Mint-stealer Targeting web browsers, VPN clients & messaging apps to Steal Logins

Mint-Stealer is a Malware-as-a-Service tool designed to exfiltrate sensitive data from compromised systems stealthily and targets a broad spectrum of data, including web credentials, cryptocurrency wallet details, gaming credentials, VPN configurations, messaging app data, and FTP client information. 

Employing encryption and obfuscation, Mint-Stealer evades detection while actively stealing data. Distributed through dedicated websites and supported via Telegram, this malware poses a significant threat to cybersecurity due to its wide-ranging data theft capabilities and evasion techniques. 

Python-based MaaS malware that steals sensitive data from web browsers, cryptocurrency wallets, gaming platforms, VPNs, messaging apps, and FTP clients uses anti-analysis techniques, compresses its payload, and exfiltrates stolen data to free file-sharing services before notifying its C2 server. 

- Advertisement -

Distributed through dedicated websites and Telegram, Mint-Stealer poses a significant threat due to its wide data targeting, ease of access, and evasion capabilities. 

Mint-Stealer, a sophisticated malware-as-a-service, is actively distributed and managed through multiple online platforms, including dedicated websites and Telegram channels. 

How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide

The threat actors behind Mint-Stealer employing evasion techniques like encryption, obfuscation, and unrestricted hosting to maintain persistent operations capable of exfiltrating sensitive data pose a significant threat due to its continuous adaptation and robust infrastructure, emphasizing the need for proactive cybersecurity measures. 

The file, primarily composed of a heavily compressed resource section, exhibits high entropy and a uniform byte distribution, which operates without administrative privileges, leveraging the current user’s permissions. 

Setup.exe extracts a payload from its resource section and creates a temporary directory using a unique combination of ‘onefile’, process ID, and system time, and then writes a new executable, vadimloader.exe, to this directory, populating it with the extracted payload. 

Setup.exe drops supporting files, including Python modules, DLLs, and CA certificates, into the same directory. The unsigned vadimloader.exe, a 64-bit compiled Python executable, serves as the next stage of the Mint-Stealer malware.

Setup.exe acts as a dropper, launching vadimloader.exe, which loads the necessary libraries from the “Temp/onefile_1512_…” directory. In the third stage, vadimloader.exe actively gathers data from web browsers, cryptocurrency wallets, gaming applications, VPN clients, messaging apps, and system information. 

It achieves this by targeting specific applications and services, employing Wmic commands, and continuing PowerShell executions. Finally, the stolen data is compressed into a ZIP archive and hidden within a temporary directory. 

Mint-stealer malware first checks the infected device’s IP address and then exfiltrates sensitive data like browser information, crypto wallet details, and messaging app data by using temporary directories to store the stolen information and encrypting it for secure transfer to free file hosting sites. 

According to Cyfirma, it sends an unencrypted summary of the stolen data along with the download link to its command and control server and also captures clipboard content and system information while actively trying to detect debugging tools. 

Areyou from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access