During routine proactive threat hunting, the Trellix Advanced Research Center identified a previously undetected infostealer sample written in Rust that targeted gamers.
After a more in-depth investigation, the Trellix team determined that it was Myth Stealer, which has been marketed on Telegram since the end of December 2024. Trellix published a report titled “Demystifying Myth Stealer: A Rust Based Infostealer”, written by Niranjan Hegde, Vasantha Lakshmi Ambasankar and Adarsh S.
Infostealers are a type of malware that infiltrates IT systems and is capable of stealing passwords, cookies, credit card information, autofill data, browsing history and downloaded files from browsers.
A sample written in Rust means the malware was written in the Rust programming language rather than in the languages malware is commonly written in, such as C/C++, which are more widely understood and analysed by researchers and defenders.
The advantage of using Rust is broad cross-platform support in terms of the operating systems on which the malware can run, potentially widening the pool of exposed victims.
Myth Stealer is the name of the malware-as-a-service offering that has been actively promoted on Telegram, advertising advanced features that make it very attractive to cybercriminals. The group behind the malware does not set up the gaming sites themselves; rather, they sell a subscription to the malware. The attackers who subscribe to it are the ones who set up the gaming sites.
Initially it was offered free of charge as a trial, then moved to a subscription-based model. The investigation revealed that the infostealer is distributed through various fraudulent gaming websites. On execution, the malware displays a fake window to appear legitimate while simultaneously decrypting and running the malicious code in the background.
The infostealer targets both Gecko-based and Chromium-based browsers, extracting sensitive data including passwords, cookies and autofill information. It also contains anti-analysis techniques such as string obfuscation and system checks based on file names and the username.
The malware authors regularly update the code base to evade antivirus detection and introduce additional features such as screenshot capture and clipboard hijacking.
The operation was first observed at the end of December 2024. A Telegram channel was used to share updates on Myth Stealer. Judging by the activity in the channel, it was probably developed and maintained by an organised team.
After Telegram shut down the initial channel, the operators created a new group to continue sharing malware updates. They regularly announce new versions in this group, emphasising zero detection rates on VirusTotal. Users must rebuild the malware to incorporate the latest updates into their builds.
The malware is currently offered on weekly and monthly subscription plans. It can be purchased with cryptocurrency and Razer Gold. In addition, the operators maintained a separate channel titled “Myth Vouches & Marketplace”, where users of the stealer post testimonials and advertise the sale of compromised accounts obtained with it. That channel has since been closed by Telegram.
In another case, we discovered an actor who had posted a link to a malicious RAR file on an online forum under the guise of cheat software called “DDTRACE KRX Ultimate Crack”. To establish credibility within the forum community, the actor provided a VirusTotal link that showed no detections at the time.
Myth Stealer presented as a cracked game-cheating tool on an online forum. In terms of capabilities, according to our investigation, the malware has evolved over time. Initially, when distributed as a free trial version, it only stole data from applications.
When it moved to a subscription-based model, it was sold with additional features such as displaying a fake window, taking screenshots, clipboard hijacking, etc. The team behind the malware continues to refactor and update the code to ensure it has no detections on VirusTotal.
These updates include changing the libraries used to display the fake window, updating the communication with the C2 server, etc. In the following sections, the researchers detail the various features exhibited by the malware across its different versions.
Currently, the malware is a 64-bit sample written in Rust containing a loader that decrypts and executes the stealer component. Loader with a fake window: once the malware has been downloaded and successfully executed on the victim's machine, the loader displays a fake window to the user.
These fake windows are used to trick the victim into thinking that a legitimate application is running. The loader uses the Rust crates native-windows-gui, egui or native-dialog to create and display the fake window.
Some of the fake windows displayed by the loader. While the fake window is shown to the victim, the loader decrypts the stealer component using XOR or AES encryption via the bundled Rust crate. In recent versions, the loader uses a custom algorithm to decrypt the stealer component.
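Added example, not code from the Trellix report or this article: a small static-triage helper in Python that applies the loader traits described above to a file image. It looks for plaintext names of the three Rust fake-window crates, flags high-entropy windows consistent with an AES-wrapped stealer component, and brute-forces a single-byte XOR key by searching for a shifted DOS stub. The sample buffer, the key 0x5A and the thresholds are constructed for the demonstration and are not values from the report.

```python
import math
import random

# Rust GUI/dialog crates the report names as the loader's fake-window providers.
FAKE_WINDOW_CRATES = (b"native-windows-gui", b"egui", b"native-dialog")
# DOS stub text found in nearly every PE; a XOR-shifted copy betrays a hidden embedded executable.
DOS_STUB = b"This program cannot be run in DOS mode."

def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted/compressed data, near 0 for padding."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def high_entropy_regions(data: bytes, window: int = 512, threshold: float = 7.0):
    """(offset, entropy) of fixed windows that look encrypted, e.g. an AES-wrapped stealer."""
    hits = []
    for off in range(0, len(data) - window + 1, window):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits

def crate_hits(data: bytes):
    """Which of the named Rust fake-window crates leave a plaintext string in the file."""
    return [c.decode() for c in FAKE_WINDOW_CRATES if c in data]

def find_xor_hidden_pe(data: bytes):
    """Brute-force a single-byte XOR key; return (key, offset) of a hidden DOS stub, else None."""
    for key in range(256):
        needle = bytes(b ^ key for b in DOS_STUB)
        off = data.find(needle)
        if off != -1:
            return key, off
    return None

# Constructed stand-in for a loader: a crate string, a single-byte-XORed fake PE, then AES-like noise.
_rng = random.Random(2024)
_FAKE_PE = b"MZ" + bytes(62) + DOS_STUB
SAMPLE = (bytes(64) + b"native-windows-gui\x00" + bytes(64)
          + bytes(b ^ 0x5A for b in _FAKE_PE)
          + bytes(_rng.getrandbits(8) for _ in range(1024)))
```

Running the three checks on SAMPLE reports the crate string, the XOR key 0x5A with the stub offset, and the noise block as a high-entropy region; a single-byte key will not recover the custom-algorithm or AES variants, where the entropy flag is the only signal this helper gives.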
The newly emerged Rust infostealer Myth Stealer continues to evolve across its versions, which gradually makes it harder for endpoint solutions to detect. Its use of string obfuscation, stealthy C2 communication and features like the fake window reflect the advanced evasion techniques of the threat actors.
The consistent development and improvement of Myth Stealer underline the attackers' determination to stay one step ahead of security defenses, posing a serious and persistent risk to users, especially gamers targeted through gaming websites.