combines silent data theft with file encryption to inflict maximum harm and gain leverage over its victims. It targets multiple industries, including energy utilities, oil, gas, telecom, and machinery. These hybrids represent a notable shift beyond traditional ransomware attacks.

The sample Stealer-as-a-Ransomware variant analyzed in this case study employs a deceptive FAKEUPDATES campaign to lure in its targets, tricking them into promptly updating their browsers. Once inside the system, this malicious variant stealthily extracts sensitive information and proceeds to encrypt the compromised files. This leaves victims vulnerable to potential data loss, exposure, or even the sale of their valuable data.

This blog offers a comprehensive analysis of various campaigns associated with this emerging threat, shedding light on its operational aspects. Additionally, ThreatLabz provides a detailed technical overview of the malware, aiding in a better understanding of its behavior and potential countermeasures.
Key Takeaways

The key takeaways from this research article are:

Discovery of RedEnergy Stealer: ThreatLabz's latest research uncovers a sophisticated malware campaign that abuses the reputable LinkedIn pages of real companies, including the Philippines Industrial Machinery Manufacturing Company and several organizations in Brazil, to reach victims. Users who click through from a compromised company's LinkedIn page to its website are redirected to a fake browser update; the attackers use multi-stage techniques and disguise the malware as browser updates to deceive them.
Stealer-as-a-Ransomware: the malware analyzed has dual capabilities as both a stealer and ransomware, representing an alarming evolution in ransomware attacks. It employs obfuscation techniques and utilizes HTTPS for command and control communication, making detection and analysis challenging.
Multi-Stage Execution: The malware operates through multiple stages, starting with the execution of disguised malicious executables. It establishes persistence, resolves its command and control domain via DNS, and downloads additional payloads from remote locations. Suspicious FTP interactions suggest potential data exfiltration and unauthorized file uploads.
Ransomware Functionality: The malware includes ransomware modules that encrypt user data with the ".FACKOFF!" extension, rendering it inaccessible until a ransom is paid. It also modifies the desktop.ini file to alter how file system folders are displayed, which helps conceal its activity.
Deletion of Volume Shadow Copies: In its final stage, the malware deletes volume shadow copies and the Windows backup catalog, reinforcing its ransomware characteristics. It drops a batch file and a ransom note demanding payment in exchange for file decryption.

By understanding these key takeaways, organizations can enhance their security posture and better protect themselves from RedEnergy stealer and similar types of malware campaigns.
Campaign

Zscaler recently made a significant discovery involving a new and sophisticated threat campaign named RedEnergy stealer targeting the Philippines Industrial Machinery Manufacturing Company, as well as other industries with notable LinkedIn pages. These pages typically contain essential company information and website links, making them attractive targets for cybercriminals.

Fig 1. – LinkedIn page for Philippines Industrial Machinery Manufacturing

The operating mode for this threat campaign involves a deceptive redirection. When a user attempts to visit the targeted company's website from its LinkedIn profile, they are redirected to a malicious website. There they are prompted to install a seemingly legitimate browser update, presented as a set of four different browser icons. Instead of a genuine update, the user downloads an executable containing the RedEnergy stealer.

Fig 2. – Malicious download site

Interestingly, regardless of which browser icon the user clicks on, they are redirected to the same URL: www[.]igrejaatos2[.]org/assets/programs/setupbrowser.exe. This URL initiates the download of a file called setupbrowser.exe, which is part of the malicious payload.

Fig 3. – Website downloading malicious payload

What makes this campaign even more insidious is the download domain itself, www[.]igrejaatos2[.]org. The domain is also dressed up as a ChatGPT site to lure victims into downloading a fake offline version of ChatGPT. The purported ChatGPT zip file delivers the same malicious executable described above.

Fig 4. – Downloading domain luring users to download fake chatgpt tool

It is crucial for individuals and organizations to exercise utmost caution when accessing websites, especially those linked from LinkedIn profiles. Vigilance in verifying the authenticity of browser updates and being wary of unexpected file downloads is paramount to protect against such malicious campaigns.
Additional Campaigns

In addition to the discovery of the threat campaign targeting the Philippines Industrial Machinery Manufacturing Company, Zscaler's thorough campaign search has uncovered several other related campaigns that exploit the FAKEUPDATES tactic. These campaigns exhibit similar characteristics and techniques, indicating a broader coordinated effort by the cybercriminals behind these attacks.

One such campaign involves impersonating a prominent Brazilian telecom company. Like the previously mentioned campaign, this variant directs victims to the same webpage and initiates the download of the identical executable file, www[.]igrejaatos2[.]org/assets/programs/setupbrowser.exe. This indicates that the attackers behind this campaign are reusing their infrastructure and tactics to maximize impact and profits.

Fig 5. – Similar campaign leveraging google search

Furthermore, a well-known Brazilian cosmetics company has also fallen victim to this malicious campaign, experiencing the same type of attack which downloads the same payload. It is evident that the cybercriminals behind these campaigns are targeting organizations across various industries, leveraging their already established reputations and online presence to deceive unsuspecting users.

To gain a deeper understanding of the technical aspects of this malware, let us delve further into its analysis in the sections that follow. By examining the intricacies of the malicious code, security researchers can uncover crucial details about its behavior, functionality, and potential impact on the compromised systems. This information is essential for developing effective countermeasures and mitigating the risks associated with this ongoing threat.
Technical Analysis

The RedEnergy malware under investigation exhibits a dual functionality, acting both as a stealer and a ransomware. This .NET file, intentionally obfuscated by its author, possesses advanced capabilities to evade detection and hinder analysis. To establish communication with its command and control servers, the malware utilizes HTTPS, adding an additional layer of encryption and obfuscation.

Fig 6. – Infection chain

The execution of this malware unfolds in three distinct stages, each serving a specific purpose. Each stage is outlined in the sections below.

Stage 1: Initial Startup

Upon execution, the malicious RedEnergy executable masquerades as part of a legitimate browser update, as depicted in Fig. 7 below, posing as an update for one of several popular browsers (Google Chrome, Microsoft Edge, Firefox, and Opera). Inspecting the properties of the malicious executable reveals an invalid certificate; at the surface, however, the attack hides behind the genuine, signed updater of the victim's browser, as shown by the Google example in Fig. 8 below. This tactic is meant to instill trust and convince the victim that the update is authentic.

Fig 7. – Google updater executing the malicious RedEnergy binary

Fig 8. – Fake certificate

Stage 2: Dropping Files, Persistence, Outgoing Requests, Encrypted Files

Dropping Files:

In this stage, the malware drops four files onto the victim's system under %USERPROFILE%\AppData\Local\Temp, as shown in Fig. 9 below. These consist of two temporary files and two executables, all following the same naming pattern: "tmp" followed by four randomly generated hexadecimal characters, i.e. tmp[4 random hex characters].exe for the executables. One executable is the malicious payload; the other is the legitimate, digitally signed Google Update binary (MD5 8911b376a5cd494b1ac5b84545ed2eb2), which performs a real update of Google Chrome and thereby further deceives the victim. In parallel, the malware launches a second background process, MD5 cb533957f70b4a7ebb4e8b896b7b656c, which is the true malicious payload. During execution, this payload displays an inappropriate message on the victim's screen, shown in Fig. 10 below, most likely intended to cause distress or confusion.

Fig 9. – Dropping malicious file in temp directory

Fig 10. – Display message after executing the binary

Persistence:

Persistence is a critical aspect of malware, enabling it to survive reboots and shutdowns. To achieve persistence, the malicious executable stores files in the user's Startup folder (Start Menu\Programs\Startup) and then initiates an immediate reboot, so that the malware runs as soon as the system comes back up. This mechanism ensures that the malware remains active and continues its operations across system restarts.
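As an added example (not from the original ThreatLabz write-up), the Python below turns the two artifacts just described, the tmp<4 hex>.exe drops in %LOCALAPPDATA%\Temp and the Startup-folder persistence, into a hunt. It hashes what it finds and compares the MD5s against the values quoted in this analysis. The directory paths are parameters so the hunt can be pointed at a mounted image; build_sample_tree() creates a constructed stand-in profile (harmless placeholder files) so the script runs offline.

```python
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# MD5 values quoted in the write-up. The Google Update binary is benign and is
# listed only so the hunt can tell the signed decoy apart from the payload
# dropped next to it.
KNOWN_HASHES = {
    "fb7883d3fd9347debf98122442c2a33e": "RedEnergy main payload (setupbrowser.exe)",
    "cb533957f70b4a7ebb4e8b896b7b656c": "RedEnergy dropper payload (tmp<hex>.exe)",
    "642dbe8b752b0dc735e9422d903e0e97": "RedEnergy final payload",
    "8911b376a5cd494b1ac5b84545ed2eb2": "legitimate Google Update (signed decoy, benign)",
}

# "tmp" + exactly four hex characters + ".exe"; Windows names are case-insensitive.
DROPPED_NAME = re.compile(r"^tmp[0-9a-f]{4}\.exe$", re.IGNORECASE)
STARTUP_EXTS = (".exe", ".lnk", ".bat", ".cmd", ".vbs", ".js")


@dataclass
class Finding:
    path: str
    reason: str
    md5: str


def md5_of(path: Path) -> str:
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(temp_dir: str, startup_dir: str) -> list:
    r"""Check the two locations named in the analysis.

    temp_dir    -> %LOCALAPPDATA%\Temp            (tmp<4 hex>.exe drops)
    startup_dir -> Start Menu\Programs\Startup    (persistence)
    Both are parameters so the hunt can run against a mounted disk image
    or a test directory instead of the live profile.
    """
    findings = []
    for name in sorted(os.listdir(temp_dir)):
        p = Path(temp_dir) / name
        if not p.is_file():
            continue
        digest = md5_of(p)
        if digest in KNOWN_HASHES:
            findings.append(Finding(str(p), KNOWN_HASHES[digest], digest))
        elif DROPPED_NAME.match(name):
            findings.append(Finding(str(p), "tmp<4 hex>.exe naming pattern in Temp", digest))
    # The malware plants its files in the per-user Startup folder and forces a
    # reboot so they run; anything executable there deserves a look.
    for name in sorted(os.listdir(startup_dir)):
        p = Path(startup_dir) / name
        if not p.is_file():
            continue
        digest = md5_of(p)
        if digest in KNOWN_HASHES:
            findings.append(Finding(str(p), KNOWN_HASHES[digest], digest))
        elif name.lower().endswith(STARTUP_EXTS):
            findings.append(Finding(str(p), "executable planted in per-user Startup folder", digest))
    return findings


def default_locations() -> tuple:
    """Live-profile paths on Windows, resolved from the environment."""
    local = os.environ.get("LOCALAPPDATA", os.path.expanduser("~/AppData/Local"))
    roaming = os.environ.get("APPDATA", os.path.expanduser("~/AppData/Roaming"))
    return (os.path.join(local, "Temp"),
            os.path.join(roaming, "Microsoft", "Windows", "Start Menu", "Programs", "Startup"))


def build_sample_tree() -> tuple:
    """Constructed stand-in for a profile, for offline testing. The files are
    harmless placeholders; only their names mimic the drops."""
    temp_dir = tempfile.mkdtemp(prefix="redenergy_temp_")
    startup_dir = tempfile.mkdtemp(prefix="redenergy_startup_")
    (Path(temp_dir) / "tmp1A2B.exe").write_bytes(b"placeholder, not malware")
    (Path(temp_dir) / "tmp9F0C.tmp").write_bytes(b"scratch data")
    (Path(temp_dir) / "notes.txt").write_bytes(b"benign")
    (Path(startup_dir) / "tmpC0DE.exe").write_bytes(b"placeholder, not malware")
    return temp_dir, startup_dir


if __name__ == "__main__":
    temp_dir, startup_dir = default_locations()
    if not (os.path.isdir(temp_dir) and os.path.isdir(startup_dir)):
        temp_dir, startup_dir = build_sample_tree()  # not on Windows: use the constructed tree
    for f in hunt(temp_dir, startup_dir):
        print(f"{f.md5}  {f.path}  [{f.reason}]")
```

A hit on the naming pattern alone is a lead, not a verdict: Windows itself creates tmpXXXX.tmp scratch files, which is why the pattern is restricted to .exe and why the hash match is reported separately and with priority.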

Outgoing Requests:

During analysis, researchers used FakeNet, a Windows malware analysis tool that simulates network services, to observe the malware's behavior. It showed the malicious tmp.exe resolving the domain 2no.co, depicted in Fig. 11 below. Wireshark was then used to identify the exact DNS query issued by tmp.exe, shown in Fig. 12 below. After resolving that domain, tmp.exe was expected to download an executable from the Discord CDN. During this analysis the Command and Control (CnC) server was unavailable, so that sample could not be obtained; however, another sample resembling the final payload, hosted on the same domain two days before this analysis, was found.

Fig 11. – Malicious binary communication with CnC server

Fig 12. – Network communication seen via Wireshark

Additionally, suspicious File Transfer Protocol (FTP) activity was observed. A client logged in with the username "alulogrofp" to a server hosted by OVH, one of the largest hosting providers globally. The credentials were accepted and the session landed in the root directory ("/"). UTF-8 was enabled for the session, meaning file names could use international character sets.

Fig 13. – FTP interaction on OVH private system

Within the FTP session, the client changed into the "/assets/bootstrap/css" directory (an ordinary change of directory, not a directory traversal attack) and set the transfer type to binary (8-bit). The server then entered passive mode and announced the data-channel endpoint with the message "Entering Passive Mode (51,68,11,192,115,132)": the first four numbers form the IP address 51.68.11[.]192 and the last two the port, 115*256+132 = 29572. The client then requested a file list with the "NLST" command, which returned six matching files.

In another session, the client initiated a file retrieval operation using the "RETR" command, specifying the file path as "assets/bootstrap/css/SPP". The server acknowledged the data connection and confirmed the acceptance of the file transfer.

These FTP interactions raised concerns regarding potential data exfiltration, as well as the possibility of uploading files using the same method.
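The FTP session above is straightforward to reconstruct from a control-channel capture. As an added example, not part of the original analysis, the Python below parses such a transcript (constructed here to mirror the session described, plus an upload of the kind the write-up only hypothesizes), decodes 227 passive-mode replies into the data-channel IP and port, and flags the transfers worth a second look.

```python
import re
from dataclasses import dataclass, field

# Constructed control-channel transcript modelled on the session described
# above; "C:" is the client, "S:" the server. Not a real capture.
SAMPLE_SESSION = """\
S: 220 Welcome
C: USER alulogrofp
S: 331 Password required
C: PASS ********
S: 230 User logged in
C: OPTS UTF8 ON
S: 200 UTF8 set to on
C: PWD
S: 257 "/" is the current directory
C: CWD /assets/bootstrap/css
S: 250 CWD command successful
C: TYPE I
S: 200 Type set to I
C: PASV
S: 227 Entering Passive Mode (51,68,11,192,115,132)
C: NLST
S: 150 Opening data connection
S: 226 6 matches total
C: PASV
S: 227 Entering Passive Mode (51,68,11,192,118,7)
C: RETR assets/bootstrap/css/SPP
S: 150 Opening data connection
S: 226 Transfer complete
C: PASV
S: 227 Entering Passive Mode (51,68,11,192,120,1)
C: STOR assets/bootstrap/css/upload.bin
S: 150 Ok to send data
S: 226 Transfer complete
"""

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
UPLOAD_CMDS = {"STOR", "APPE", "STOU"}   # data flows client -> server
DOWNLOAD_CMDS = {"RETR"}                  # data flows server -> client


def decode_pasv(line: str):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (ip, port) or None."""
    m = PASV_RE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass
class Transfer:
    command: str
    path: str
    data_ip: str
    data_port: int
    direction: str


@dataclass
class SessionSummary:
    user: str = ""
    cwd: str = ""
    transfers: list = field(default_factory=list)


def parse_session(text: str) -> SessionSummary:
    """Walk the transcript, pairing each data command with the PASV endpoint
    the server announced just before it."""
    summary = SessionSummary()
    pending_pasv = None
    for raw in text.splitlines():
        side, _, line = raw.partition(": ")
        if side == "S":
            pasv = decode_pasv(line)
            if pasv:
                pending_pasv = pasv
            continue
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            summary.user = arg
        elif cmd == "CWD":
            summary.cwd = arg
        elif cmd in UPLOAD_CMDS | DOWNLOAD_CMDS:
            ip, port = pending_pasv or ("?", 0)
            summary.transfers.append(
                Transfer(cmd, arg, ip, port, "upload" if cmd in UPLOAD_CMDS else "download"))
            pending_pasv = None
    return summary


def flag_exfiltration(summary: SessionSummary) -> list:
    """Heuristics only: any upload is reported, as is a download of an
    extension-less file from a path posing as static web assets (the
    campaign staged its files under /assets/)."""
    alerts = []
    for t in summary.transfers:
        if t.direction == "upload":
            alerts.append(f"upload of {t.path} to {t.data_ip}:{t.data_port} by {summary.user}")
        elif t.path.startswith("assets/") and "." not in t.path.rsplit("/", 1)[-1]:
            alerts.append(f"extension-less file {t.path} fetched from a static-asset path")
    return alerts
```

With the passive endpoint decoded, the data-channel flows (here to 51.68.11.192 on ports 29572, 30215 and 30721) can be pulled from the same capture to recover the transferred bytes, which plain-text FTP does nothing to protect.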

Encrypted Files:

With ransomware modules integrated into the payload, the malware proceeded to encrypt the user's data, appending the ".FACKOFF!" extension to each encrypted file, as shown in Fig. 14 below. This malicious software is specifically designed to lock the user's files, rendering them inaccessible until a ransom is paid. After the encryption process is completed, the user receives a ransom message, demanding payment in exchange for restoring access to their files. Failure to comply with the ransom demands results in the permanent loss of access to the compromised data.

Furthermore, the malicious executable alters the desktop.ini file, which contains configuration settings for the file system folders. By modifying this file, the malware can manipulate how the file system folders are displayed, potentially further concealing its presence and activities on the infected system. This alteration serves as an attempt to mislead the user and impede the detection of the malware's impact on the file system.

Fig 14. – Encrypted files with .FACKOFF! extension

Stage 3: Decryption Routine

The final stage payload drops the ransom note, executes multiple commands, and implements the stealer functionality; for encryption it uses the .NET RijndaelManaged class (Rijndael/AES). Numerous functions in the payload are named RedEnergy, which gives the malware its name.

In the second stage, the malware downloads the executable SystemPropertiesProtection.exe from the Discord CDN. This leads to the third stage, in which the malware performs actions typical of ransomware. It begins by deleting the volume shadow copies, removing any local restore points. It also deletes the Windows backup catalog, further hindering recovery. A batch file is executed and a ransom note is dropped informing the user that their files have been encrypted. The payload also has stealer capabilities, allowing it to exfiltrate the user's data.

Notably, the Config method, shown in Fig. 15 below, plays a crucial role in decrypting key information. It stores important strings related to the stealer functionality in a dictionary, depicted in Fig. 16, which is used to construct command lines for further operations.

Fig 15. – Config decryption function

Fig 16. – Malware showcasing stealer capabilities

One such decrypted command line, shown in Figure 17, modifies the boot configuration to ignore failures and disables the automatic recovery options in Windows. The payload also drops specific files in the Temp directory, as seen in Figure 18, using it as a camouflage to conceal its malicious intent. Among the files dropped, C.bin serves as a payload, while a batch file contains commands to terminate processes and perform cleanup tasks associated with the payload. Figure 19 illustrates the instructions executed by the batch file.

Fig 17. – Command line executed post decryption

Fig 18. – Dropping supporting files in temp directory

Fig 19. – Content inside batch file

Furthermore, the payload deletes all volume shadow copies (VSS) and the Windows backup catalog using vssadmin, the Windows Management Instrumentation Command-line (WMIC), and wbadmin. The following command lines exemplify this process:

C:\Windows\System32\cmd.exe /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
C:\Windows\System32\cmd.exe /C wbadmin delete catalog -quiet
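As an added example (not part of the original ThreatLabz write-up), the Python below implements the detection a defender would run over process-creation telemetry (Sysmon Event ID 1 or Security 4688) for the commands above. It splits chained cmd.exe /C invocations so each piece is evaluated on its own, then matches against the backup-destruction commands quoted on this page. As an assumption, it also includes the usual bcdedit form of the "ignore boot failures / disable recovery" change described earlier, which the write-up mentions but does not quote. The events are constructed.

```python
import re

# (rule name, regex over one command). The first three match the command lines
# quoted above. The bcdedit pair is the customary form of "ignore all boot
# failures / disable recovery" and is an assumption: the write-up describes
# that change but does not quote the exact command.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("bcdedit_ignore_failures", re.compile(r"\bbcdedit(\.exe)?.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("bcdedit_disable_recovery", re.compile(r"\bbcdedit(\.exe)?.*\brecoveryenabled\s+(no|off)\b", re.I)),
]

CMD_PREFIX = re.compile(r"\bcmd(\.exe)?\s+/[cCkK]\s+")
CHAIN_SPLIT = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")


def split_cmd_chain(cmdline: str) -> list:
    """'cmd.exe /C a & b' runs two commands. Strip the cmd.exe /C prefix and
    split on the shell operators so each command is matched separately; a
    rule anchored on 'wmic' must still fire when wmic follows vssadmin on
    the same line."""
    body = cmdline
    m = CMD_PREFIX.search(cmdline)
    if m:
        body = cmdline[m.end():]
    return [p.strip().strip('"') for p in CHAIN_SPLIT.split(body) if p.strip()]


def match_rules(cmdline: str) -> list:
    """Return the names of all rules that fire for one process command line."""
    hits = []
    for part in split_cmd_chain(cmdline):
        for name, rx in RULES:
            if rx.search(part) and name not in hits:
                hits.append(name)
    return hits


def score_events(events: list) -> dict:
    """events: dicts with 'pid', 'image', 'cmdline'. Returns {pid: [rules]} for
    every event that matched. A single process chaining two or more rules,
    as in the first sample event, is a strong ransomware-impact signal."""
    alerts = {}
    for ev in events:
        hits = match_rules(ev["cmdline"])
        if hits:
            alerts[ev["pid"]] = hits
    return alerts


# Constructed events. The first two mirror the command lines quoted above, the
# third is the assumed bcdedit pair, the last two are benign noise.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\System32\cmd.exe /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete"},
    {"pid": 4188, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\System32\cmd.exe /C wbadmin delete catalog -quiet"},
    {"pid": 4210, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\System32\cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no"},
    {"pid": 5000, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin list shadows"},
    {"pid": 5001, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /C dir C:\Users & echo done"},
]

if __name__ == "__main__":
    for pid, rules in score_events(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

In production these rules belong in the EDR or SIEM (the same logic is expressible as a Sigma rule over process_creation); the point of splitting the chain is that the wmic command never appears as its own process image when it is launched through cmd.exe /C, so matching on image name alone misses it.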

Additionally, the payload goes through a three-stage process to gather antivirus (AV) information. Based on this information it builds a string that it sends to the Command and Control (CnC) server as the User-Agent, as depicted in Figure 20 below. In the analysis environment the detected AV was Windows Defender. STM, RSM, and RZ likely encode additional information related to Windows Defender.

Lastly, the payload is responsible for dropping the final ransom note, read_it.txt, shown in Figure 21. This note is placed in all the folders where file encryption occurs, serving as a notification to the user that their files have been encrypted and demanding a ransom for their release.

Fig 20. – User Agent built from malicious code storing AV information

Fig 21. – Screenshot of the ransom note
Zscaler Sandbox Coverage

Zscaler's security sandbox actively detects indicators for this threat, helping Zscaler customers defend against such attacks automatically, as shown in Fig. 22 below.

Fig 22. – Zscaler sandbox report

The following threat names are detected by Zscaler's multilayered cloud security platform for identifying malicious payloads: Win32.Downloader.RedEnergyStealer
Conclusion

In conclusion, the analysis of the malware campaign targeting the Philippines Industrial Machinery Manufacturing Company, along with other industries through reputable LinkedIn pages, has revealed a sophisticated, multi-stage attack. The campaign distributes malware disguised as browser updates, leading unsuspecting users to malicious websites where they unknowingly download the RedEnergy stealer executable. Similar campaigns have been observed targeting companies in Brazil, highlighting the broad reach of this threat.

The technical analysis of the malware has exposed its dual functionality as both a stealer and ransomware, representing a concerning evolution in the development of ransomware-like attacks. The malware employs obfuscation techniques and leverages HTTPS for command and control communication, making it challenging to detect and analyze. It operates through multiple stages, starting with the execution of the malicious executable masquerading as a browser update. Subsequently, it drops files, establishes persistence, and initiates outgoing requests to communicate with DNS servers and download additional payloads from remote locations.

The discovery of suspicious FTP interactions raises further concerns about potential data exfiltration and unauthorized file uploads. The malware's ransomware modules are responsible for encrypting user data using the ".FACKOFF!" extension, rendering it inaccessible until a ransom is paid. Additionally, the alteration of the desktop.ini file enhances the malware's ability to evade detection and manipulate file system folder display settings.

The final stage of the malware execution deletes volume shadow copies and the Windows backup catalog, solidifying its ransomware characteristics. A batch file is executed, and a ransom note is dropped, demanding payment in exchange for decrypting the files. Furthermore, the malware exhibits stealer functionality, enabling the theft of user data.

Overall, this analysis highlights the evolving and highly sophisticated nature of cyber threats targeting various industries and organizations. It emphasizes the critical importance of implementing robust security measures, fostering user awareness, and ensuring prompt incident response to effectively mitigate the impact of such attacks. By remaining vigilant and implementing comprehensive cybersecurity strategies, businesses can better protect themselves against these malicious campaigns and safeguard their valuable data.

Zscaler's ThreatLabz team remains dedicated to monitoring these threats and sharing their findings with the wider community. It is crucial for individuals and organizations to stay informed and take necessary precautions to defend against malware attacks. This includes regularly updating software, using strong passwords, and exercising caution when encountering suspicious emails or messages. By collectively addressing these challenges, we can enhance the security of our digital landscape and mitigate the risks associated with evolving cyber threats.
MITRE ATT&CK TTP Mapping

ID         Tactic            Technique
T1036      Defense Evasion   Masquerading
T1185      Collection        Browser Session Hijacking
T1070.006  Defense Evasion   Timestomp
T1560      Collection        Archive Collected Data
T1027      Defense Evasion   Obfuscated Files or Information
T1562.001  Defense Evasion   Disable or Modify Tools

Indicators Of Compromise (IOCs)

Main Payload (MD5): fb7883d3fd9347debf98122442c2a33e
Download URL: www[.]igrejaatos2[.]org/assets/programs/setupbrowser[.]exe
Dropper Payload (MD5): cb533957f70b4a7ebb4e8b896b7b656c
Connecting Domain: 2no[.]co
Final Payload (MD5): 642dbe8b752b0dc735e9422d903e0e97

Key Points

Mystic Stealer is a new information stealer that was first advertised in April 2023
Mystic steals credentials from nearly 40 web browsers and more than 70 browser extensions
The malware also targets cryptocurrency wallets, Steam, and Telegram
The code is heavily obfuscated making use of polymorphic string obfuscation, hash-based import resolution, and runtime calculation of constants
Mystic implements a custom binary protocol that is encrypted with RC4

How do you know when something is in hot demand in the underground economy? The same way you do in the real world – the market becomes flooded. This is the story of information stealers today. "Stealers" are a kind of malware designed to run on an endpoint post-compromise, while their primary features center on the theft of user data. Oftentimes this is credential data, but it can be any data that may have financial value to an adversary; this includes paid online service accounts, cryptocurrency wallets, instant messenger, or email contacts lists, etc. Stealers also bridge the realms of criminal and nation-state focus. Many espionage-focused threat groups operate stealer families for pilfering information from target networks. Credential information can further increase access or penetration into an environment. Demand for compromised credentials to fuel criminal access to user accounts and target networks has resulted in a steady stream of newly developed information-stealing malware, keeping account markets stocked. With the amount of visibility we have at Zscaler, we are accustomed to encountering new threats on a daily basis. Enter Mystic Stealer, a fresh stealer lurking in the cyber sphere, noted for its data theft capabilities, obfuscation, and an encrypted binary protocol to enable it to stay under the radar and evade defenses. Together with our colleagues at InQuest, we present a deep dive technical analysis of the malware. We also share indicators from an in-depth analysis of the infrastructure footprint of deployed Mystic Stealer controllers and countermeasures for detecting the client in your environment.

Note: the content of this blog is also hosted by InQuest here.
The Data Heist Specialist

Mystic Stealer focuses on data theft, exhibiting capabilities that allow it to pilfer a wide array of information. For starters, it is designed to collect computer information such as the system hostname, user name, and GUID. It also identifies a likely system user geolocation using the locale and keyboard layout. But it doesn't stop there.

Key Mystic Stealer functions include its ability to extract data from web browsers and cryptocurrency wallets. Like many stealers, it collects auto-fill data, browsing history, arbitrary files, cookies, and information related to cryptocurrency wallets. Whether it's Bitcoin, DashCore, Exodus, or any other popular crypto wallet, Mystic Stealer has it covered. Mystic can also steal Telegram and Steam credentials.

Interestingly, the stealer does not require the integration of third-party libraries for decrypting or decoding target credentials. Some leading stealer projects download DLL files post-install to implement functionality to extract credentials from files on the local system. Instead, Mystic Stealer collects and exfiltrates information from an infected system and then sends the data to the command & control (C2) server that handles parsing. This is a different approach from many leading stealers and is likely an alternate design to keep the size of the stealer binary smaller and the intention less clear to file analyzers.

The Mystic Stealer crimeware is implemented in C for the client and Python for the control panel.
Technical Analysis

Looking at the existing releases, it seems clear that the developer of Mystic Stealer is looking to produce a stealer on par with the current trends of the malware space while attempting to focus on anti-analysis and defense evasion.

In terms of capabilities, it's a fairly standard set of functionality as seen with many stealers today. The malware collects system information which is packaged together for a check-in to the C2 server:

Keyboard layout
Locale
CPU information
Number of CPU processors
Screen dimensions
Computer name
Username
Running processes
System architecture
Operating system version

Key data theft functionality includes the ability to capture history and auto-fill data, bookmarks, cookies, and stored credentials from nearly 40 different web browsers. In addition, it collects Steam and Telegram credentials as well as data related to installed cryptocurrency wallets. The malware targets more than 70 web browser extensions for cryptocurrency theft and uses the same functionality to target two-factor authentication (2FA) applications. The approach used by Mystic Stealer is similar to what was reported for Arkei Stealer. Further details on targeted browsers, cryptocurrency plugins, and 2FA apps are available in the appendix.

Depending on a configuration provided by the C2 server, the malware will capture a screenshot of the desktop, which is exfiltrated to the C2 server.

On May 20, the Mystic Stealer seller posted updates that include loader functionality and a persistence capability to forums as shown in Figure 1. Loader refers to the ability to download and execute additional malware payloads. This is reflective of a continuing trend where loaders allow one threat actor to support the distribution of affiliate malware being loaded on compromised devices. This is already a notable risk for many organizations due to the use of malware distribution networks and initial access brokers for the distribution of high-severity payloads like ransomware. It underscores the need to take preventative steps to ensure a security posture that reduces the risk of malware delivery and footholds early on in attack campaigns.

Figure 1. MysticStealer forum post advertising v1.2 update with loader support

As previously noted, there are several anti-analysis and evasion features additionally present in Mystic Stealer:

Binary expiration. The trojan terminates if the running build is older than a specified date. This is likely an execution guardrail against anti-malware researchers and sandboxes that analyze the sample long after it was meant to be distributed or executed on victim machines. Figure 2 shows a Mystic Stealer sample that retrieves the current system time and compares it to 1685318914 (0x6473ED02), which as a Unix epoch value corresponds to Sun May 28 17:08:34 2023 US Pacific time (2023-05-29 00:08:34 UTC).

Figure 2. Example Mystic Stealer date expiration feature

Anti-virtualization. Mystic Stealer is configurable and some samples contain anti-VM features, detecting hypervisor runtime environments, and avoiding execution. This is helpful for avoiding execution in sandbox environments but it isn't always effective.

Mystic uses the CPUID assembly instruction to detect virtual environments by inspecting the result for specific values that are indicative of virtualization software. In particular, the code checks for the manufacturer ID string (with a length of 12 bytes) for the following values:

“XenVMMXenVMM” (Xen HVM)
“VMwareVMware” (VMware)
“Microsoft Hv” (Microsoft Hyper-V)
“ KVMKVMKVM “ (KVM)
“prl hyperv “ (Parallels)
“VBoxVBoxVBox” (VirtualBox)

This detection code is likely derived from Pafish.

Windows APIs imported by hash. The stealer resolves and dynamically loads Windows APIs using a custom XOR based hashing algorithm represented in the Python snippet shown below:

Note that the constant value (e.g., 0x240CE91) changes between Mystic samples. The malware walks the export tables for the following Windows DLLs and hashes each export name until a match is found:

Kernel32.dll
Advapi32.dll
Gdiplus.dll
Crypt32.dll
User32.dll
Ws2_32.dll
Ole32.dll
Gdi32.dll
Ntdll.dll

Dynamic constant calculation. Constant values in the code are obfuscated and dynamically calculated at runtime. For example, the API hashing algorithm shown above uses the constant 0x240CE91. However, this constant does not directly exist in the code. Instead, the value 0x240CEA6 is present and the code performs an XOR operation with the value 0x37 to produce the actual constant 0x240CE91 as shown in Figure 3.

Figure 3. Example Mystic Stealer constant obfuscation technique

Encrypted binary custom protocol. The client communicates with the C2 server using a custom protocol over TCP, which we discuss in more depth later.

Polymorphic string obfuscation. We identified that the malware obfuscates strings using a library that is very similar to ADVobfuscator. The obfuscator generates code at compile time that builds strings on the stack, which are then decrypted at runtime. The obfuscation is polymorphic, and therefore, every sample will contain strings that are uniquely encrypted with simple mathematical operations such as addition, subtraction, and XOR. As a result, this technique may bypass static antivirus signatures and complicate malware reverse engineering.

The Mystic Stealer seller refers to this obfuscation as a morpher that obfuscates builds with full undetectability (FUD) in sales threads. In one forum, the seller advertised that the project's morpher enabled the bypass of SmartScreen, which members identified as a dubious claim based on the operation of obfuscators and SmartScreen. Some forum users suspected the use of an open-source obfuscator. This ended up as a point of contention in the forum, lowering the perception and trust of the project with some users.
C2 Communication

Mystic Stealer communicates with its command and control (C2) servers using a custom binary protocol over TCP.

The client sends a hello message containing a constant 4-byte value (0x946F19B5, which appears on the wire as the little-endian byte sequence b5 19 6f 94) to the C2 server.
The C2 responds with 256 bytes of binary data that is used as an RC4 key for all subsequent communications.
The client obtains the machine GUID from the registry value SOFTWARE\Microsoft\Cryptography\MachineGuid (under HKEY_LOCAL_MACHINE).
The client encrypts the GUID value (along with this GUID length) using RC4 and sends it to the C2 server.
The format of packets received from the server consists of a 4 byte big endian data size value followed by the data buffer. All data is encrypted with RC4.
The C2 server responds back with a binary configuration of the actions to perform (steal credentials, take screenshots, steal cryptocurrency wallets, etc). This configuration is structured by 1’s and 0’s representing whether to enable or disable a feature, respectively.
Data stolen from the infected system is labeled with specific binary tags that identify the type of information when it is sent to the C2 server.
Unlike most stealers that will harvest data in full and then exfiltrate it to a C2 server with a single request, Mystic Stealer will collect various types of information and immediately send the data to a C2 server on-the-fly without storing or writing data to the disk, which may be detected by EDR/antivirus applications.
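
The exchange described in the steps above, reconstructed as an added example (this is illustration code written for this page, not the malware's own code and not from the original post). The facts it uses are the ones stated above: the 4-byte hello 0x946F19B5 sent little-endian, a 256-byte server reply used as the RC4 key, a MachineGuid check-in, and 4-byte big-endian length-prefixed server frames. Everything else is an assumption and is marked as such in the code: the check-in layout (a 4-byte little-endian length followed by the ASCII GUID), a fresh RC4 keystream per message, and the hypothetical feature order used to interpret the 0/1 configuration bytes.

```python
"""Mystic Stealer C2 handshake, reconstructed for illustration (not original code).

Facts from the write-up: hello 0x946F19B5 (wire: b5 19 6f 94), 256-byte RC4 key
from the server, MachineGuid check-in, 4-byte big-endian length-prefixed frames.
Assumptions (not stated in the write-up): check-in layout, one RC4 keystream per
message, and the feature order of the 0/1 config bytes.
"""
import os
import struct

HELLO_MAGIC = 0x946F19B5
HELLO_WIRE = struct.pack("<I", HELLO_MAGIC)      # b"\xb5\x19\x6f\x94"

# Hypothetical order of the 0/1 feature bytes (assumption, for the demo only).
CONFIG_FEATURES = ("steal_credentials", "screenshots", "crypto_wallets")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypt and decrypt are the same operation."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_checkin(key: bytes, machine_guid: str) -> bytes:
    """Client check-in: RC4(len || guid). The length layout is an assumption."""
    guid = machine_guid.encode("ascii")
    return rc4(key, struct.pack("<I", len(guid)) + guid)


def parse_checkin(key: bytes, blob: bytes) -> str:
    """Server-side decode of the check-in (same assumed layout)."""
    plain = rc4(key, blob)
    (n,) = struct.unpack("<I", plain[:4])
    return plain[4:4 + n].decode("ascii")


def build_server_frame(key: bytes, payload: bytes) -> bytes:
    """Server frame: 4-byte big-endian size, then the RC4-encrypted payload."""
    enc = rc4(key, payload)
    return struct.pack(">I", len(enc)) + enc


def read_server_frame(key: bytes, stream: bytes) -> tuple:
    """Consume one frame from a byte stream; return (plaintext, remaining)."""
    if len(stream) < 4:
        raise ValueError("short frame header")
    (n,) = struct.unpack(">I", stream[:4])
    if len(stream) < 4 + n:
        raise ValueError("truncated frame")
    return rc4(key, stream[4:4 + n]), stream[4 + n:]


def decode_config(payload: bytes) -> dict:
    """Map the 0/1 bytes onto the hypothetical feature names."""
    return {name: i < len(payload) and payload[i] == 1
            for i, name in enumerate(CONFIG_FEATURES)}


def simulate_session(machine_guid: str, config_bits: bytes) -> dict:
    """Run both sides in-process and return the config the client would act on."""
    # 1. client -> server: constant hello
    assert HELLO_WIRE == b"\xb5\x19\x6f\x94"
    # 2. server -> client: 256 bytes that become the RC4 session key (sent in clear)
    session_key = os.urandom(256)
    # 3./4. client reads MachineGuid (constructed value here) and checks in
    checkin = build_checkin(session_key, machine_guid)
    assert parse_checkin(session_key, checkin) == machine_guid
    # 5./6. server -> client: length-prefixed, RC4-encrypted task configuration
    wire = build_server_frame(session_key, config_bits)
    payload, rest = read_server_frame(session_key, wire)
    assert rest == b""
    return decode_config(payload)


if __name__ == "__main__":
    # Constructed GUID, not from a real host.
    print(simulate_session("0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9", b"\x01\x00\x01"))
```

Two practical consequences follow from the description alone, independent of the assumptions: the RC4 key travels in the clear as the server's 256-byte reply, so a full packet capture of a session is enough to decrypt everything the bot exfiltrated over it; and if the real implementation restarts the RC4 state per message (as this demo does) rather than continuing one keystream, the keystream is reused across messages, which is the classic RC4 misuse that makes known-plaintext recovery of other messages possible.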

The builder enables operators to specify up to four C2 endpoints. This is often used in crimeware to provide resiliency in case some servers are offline or blocklisted. In Mystic Stealer binaries, there are two arrays consisting of 4 DWORDs each that are encrypted with a modified XTEA-based algorithm. Thus, each sample can configure up to 4 IP addresses and ports. A Python-based implementation of the decryption algorithm for Mystic C2s is shown below:

A few generations of the C2 servers seem to utilize a default port of 16287/tcp as seen in Figure 4 of the control panel builder dialog posted in a sales thread on underground forums. We have not observed file samples where this port was utilized for the configured C2 servers. The following C2 ports have been observed in identified samples, providing some clustering by build configurations:

15555/tcp
15556/tcp
13219/tcp

Figure 4. Mystic Stealer control panel builder dialog

C2 server footprint

The stealer has been linked to multiple server-hosting IP addresses across a diverse geographic spectrum, including but not limited to registrations in France, Germany, Russia, the United States, and China. We list C2 servers identified by the hosting panel and C2 callbacks in the appendix. Large commercial hosting provider Hetzner (AS24940) accounts for nearly half of the hosts in addition to a number at OVH (AS16276). However, we also note a number of servers within the Latvian, Bulgarian and Russian hosting spheres. These include:

Aeza Group Ltd (AS210644)
GIR-AS (AS207713)
Partner-AS / LetHost LLC (AS204603)
Scalaxy B.V. (AS58061)
Sukhoi Su-57 LLC (AS46308)
WAICORE-TRANSIT (AS202973)

Some of these providers stand out as potential contenders in the realm of bulletproof hosting, a term that sets off alarm bells in the cybersecurity world. Bulletproof hosting providers are entities that offer services with a particular appeal to individuals and groups engaged in nefarious activities, due to the providers' lax enforcement of legal norms and frequent protection and misdirection efforts that they take on behalf of criminal clientele. These services are often used to host malware, command and control servers, phishing campaigns, and other illicit digital operations. InQuest and Zscaler note a particular tendency of operators of credential stealers and other malware as a service (MaaS) systems to utilize protected backend hosting in the underground services space. This strategy often affords greater capabilities in blocklist avoidance as well as the reduced impact of takedown efforts and law enforcement reach.

The "Grand" cluster

One particular cluster of C2 servers sticks out when searching for hosted control panels. We have labeled this the "Grand" cluster based on WHOIS artifacts seen with some domains. We have included a list of these domains in the appendix. This group of domains is noted to share the following attributes:

Cloudflare nameservers and CDN fronting

Nameservers: meadow, jimmy

Registration details:

Domains registered mid-late 2022
Registrar: Public Domain Registry (PDR Ltd.)
Registrant State/Province: Novosibirskaya oblast
Registrant Country: RU
Registrant: Grand (grand.bbs[@]yandex.ru)

We note that while the majority of domains follow the above registration convention, a few outliers exist. For example, the domain alchemistwallet[.]io is registered with NetEarth One Inc., and one or more domains use different authoritative nameserver pairs (amit, jacqueline; rosalyn, stan). One or more domains were additionally registered in 2023.

Several of these domains were mentioned in a note by FalconFeedsio. We believe that these domains were likely picked up from domain aftermarket resale, a tactic that can yield tangible value for an adversary. Already-registered domains carry established reputation attributes based on past usage, and we note that some of these domains carry reputation scores in various datasets indicating that they had relatively high rankings. For example, looking at gujaratstudy[.]in, we can see that the domain was most recently registered on 2022-10-07. Prior to this date, in 2021, the domain was registered and hosted by a previous owner, with DNS resolution observed through October of 2021. After the new DNS registration by the Grand persona, the domain was initially live via authoritative DNS at regway.com on 2022-10-08, and then migrated to Cloudflare DNS on 2022-10-11. This pattern is fairly consistent across domains in the Grand cluster. Another domain, bhandarapolice[.]org, appears to have previously been used for the official website of an Indian district police department. The domain's category labels on VirusTotal still reflect a positive reputation: government, public information, top-1M. A WHOIS record showing the registration details of a representative domain from this set is available in the appendix.

The following domains and registration dates are samples of some domains found in this cluster:

HANOIGARDEN[.]NET (2022-07-19)
BHANDARAPOLICE[.]ORG (2022-07-20)
ENGTECHJOURNAL[.]ORG (2022-07-20)
MARISOLBLOOMS[.]COM (2022-07-20)
WORDCZARMEDIA[.]COM (2022-08-07)
COLORADOTRUCKIE[.]COM (2022-08-14)
BABYPICTURESULTRASOUND[.]COM (2022-09-08)
SACREDSPACE-SF[.]COM (2022-09-08)
TEAMMSOLUTIONS[.]COM (2022-09-08)
AFRICAHELP[.]ORG (2022-09-13)
BAYSWATERHOLDING[.]COM (2022-09-20)
ASHRAYAKRUTIFOUNDATION[.]ORG (2022-10-07)
GUJARATSTUDY[.]IN (2022-10-07)

The nature of the Grand cluster is not completely known at this time. Until recently, the domains have been live and serving Mystic Stealer control panels as shown in Figure 5 below.

Figure 5. Example Mystic Stealer control panel domains cached in Google Search cache related to the Grand cluster

While it is possible that they are simply C2 servers, we did not identify file samples associated with them. Recently, many of the sites appear to have gone offline, with the upstream CDN reporting connection failures. It is possible that the domains are part of a traffic distribution system or a frontend proxy service.
Control Panel

The Mystic Stealer developers provide a web-based admin control panel as shown in Figure 6.

Figure 6. Mystic Stealer web admin control panel login page

Crimeware control panels allow operators to configure settings and access data collected from deployed malware, and typically serve as the interface for criminal users to interact with the software. Common functions include statistics dashboards, malware builders, controlling options and features, credential log and data access, integration configurations, and more. The Mystic Stealer control panel operates out of band, on a separate exposed service port from the one the malware uses for C2 communications. The developers utilize the Python Django web framework for the control panel. While not exclusive, the use of Python frameworks in crimeware development, typically dominated by PHP applications, is somewhat rare. As a historical example, another crimeware project implemented on Django was the Nice Pack exploit kit.

The control panel is deployed on a customer's server. The commonly observed service port for deployed panels is 443/tcp. An earlier observed deployment in March 2023 utilized 8005/tcp.

A number of community members have shared information identifying IP addresses of hosting panels. A number of these are also identified and archived on urlscan.io:

2023-03-22 https://urlscan.io/result/535841c6-ea4a-4e8c-85b7-e19bd5ad68e5

Control panel – hXXp://164.132.200[.]171:8005/login/

2023-03-22 https://urlscan.io/result/7b2e16cb-9b66-4192-8b69-98fb89fa12ea/

Control panel – hXXp://164.132.200[.]171:8005/login/

2023-05-02 https://urlscan.io/result/3fdaf5e7-a741-4cb8-8fa9-dedb00b1672b

Control panel – hXXp://135.181.47[.]95/login/

2023-05-02 https://urlscan.io/result/5d326ed9-3bcc-40f3-9fd2-2bdea6fd800f

Control panel – hXXp://95.216.32[.]74/login/

2023-05-04 https://urlscan.io/result/882d8d05-1523-41eb-892f-ba58d6656512/

Control panel – hXXp://185.252.179[.]18/

2023-05-04 https://urlscan.io/result/cc6be796-ee37-4cc4-a37f-c9abb9bf17bc/

Django admin control panel – hXXp://185.252.179[.]18/admin/

2023-05-15 https://urlscan.io/result/16f972cb-adb8-486a-9bff-3bebb673792e/

Control panel – hXXp://212.113.106[.]114/login/

2023-05-25 https://urlscan.io/result/b5224ba6-1b50-42b0-b453-46204ebd1358/

Django admin control panel – hXXp://www.coloradotruckie[.]com/admin/

2023-06-05 https://urlscan.io/result/016de1c6-cb24-4e3a-9ffa-5f8c21edf2c5/

Control panel – hXXp://213.142.147[.]235/login/

Tracking an installation of a control panel for the month of May, we've seen the version of the deployed panel change, likely reflecting upgrades by the customer:

2023-05-03: Mystic Stealer – Login
2023-05-08: Mystic Stealer v1.1 – Login
2023-05-31: Mystic Stealer v1.2 – Login

We also note that the utilized page style is not exclusive to Mystic Stealer, appearing to be borrowed from or relating to a more broadly accessible template seen with other applications. The control panel UI kit appears to be based on Datta Able for Django. We do not believe there is any connection between this project and Mystic Stealer. It is likely that the Mystic Stealer developer is simply using the publicly available open-source UI kit.
Presence on Underground Forums

Mystic Stealer made its public debut on underground forums in late April 2023, several weeks after initial samples were known to surface. A seller named Mystic Stealer joined the WWH (WWH-Club) and BHF (Best Hack Forums, using the name MysticStealer) forums just a couple of days before posting, and the stealer was listed for rent at a price of $150 per month. The seller later advertised Mystic Stealer on the XSS forum. Information-stealing trojans are a hot commodity in the underground economy, underscoring the level of emphasis the criminal community places on the collection of credentials to drive initial access into target user accounts and network environments. With its comprehensive data collection capabilities, it's no surprise that Mystic Stealer has caught the attention of members of these forums. According to observed advertisements, this seller also operates a Telegram account named @mysticstealer and the channel t[.]me/+ZjiasReCKmo2N2Rk (Mystic Stealer News).
Conclusion

As Mystic Stealer is a new player, it's hard to predict its trajectory. What's clear, however, is that it's a sophisticated threat with the potential for widespread damage. Over the past few weeks, we've observed a fascinating dance of panels appearing and disappearing. Yet, amidst this volatility, a number of these elusive entities have maintained their persistent presence. These patterns could be attributed to a range of factors: perhaps a surge in fresh sales, the relentless pursuit of takedowns, or the unpredictable behavior of the customers themselves.

This was a joint research collaboration between Zscaler ThreatLabz and InQuest. Special thanks to all of those involved from InQuest Labs.
Cloud Sandbox

In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to Mystic Stealer at various levels with the following threat names:

Win32.Trojan.Mystic.KV

Appendix

C2 server endpoints observed in recent bot configurations

194.169.175[.]123:13219
185.252.179[.]18:13219
142.132.201[.]228:13219
135.181.47[.]95:13219
94.130.164[.]47:13219
94.23.26[.]20:13219
91.121.118[.]80:13219

Targeted web browsers

Opera
K-Meleon
Mozilla icecat
Mozilla Firefox
Comodo IceDragon
8pecxstudios Cyberfox
NETGATE Technologies BlackHawk
Torch
Chedot
Kometa
liebao
Comodo
Iridium
Vivaldi
Orbitum
K-Melon
Chromium
QIP Surf
Maxthon3
Nichrome
Chromodo
Amigo
7Star
CentBrowser
Mail.Ru Atom
Google Chrome
Coowon
uCozMedia Uran
CocCoc Browser
Microsoft Edge
Sputnik
Elements Browser
360Browser
Epic Privacy Browser
CatalinaGroup Citrio
YandexBrowser
MapleStudio ChromePlus
Brave-Browser
Fenrir Inc Sleipnir5 ChromiumViewer

Targeted MFA and cryptocurrency wallet browser extensions

Extension ID                        Browser Extension Name
ibnejdfjmmkpcnlpebklmnkoeoihofec    TronLink
fhbohimaelbohpjbbldcngcnapndodjp    BinanceChain
ffnbelfdoeiohenkjibnmadjiehjhajb    Yoroi
jbdaocneiiinmjbjlgalhcelgbejmnid    Nifty Wallet
afbcbjpbpfadlkmhmclhkeeodmamcflc    Math Wallet
hnfanknocfeofbddgcijnmhnfnkdnaad    Coinbase Wallet
hpglfhgfnhbgpjdenjgmdgoeiappafln    Guarda
blnieiiffboillknjnepogjhkgnoapac    EQUAL Wallet
cjelfplplebdjjenllpjcblmjkfcffne    Jaxx Liberty
fihkakfobkmkjojpchpfgcmhfjnmnfpi    BitApp Wallet
kncchdigobghenbbaddojjnnaogfppfj    iWallet
amkmjjmmflddogmhpjloimipbofnfjih    Wombat
nlbmnnijcnlegkjjpcfjclmcfggfefdm    MEW CX
nanjmdknhkinifnkgdcggcfnhdaammmj    GuildWallet
nkddgncdjgjfcddamfgcmfnlhccnimig    Saturn Wallet
fnjhmkhhmkbjkkabndcnnogagogbneec    Ronin Wallet
cphhlgmgameodnhkjdmkpanlelnlohao    NeoLine
nhnkbkgjikgcigadomkphalanndcapjk    Clover Wallet
kpfopkelmapcoipemfendmdcghnegimn    Liquality Wallet
aiifbnbfobpmeekipheeijimdpnlpgpp    Terra Station
dmkamcknogkgcdfhhbddcghachkejeap    Keplr
fhmfendgdocmcbmfikdcogofphimnkno    Sollet
cnmamaachppnkjgnildpdmkaakejnhae    Auro Wallet
jojhfeoedkpkglbfimdfabpdfjaoolaf    Polymesh Wallet
flpiciilemghbmfalicajoolhkkenfel    ICONex
nknhiehlklippafakaeklbeglecifhad    Nabox Wallet
hcflpincpppdclinealmandijcmnkbgn    KHC
ookjlbkiijinhpmnjffcofjonbfbgaoc    Temple
mnfifefkajgofkcjkemidiaecocnkjeh    TezBox
lodccjjbdhfakaekdiahmedfbieldgik    DAppPlay
ijmpgkjfkbfhoebgogflfebnmejmfbml    BitClip
lkcjlnjfpbikmcmbachjpdbijejflpcm    Steem Keychain
nkbihfbeogaeaoehlefnkodbefgpgknn    MetaMask
bcopgchhojmggmffilplmbdicgaihlkp    Hycon Lite Client
klnaejjgbibmhlephnhpmaofohgkpgkd    ZilPay
aeachknmefphepccionboohckonoeemg    Coin98 Wallet
bhghoamapcdpbohphigoooaddinpkbai    Authenticator
dkdedlpgdmmkkfjabffeganieamfklkm    Cyano Wallet
nlgbhdfgdhgbiamfdfmbikcdghidoadd    Byone
onofpnbbkehpmmoabgpcpmigafmmnjhl    Nash Extension
cihmoadaighcejopammfbmddcmdekcje    Leaf Wallet
gaedmjdfmmahhbjefcbgaolhhanlaolb    Authy 2FA
oeljdldpnmdbchonielidgobddffflal    EOS Authenticator
ilgcnhelpchnceeipipijaljkblbcobl    GAuth Authenticator
imloifkgjagghnncjkhggdhalmcnfklk    Trezor Password Manager
infeboajgfhgbjpjbeppbkgnabfdkdaf    OneKey
cgeeodpfagjceefieflmdfphplkenlfk    EVER Wallet
pdadjkfkgcafgbceimcpbkalnfnepbnk    KardiaChain Wallet
acmacodkjbdgmoleebolmdjonilkdbch    Rabby Wallet
bfnaelmomeimhlpmgjnjophhpkkoljpa    Phantom
fhilaheimglignddkjgofkcbgekhenbh    Oxygen – Atomic Crypto Wallet
mgffkfbidihjpoaomajlbgchddlicgpn    Pali Wallet
hmeobnfnfcmdkdcmlblgagmfpfboieaf    XDEFI Wallet
lpfcbjknijpeeillifnkikgncikgfhdo    Nami
dngmlblcodfobpdpecaadgfbcggfjfnm    MultiversX DeFi Wallet
bhhhlbepdkbapadjdnnojkbgioiodbic    Solflare Wallet
jnkelfanjkeadonecabehalmbgpfodjm    Goby
jhgnbkkipaallpehbohjmkbjofjdmeid    SteemKeychain
jnlgamecbpmbajjfhmmmlhejkemejdma    Braavos Smart Wallet
kkpllkodjeloidieedojogacfhpaihoh    Enkrypt: Ethereum, Polkadot & RSK Wallet
mcohilncbfahbmgdjkbpemcciiolgcge    OKX Wallet
gjagmgiddbbciopjhllkdnddhcglnemk    Hashpack
kmhcihpebfmpgmihbkipmjlmmioameka    Eternl
phkbamefinggmakgklpkljjmgibohnba    Pontem Aptos Wallet
lpilbniiabackdjcionkobglmddfbcjo    Keeper Wallet
cjmkndjhnagcfbpiemnkdpomccnjblmj    Finnie
aijcbedoijmgnlmjeegjaglmepbmpkpi    Leap Terra Wallet
fdjamakpfbbddfjaooikfcpapjohcfmg    Dashlane — Password Manager
fooolghllnmhmmndgjiamiiodkpenpbb    NordPass® Password Manager & Digital Vault
pnlccmojcmeohlpggmfnbbiapkmbliob    RoboForm Password Manager
hdokiejnpimakedhajhdlcegeplioahd    LastPass: Free Password Manager
naepdomgkenhinolocfifgehidddafch    Browserpass
bmikpgodpkclnkgmnpphehdgcimmided    MYKI Password Manager & Authenticator
efbglgofoippbgcjepnhiblaibcnclgk    Martian Wallet for Sui & Aptos

Targeted cryptocurrency applications

MyMonero
Exodus
Binance
Raven
Armory
Dogecoin
MultiBit
Bitcoin
DashCore
Electrum
Litecoin
BitcoinGold
WalletWasabi
Atomic
Guarda
Electrum-LTC
MyCrypto
Bisq
DeFi Blockchain
Coinomi
TokenPocket

Network signatures

The following Suricata signatures detect the initial C2 connection key exchange:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL Mystic Stealer C2 Client Hello Packet"; flow:established,to_server; flowbits:set, mystic_stealer_conn_init; flowbits:noalert; dsize:4; content:"|b5 19 6f 94|"; fast_pattern; reference:md5,df80b1e50cfebb0c4dbf5ac51c5d7254; classtype:trojan-activity; sid:9999990; rev:1; metadata:created_at 2023_06_02, malware_family Mystic Stealer, signature_severity Major, updated_at 2023_06_02;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Mystic Stealer C2 Session Key Response Packet"; flow:established,to_client; flowbits:isset, mystic_stealer_conn_init; dsize:256; reference:md5,df80b1e50cfebb0c4dbf5ac51c5d7254; classtype:trojan-activity; sid:9999991; rev:1; metadata:created_at 2023_06_02, malware_family Mystic Stealer, signature_severity Major, updated_at 2023_06_02;)
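
The two-rule flowbits logic above is easy to get subtly wrong, so here is an added example (written for this page; it is not Suricata and not part of the original post) that re-implements the gating in a few lines of Python and runs it over a constructed packet list. Each record is (flow_id, direction, payload) where payload is the TCP segment data only, which is what Suricata's dsize measures; the flows are made up to exercise the cases a practitioner would want to check.

```python
"""Re-implementation of the two Mystic Stealer Suricata rules (illustration only).

Rule 1 (sid 9999990): to_server, dsize:4, content b5 19 6f 94 -> set flowbit, noalert.
Rule 2 (sid 9999991): to_client, dsize:256, flowbit set -> alert.
"""
HELLO = bytes.fromhex("b5196f94")   # 0x946F19B5 little-endian, as in the rule
KEY_RESPONSE_SIZE = 256
SID_KEY_RESPONSE = 9999991
MSG_KEY_RESPONSE = "LOCAL Mystic Stealer C2 Session Key Response Packet"


def detect(packets):
    """Return [(flow_id, sid, msg), ...] in the order Suricata would alert.

    The hello rule only sets a per-flow bit (flowbits:set + noalert); the key
    response rule fires only when that bit is already set on the same flow.
    """
    conn_init = set()           # flowbits:mystic_stealer_conn_init, per flow
    alerts = []
    for flow_id, direction, payload in packets:
        if direction == "to_server" and len(payload) == 4 and payload == HELLO:
            conn_init.add(flow_id)
        elif (direction == "to_client"
              and len(payload) == KEY_RESPONSE_SIZE
              and flow_id in conn_init):
            alerts.append((flow_id, SID_KEY_RESPONSE, MSG_KEY_RESPONSE))
    return alerts


# Constructed traffic (not a real capture):
SAMPLE = [
    # flow 1: textbook handshake -> exactly one alert
    (1, "to_server", HELLO),
    (1, "to_client", bytes(256)),
    # flow 2: a 256-byte server reply with no prior hello -> no alert
    (2, "to_client", bytes(256)),
    # flow 3: hello coalesced with the check-in into one segment -> dsize != 4,
    # so the bit is never set and the key response goes unnoticed
    (3, "to_server", HELLO + b"\x00" * 40),
    (3, "to_client", bytes(256)),
    # flow 4: hello, then a 257-byte reply -> dsize mismatch, no alert
    (4, "to_server", HELLO),
    (4, "to_client", bytes(257)),
]


if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Flow 3 is the case to keep in mind when tuning: dsize:4 on the hello means the rules depend on the client's first send() landing in its own TCP segment. That is the usual behaviour, but it is not guaranteed, and a relaxed variant (for example content at depth 4 with flowbits still gating the 256-byte reply) trades a little precision for robustness against segment coalescing.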

Indicators of Compromise

Mystic Stealer C2 servers
Domains observed in the Grand cluster
Grand cluster domain nameservers
Grand domain cluster WHOIS sample

Sample hashes

Hash / Notes

47439044a81b96be0bb34e544da881a393a30f0272616f52f54405b4bf288c7c

Imphash: 8f2649698c183ba2b52e5e425852109d

1367.exe (2023-03-18)

Communicates with 164.132.200[.]171:15555
Size ~234 KB
Compiler: EP:Microsoft Visual C/C++ (2017 v.15.5-6) [EXE32]
Early build

5c0987d0ee43f2d149a38fc7320d9ffd02542b2b71ac6b5ea5975f907f9b9bf8

Imphash: d6d4965d7fe2d90a52736f0db331f81a

Mystic Stealer (2023-04-28)

Communicates with 94.23.26[.]20:13219
Size ~211 KB
Compiler: EP:Microsoft Visual C/C++ (2017 v.15.5-6) [EXE32]

acba3311b319a60192be2e29aa8038c863a794be39603a21ee8ee4ccc3ebfca6

Imphash: d6d4965d7fe2d90a52736f0db331f81a

update.exe (2023-05-01)

Communicates with 185.252.179[.]18:13219
Size ~209 KB
Compiler: EP:Microsoft Visual C/C++ (2017 v.15.5-6) [EXE32]

7c185697d3d3a544ca0cef987c27e46b20997c7ef69959c720a8d2e8a03cd5dc

Imphash: d6d4965d7fe2d90a52736f0db331f81a

update.exe (2023-05-02)

Communicates with 185.252.179[.]18:13219
Size ~225 KB
Compiler: EP:Microsoft Visual C/C++ (2017 v.15.5-6) [EXE32]

8592e7e7b89cac6bf4fd675f10cc9ba319abd4aa6eaa00fb0b1c42fb645d3410

Imphash: d6d4965d7fe2d90a52736f0db331f81a

Mystic Stealer (2023-05-04)

Communicates with 185.252.179[.]18:13219
Size ~208 KB
Compiler: EP:Microsoft Visual C/C++ (2017 v.15.5-6) [EXE32]

45d29afc212f2d0be4e198759c3c152bb8d0730ba20d46764a08503eab0b454f

Imphash: 9cd292d1fac1768b38a49bc6b288c67d

Mystic Stealer (2023-05-07)

Communicates with 135.181.47[.]95:13219
Size ~180 KB
Compiler: EP:Microsoft Visual C/C++ (2017 v.15.5-6) [EXE32]

30fb52e4bd3c4866a7b6ccedcfa7a3ff25d73440ca022986a6781af669272639

Imphash: 9cd292d1fac1768b38a49bc6b288c67d

qawsed.exe (2023-05-20)

Communicates with 142.132.201[.]228:13219
Compiler: EP:Microsoft Visual C/C++ (2017 v.15.5-6) [EXE32]

ce56e45ad63065bf16bf736dccb452c48327803b434e20d58a6fed04f1ce2da9

Imphash: 9cd292d1fac1768b38a49bc6b288c67d

Mystic Stealer (2023-05-22)

Communicates with 94.130.164[.]47:13219
Size ~187 KB
Compiler: EP:Microsoft Visual C/C++ (2017 v.15.5-6) [EXE32]

7ab8f9720c5f42b89f4b6feda21e7aa20334ba1230c3aef34b0e6481a3425681

Imphash: 1c8b7141d44e96dcc8c22d3bfdac433c

894d.exe (2023-05-23)

Communicates with 91.121.118[.]80:13219
Size ~249 KB
Compiler: EP:Microsoft Visual C/C++ (2008-2010) [EXE32]
Sample is packed

fc4aa58229b6b2b948325f6630fe640c2527345ecb0e675592885a5fa6d26f03

Imphash: baa93d47220682c04d92f7797d9224ce

Mystic Stealer (2023-05-25)

Communicates with 167.235.34[.]144:13219
Size ~1.79 MB
Sample is packed

References

https://www.broadcom.com/support/security-center/protection-bulletin?#blt6304f750388759f4_en-us
https://twitter.com/Yeti_Sec/status/1638537367567958016
https://twitter.com/sloppy_bear/status/1638713241198030850
https://twitter.com/threatintel/status/1638743922204876800
https://twitter.com/_montysecurity/status/1643164749599834112
https://twitter.com/GroupIB_TI/status/1651199735049469953
https://twitter.com/DailyDarkWeb/status/1652070191285821440
https://twitter.com/FalconFeedsio/status/1653355558605299713
https://twitter.com/0xrb/status/1653364901384003585
https://twitter.com/crocodylii/status/1653761115493486593
https://ioc.exchange/@cstromblad/110310524830937297
https://twitter.com/InQuest/status/1654498173069426691
https://twitter.com/connectraek/status/1656232673243983873
https://www.zerofox.com/blog/underground-economist-volume-3-issue-9/
https://twitter.com/FalconFeedsio/status/1659106113424355328
https://twitter.com/MikyRov/status/1661016035766702091
https://twitter.com/FalconFeedsio/status/1662038253791322112
https://github.com/phish-report/IOK/blob/main/indicators/mystic-stealer-88b6ef2f.yml
https://github.com/montysecurity/C2-Tracker/blob/main/data/Mystic%20Stealer%20IPs.txt
https://www.google.com/search?q=%22Mystic+Stealer%22
https://threatfox.abuse.ch/browse/tag/Mystic/
https://urlscan.io/search/#page.title%3A%22mystic%20stealer%22
https://urlscan.io/search#page.title%3A%22Mystic%20Stealer%20-%20%20Login%22
https://urlscan.io/search#page.title%3A%22Mystic%20Stealer%20v1.1%20-%20%20Login%22
https://urlscan.io/search#page.title%3A%22Mystic%20Stealer%20v1.2%20-%20%20Login%22
https://urlscan.io/search/#hash%3Afaf14cca1e17a7676c15266507219e3319943b19e21287015b9c968f0244fde2
https://urlscan.io/search/#task.tags:%22mystic%22
https://phish.report/IOK/indicators/mystic-stealer-88b6ef2f
https://www.virustotal.com/gui/collection/96ec0e1c018e476d981aa206a657960e5be05cb5383ae5a7fbb274611a9ccdcc/
https://twitter.com/hashtag/mysticstealer?f=live

Analysis resources

https://github.com/Microv/MysticStealer_HashResolver
