A new, “potent” brand of information-stealing malware is catching the attention of cybersecurity researchers around the world who seem to be in agreement over its level of ingenuity and potential to wreak havoc in the online world. The Mystic Stealer malware-as-a-service (MaaS) debuted on various hacking forums and darknet markets in April of this year at a price of $150 per month or $390 per quarter and has already undergone significant upgrades by its developers.
Mystic Stealer is capable of targeting every version of Windows and can collect data from 30 different web browsers, 70 cryptocurrency extensions, several cryptocurrency wallets, Microsoft Outlook, authenticators such as Gauth and Authy, and password managers. It has also received numerous positive reviews from hacking experts on various forums while being deemed a “significant threat” by cyberintelligence experts.

Ad for an updated Mystic Stealer appearing on a hacker forum.
The malware evades most anti-virus scanners because it runs in memory, and unlike similar information stealers it does not need to bundle third-party libraries for decrypting stolen credentials. The stolen data is simply transferred to another server, where it is parsed and decoded before being passed on to the customer renting the service; this keeps the malware's footprint small and less exposed to anti-virus analysis. According to figures posted on the Mystic Stealer Telegram channel, a Scantime run flagged it on only 2 of 26 anti-virus scanners.
In addition to collecting basic information about an infected computer, Mystic Stealer can also capture browser history, auto-fill data, cookies, bookmarks, and stored credentials. It can also take desktop screenshots of infected computers. After a target computer has been infected, the service purchaser has the option to send additional malware payloads and execute them.
Researchers at Zscaler, who performed an in-depth analysis of the malware, conclude that Mystic Stealer is a “sophisticated threat with the potential for widespread damage,” noting that they have already detected registrations of the MaaS in the US, Russia, China, Germany, and France. They have also detected a “grand cluster” of servers related to the service in Russia, which appears to be its country of origin.