Identifying Mystic Stealer Control Panels
Towards the middle of June 2023, Zscaler and other security researchers released reports about a new information stealer called Mystic Stealer that has appeared on the underground market. According to information shared by Bleeping Computer, access to use the information stealer is being sold on a subscription basis where users can pay $150 for one month or $390 for a quarter.
This blog will go over how to identify additional control panels for Mystic Stealer. While we only look at Mystic Stealer in this case, the process can be replicated and expanded upon to find network infrastructure for different malware families. For two other excellent examples of similar investigations, check out research by @embee_research and Michael Koczwara.
Mystic Stealer Control Panel Login Page
The control panel allows operators of the information stealer to view the collected data, update settings and interact with the malware. The control panel allows operators to set the C2 IP address and port combinations that will be used by the malware and enable additional features such as anti-VM checks (Zscaler). Zscaler identified several control panels that will serve as an initial data point that we can use to find unique indicators that allow for pivoting.
Our Investigative Process
Before starting to pivot to other tools to find additional Mystic Stealer control panels, we first need to determine unique identifiers that will aid us in the investigative process. Unique identifiers are elements of the web pages or its content that are distinctly associated with the malware and not other web pages. These items can include:
- Favicons
- Page titles
- SSL certificate data such common names, or leaf certificate fingerprints
- DOM elements
- HTTP headers and responses
- JA3S hash
- JARM fingerprint
While individually each parameter might return many results or generate false positives, by leveraging multiple parameters we may be able to identify additional network infrastructure. Once we have some items to pivot from, we can query different search engines to gather additional results. The tools discussed in this blog include:
To identify parameters that can be used to pivot from, we start by looking at the Mystic Stealer control panel identified in the Zscaler blog - hxxp[://]164[.]132[.]200[.]171:8005/login/?next=/. This indicator was submitted to urlscan which we can use to review elements such as titles and DOM elements.
Switching over to the DOM representation of the web page in urlscan shows that the web page title is Mystic Stealer - Login (Figure 2). This title can be used to search other tools to find additional web pages with the same title.
Using the title identified from urlscan and switching over to Shodan, we can then identify additional results using the query http.title:”Mystic Stealer”. As of July 18th 2023 14:30 EST, this query returned 20 results. We discovered that the favicon shown in Figure 3 was a common attribute across all the results.
Binary Edge is another tool similar to Shodan, returning only 16 results as shown in the screenshot below.
Since our Shodan search revealed that all the panels have the same favicon, we can perform additional searches based on the favicon. The favicon hash is calculated and present within the raw data table in Shodan.
Twitter user @0x_99796618 was able to identify 67 panels by taking the favicon hash identified in Shodan and running the same query in FOFA according to a tweet they shared (Figure 6).
Note: some of the tools above may not provide all the details to users that do not have an account on the platform. For example, to use Shodan search filters, a user needs to be logged into the platform. Similarly, Binary edge does not allow unauthenticated search and urlscan will provide a list of similar domains only if a user is logged into the platform.
Conclusion
The process described in this blog can be used to identify additional network infrastructure associated with malware variants. In our case, we were able to determine over 30 additional control panels from the few identified in the Zscaler blog.
Each investigation is different, and there are a few pivot paths that did not yield interesting results in this specific research, but could in others. For example, the few domains that used SSL did not have any common elements in their certificates that we can use to pivot off; if there were, that would be an additional data point to aid our investigation. Michael Koczwara’s blog provides a great example of using JARM fingerprints to find additional malicious infrastructure.
The benefit of proactive searching for malicious infrastructure is that it may lead to newly setup infrastructure that can be marked as malicious and shared with the community. These shared indicators of compromise support timely detection and help responders during an investigation. For a complete list of indicators and the queries used in this blog, check out the tables below.
