Mint-stealer Targeting web browsers, VPN clients & messaging apps to Steal Logins

Mint-Stealer is a Malware-as-a-Service tool designed to exfiltrate sensitive data from compromised systems stealthily and targets a broad spectrum of data, including web credentials, cryptocurrency wallet details, gaming credentials, VPN configurations, messaging app data, and FTP client information. 

Employing encryption and obfuscation, Mint-Stealer evades detection while actively stealing data. Distributed through dedicated websites and supported via Telegram, this malware poses a significant threat to cybersecurity due to its wide-ranging data theft capabilities and evasion techniques. 

Python-based MaaS malware that steals sensitive data from web browsers, cryptocurrency wallets, gaming platforms, VPNs, messaging apps, and FTP clients uses anti-analysis techniques, compresses its payload, and exfiltrates stolen data to free file-sharing services before notifying its C2 server. 

command and control (C2) server for the stealer

Distributed through dedicated websites and Telegram, Mint-Stealer poses a significant threat due to its wide data targeting, ease of access, and evasion capabilities. 

Mint-Stealer, a sophisticated malware-as-a-service, is actively distributed and managed through multiple online platforms, including dedicated websites and Telegram channels. 

How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide

The threat actors behind Mint-Stealer employing evasion techniques like encryption, obfuscation, and unrestricted hosting to maintain persistent operations capable of exfiltrating sensitive data pose a significant threat due to its continuous adaptation and robust infrastructure, emphasizing the need for proactive cybersecurity measures. 

The threat actor’s telegram contact

The file, primarily composed of a heavily compressed resource section, exhibits high entropy and a uniform byte distribution, which operates without administrative privileges, leveraging the current user’s permissions. 

Setup.exe extracts a payload from its resource section and creates a temporary directory using a unique combination of ‘onefile’, process ID, and system time, and then writes a new executable, vadimloader.exe, to this directory, populating it with the extracted payload. 

next stage payload

Setup.exe drops supporting files, including Python modules, DLLs, and CA certificates, into the same directory. The unsigned vadimloader.exe, a 64-bit compiled Python executable, serves as the next stage of the Mint-Stealer malware.

Setup.exe acts as a dropper, launching vadimloader.exe, which loads the necessary libraries from the “Temp/onefile_1512_…” directory. In the third stage, vadimloader.exe actively gathers data from web browsers, cryptocurrency wallets, gaming applications, VPN clients, messaging apps, and system information. 

Creating a browser directory to save harvested browser data and Captured browser data

It achieves this by targeting specific applications and services, employing Wmic commands, and continuing PowerShell executions. Finally, the stolen data is compressed into a ZIP archive and hidden within a temporary directory. 

Mint-stealer malware first checks the infected device’s IP address and then exfiltrates sensitive data like browser information, crypto wallet details, and messaging app data by using temporary directories to store the stolen information and encrypting it for secure transfer to free file hosting sites. 

According to Cyfirma, it sends an unencrypted summary of the stolen data along with the download link to its command and control server and also captures clipboard content and system information while actively trying to detect debugging tools. 

Areyou from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Resecurity introduces Government Security Operations Center (GSOC) at NATO Edge 2024

Resecurity, a global leader in cybersecurity solutions, unveiled its advanced Government Security Operations Center (GSOC)…

12 hours ago

Reserachers Uncovered Zloader DNS Tunneling Tactics For Stealthy C2 Communication

Zloader, a sophisticated Trojan, has recently evolved with features that enhance its stealth and destructive…

12 hours ago

US Charged Chinese Hackers for Exploiting Thousands of Firewall

The US Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned Sichuan Silence Information…

12 hours ago

DMD Diamond Launches Open Beta for v4 Blockchain Ahead of 2025 Mainnet

DMD Diamond - one of the oldest blockchain projects in the space has announced the start…

12 hours ago

Hackers Deploy Weaponized LNK Files for Malicious Payload Delivery

Researchers reported a phishing attack on December 4th, 2024, where malicious emails purportedly from the…

12 hours ago

APT-C-60 Hackers Penetrate Org’s Network Using a Weapanized Google Drive link

The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) has confirmed an advanced cyber attack…

14 hours ago