As you might expect from a piece of malware with this much potential, the developers put in the time and effort to resist most static analysis and many forms of dynamic analysis. Some of the methods in use are polymorphic string obfuscation, hash-based import resolution, and runtime calculation of constants, on top of RC4 encryption. To add to the fun, Mystic Stealer is also Malware as a Service. Yup, you can rent access to this little fun toy for about $150 per month… well, at least you could when the developer started advertising it back in April.
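As an added illustration (not code from the original post, and not Mystic Stealer's own code) of why two of those techniques blunt static analysis, the Python below shows hash-based import resolution and RC4-encrypted strings from both sides: what a loader does, and what an analyst does to undo it. The hash function is a toy ROR-13 scheme and the API names are assumed for the example; the malware's real hash algorithm and keys are not reproduced. The RC4 sample blob is the standard "Key"/"Plaintext" test vector, so the decrypted output is verifiable.

```python
"""
Hash-based import resolution and RC4 string decryption, illustrated.
Everything here is constructed for the example: the hash scheme, the API
list and the key are assumptions, not values taken from Mystic Stealer.
"""
from typing import Dict, List, Optional


def api_hash(name: str) -> int:
    """Toy ROR-13 hash over an ASCII export name (illustrative only).

    A loader that stores these 32-bit constants instead of the names has
    no import table entries and no API strings for `strings` to find.
    """
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # rotate right by 13
        h = (h + b) & 0xFFFFFFFF
    return h


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same op."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# --- loader side: walk the export names of a module and pick the one
# whose hash matches the constant baked into the binary.
def resolve_by_hash(exports: List[str], wanted: int) -> Optional[str]:
    for name in exports:
        if api_hash(name) == wanted:
            return name
    return None


# --- analyst side: precompute hashes for known export names, then map the
# constants recovered from the sample back to readable API names.
def build_rainbow(names: List[str]) -> Dict[int, str]:
    return {api_hash(n): n for n in names}


def recover_imports(hashes: List[int], rainbow: Dict[int, str]) -> List[str]:
    # Unknown hashes are kept, tagged with their value, rather than dropped.
    return [rainbow.get(h, f"unknown_{h:08x}") for h in hashes]


def decrypt_strings(key: bytes, blobs: List[bytes]) -> List[str]:
    return [rc4(key, b).decode("utf-8", errors="replace") for b in blobs]


# Constructed sample data (assumption: a plausible API list for a stealer).
KNOWN_APIS = ["LoadLibraryA", "GetProcAddress", "CreateFileW", "ReadFile",
              "InternetOpenA", "HttpSendRequestA", "CryptUnprotectData"]
SAMPLE_KEY = b"Key"
SAMPLE_BLOBS = [bytes.fromhex("bbf316e8d940af0ad3")]  # RC4("Key","Plaintext")


if __name__ == "__main__":
    wanted = [api_hash("CryptUnprotectData"), api_hash("InternetOpenA")]
    print("loader resolves:", [resolve_by_hash(KNOWN_APIS, h) for h in wanted])
    print("analyst recovers:", recover_imports(wanted + [0x12345678],
                                               build_rainbow(KNOWN_APIS)))
    print("decrypted strings:", decrypt_strings(SAMPLE_KEY, SAMPLE_BLOBS))
```

The practical point for a defender: once the hash routine is identified in the sample, a rainbow table over every export name in the common system DLLs turns the opaque constants back into an import list in seconds, and the RC4 key recovered from the key-scheduling loop decrypts every string and C2 message at once.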
In May the malware received an update that added to its already feature-packed offering: a dropper-like component which allows Mystic Stealer to retrieve and execute other payloads from its C2 servers. Communication with the C2 servers uses a custom binary protocol. Researchers at InQuest and Zscaler have identified around 50 C2 servers in use as of this writing. The control panel, developed in Python, appears to be the interface through which buyers access the data from their individual campaigns.
Information stealers are not new in information security. They have been around for a very long time. However, there has been an increase in demand for information stealers on the darker side of the internet, and an increase in the functionality of most information stealers, as seen in Mystic Stealer. These new forms of stealer malware are also often being pushed out at an affordable price, which will facilitate the creation of even more threat groups. Much like Ransomware as a Service, offering information-stealing malware with the ability to drop follow-on payloads will expand the threat landscape by granting just about anyone access to sophisticated tools. This muddies the water even more at a time when organizations are cutting security staff and looking to reduce their security spending (while paying more for office space). Identification of and defense against this new and expanded threat pool is going to become more and more complicated.
Mystic Stealer, with its anti-analysis and evasion features, is a great example of how the landscape is changing much faster than organizations can adapt. Even leading security vendors are going to fall farther behind as attackers change the game on them again. After all, attackers only need to be right once; defenders need to be right all the time. As more and more groups are enabled with advanced tools, the likelihood of a successful attack also increases. Zscaler has published a list of IOCs that can be added to existing protections to help identify and block the currently identified versions of Mystic Stealer.
What a time to be alive.