Indicators of Compromise
The table below contains a list of all the Mystic Stealer Console Panels that have been identified. This data can be queried in Pulsedive using the Explore query threat="Mystic Stealer". This data is available for export in multiple formats (CSV, STIX 2.1, JSON).
http://167[.]235[.]34[.]144/login/ | http://185[.]141[.]61[.]245/login/ |
http://194[.]50[.]153[.]21/login/ | http://188[.]40[.]116[.]251/login/ |
http://212[.]113[.]106[.]114/login/ | http://194[.]169[.]175[.]123/login/ |
http://213[.]142[.]147[.]235/login/ | http://107[.]174[.]205[.]124/login/ |
http://116[.]202[.]233[.]49/login/ | http://5[.]42[.]94[.]125/login/ |
http://94[.]130[.]21[.]238/login/ | http://5[.]75[.]183[.]169/login/ |
http://94[.]130[.]216[.]165/login/ | http://1218[.]rbx[.]abcvg[.]ovh/login/ |
http://94[.]23[.]17[.]222/login/ | http://65[.]21[.]106[.]190/login/ |
http://138[.]201[.]88[.]153/login/ | http://95[.]216[.]32[.]74/login/ |
http://89[.]23[.]107[.]241/login/ | http://142[.]132[.]201[.]228/login/ |
http://static[.]144[.]34[.]235[.]167[.]clients[.]your-server[.]de/login/ | http://91[.]121[.]118[.]80/login/ |
http://94[.]130[.]164[.]47/login/ | http://156[.]rbx[.]abcvg[.]ovh/login/ |
http://static[.]153[.]88[.]201[.]138[.]clients[.]your-server[.]de/login/ | http://94[.]130[.]165[.]48/login/ |
http://static[.]165[.]216[.]130[.]94[.]clients[.]your-server[.]de/login/ | http://static[.]238[.]21[.]130[.]94[.]clients[.]your-server[.]de/login/ |
http://static[.]169[.]183[.]75[.]5[.]clients[.]your-server[.]de/login/ | http://static[.]251[.]116[.]40[.]188[.]clients[.]your-server[.]de/login/ |
http://static[.]47[.]164[.]130[.]94[.]clients[.]your-server[.]de/login/ | http://static[.]190[.]106[.]21[.]65[.]clients[.]your-server[.]de/login/ |
http://static[.]48[.]165[.]130[.]94[.]clients[.]your-server[.]de/login/ | http://static[.]228[.]201[.]132[.]142[.]clients[.]your-server[.]de/login/ |
http://static[.]49[.]233[.]202[.]116[.]clients[.]your-server[.]de/login/ | http://static[.]74[.]32[.]216[.]95[.]clients[.]your-server[.]de/login/ |
https://www[.]coloradotruckie[.]com/login/ | http://byggmastarn[.]nu/login/ |
http://164[.]132[.]200[.]171:8005/login/ | http://109[.]248[.]206[.]137[.]yadc[.]ru/login/ |
http://109[.]248[.]206[.]137/login/ | http://185[.]252[.]179[.]18/login/ |
http://135[.]181[.]47[.]95/login/ | http://193[.]233[.]48[.]167/login/ |
http://142[.]93[.]11[.]96/login/ | http://727[.]gra[.]abcvg[.]ovh:8005/login/ |
http://34[.]88[.]245[.]41/login/ | http://79[.]137[.]206[.]141/login/ |
http://byggmastarniskane[.]se/login/ | http://41[.]245[.]88[.]34[.]bc[.]googleusercontent[.]com/login/ |
http://934[.]gra[.]abcvg[.]ovh/login/ | http://43[.]154[.]7[.]225/login/ |
http://5[.]188[.]87[.]45/login/ | http://5[.]196[.]93[.]222/login/ |
http://64[.]52[.]80[.]55/login/ | https://africahelp[.]org/login/ |
https://gujaratstudy[.]in/login/ | http://www[.]babypicturesultrasound[.]com/login/ |
http://193[.]233[.]48[.]132/login/ | http://teammsolutions[.]com/login/ |
Queries/Search Filters Used
Tool | Query |
Shodan | http.title:”Mystic Stealer” |
http.favicon.hash:-442056565 | |
Binary Edge | web.title:"Mystic Stealer" |
Fofa | icon_hash="-442056565" |
title="Mystic Stealer" | |
urlscan | page.title:"Mystic Stealer" && page.url:"/login/?next=/" |
References
https://www.zscaler.com/blogs/security-research/mystic-stealer
https://urlscan.io/result/535841c6-ea4a-4e8c-85b7-e19bd5ad68e5#summary