Friday, December 6, 2024
Homecyber securityMint-stealer Targeting web browsers, VPN clients & messaging apps to Steal Logins

Mint-stealer Targeting web browsers, VPN clients & messaging apps to Steal Logins

Published on

SIEM as a Service

Mint-Stealer is a Malware-as-a-Service tool designed to exfiltrate sensitive data from compromised systems stealthily and targets a broad spectrum of data, including web credentials, cryptocurrency wallet details, gaming credentials, VPN configurations, messaging app data, and FTP client information. 

Employing encryption and obfuscation, Mint-Stealer evades detection while actively stealing data. Distributed through dedicated websites and supported via Telegram, this malware poses a significant threat to cybersecurity due to its wide-ranging data theft capabilities and evasion techniques. 

Python-based MaaS malware that steals sensitive data from web browsers, cryptocurrency wallets, gaming platforms, VPNs, messaging apps, and FTP clients uses anti-analysis techniques, compresses its payload, and exfiltrates stolen data to free file-sharing services before notifying its C2 server. 

- Advertisement - SIEM as a Service
command and control (C2) server for the stealer
command and control (C2) server for the stealer

Distributed through dedicated websites and Telegram, Mint-Stealer poses a significant threat due to its wide data targeting, ease of access, and evasion capabilities. 

Mint-Stealer, a sophisticated malware-as-a-service, is actively distributed and managed through multiple online platforms, including dedicated websites and Telegram channels. 

How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide

The threat actors behind Mint-Stealer employing evasion techniques like encryption, obfuscation, and unrestricted hosting to maintain persistent operations capable of exfiltrating sensitive data pose a significant threat due to its continuous adaptation and robust infrastructure, emphasizing the need for proactive cybersecurity measures. 

Threat actor’s telegram contact
The threat actor’s telegram contact

The file, primarily composed of a heavily compressed resource section, exhibits high entropy and a uniform byte distribution, which operates without administrative privileges, leveraging the current user’s permissions. 

Setup.exe extracts a payload from its resource section and creates a temporary directory using a unique combination of ‘onefile’, process ID, and system time, and then writes a new executable, vadimloader.exe, to this directory, populating it with the extracted payload. 

next stage payload
next stage payload

Setup.exe drops supporting files, including Python modules, DLLs, and CA certificates, into the same directory. The unsigned vadimloader.exe, a 64-bit compiled Python executable, serves as the next stage of the Mint-Stealer malware.

Setup.exe acts as a dropper, launching vadimloader.exe, which loads the necessary libraries from the “Temp/onefile_1512_…” directory. In the third stage, vadimloader.exe actively gathers data from web browsers, cryptocurrency wallets, gaming applications, VPN clients, messaging apps, and system information. 

Creating a browser directory to save harvested browser data and Captured bowser data
Creating a browser directory to save harvested browser data and Captured browser data

It achieves this by targeting specific applications and services, employing Wmic commands, and continuing PowerShell executions. Finally, the stolen data is compressed into a ZIP archive and hidden within a temporary directory. 

Mint-stealer malware first checks the infected device’s IP address and then exfiltrates sensitive data like browser information, crypto wallet details, and messaging app data by using temporary directories to store the stolen information and encrypting it for secure transfer to free file hosting sites. 

According to Cyfirma, it sends an unencrypted summary of the stolen data along with the download link to its command and control server and also captures clipboard content and system information while actively trying to detect debugging tools. 

Areyou from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to...

Sophisticated Celestial Stealer Targets Browsers to Steal Login Credentials

Researchers discovered Celestial Stealer, a JavaScript-based MaaS infostealer targeting Windows systems that, evading detection...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to...