• Mon. Mar 4th, 2024

Dark Web’s Mystic Stealer: Evasion & Exfiltration

Avatar photo

ByContent

Jul 13, 2023
Dark Web's Mystic Stealer: Evasion & Exfiltration

Mystic Stealer: Advanced Data Theft and Evasion

Mystic Stealer is a very advanced information thief that targets close to 40 browsers and manages to elude detection using improved coding techniques. To access sensitive data without authorization, it focuses primarily on crypto wallets and other apps. The virus also gathers information about the device, including hostname, username, and geolocation, as well as login credentials from services like Telegram and Steam. It employs a mix of C and Python programming languages and runs independently, without requiring the use of other libraries for decryption. Mystic Stealer uses anti-virtualization methods, communicates with command and control (C2) servers for data transmission, and has capabilities including loader functionality and termination after expiration.

C2 Server Interactions and Evasion Tactics

Mystic Stealer uses a proprietary Python XOR hashing method to dynamically load Windows APIs while obscuring constant values in real time. To evade antivirus detection, the gathered data is marked with binary tags and delivered straight to the C2 server without writing to disk. The virus uses up to four C2 endpoints for offline or blacklisted devices and a decryption technique for safe connection. Mystic Stealer exploits termination upon expiration, checks system time against preset settings, and uses CPUID instructions to identify virtual environments in order to avoid discovery. It looks for particular strings that are connected to virtual software and denote the existence of virtual machines. The detecting code, according to researchers, is developed from Pafish. Mystic Stealer acts covertly and reduces the chance of being discovered and eliminated thanks to these effective evasive techniques.

Data Exfiltration: Mystic Stealer’s Targeted Pilfering

The data exfiltration method used by Mystic Stealer is targeted pilfering. To have the most effect on cyber espionage efforts, it carefully pulls sensitive information from infiltrated computers, such as passwords, browser data, cryptocurrency wallets, and device-related information.