A sophisticated new data-exfiltrating malware crafted in the Rust programming language has surfaced, showcasing advanced abilities to retrieve sensitive information from both Chromium-based and Gecko-based web browsers.
The malware, referred to as Myth Stealer, signifies a notable advancement in cybercriminal strategies, merging contemporary programming techniques with traditional social engineering tactics to breach user credentials and financial details.
The malware has been actively propagated since late December 2024 through a coordinated network of deceptive gaming websites and Telegram channels.
Initially presented as a free trial to entice users, Myth Stealer has since shifted to a subscription-based approach, with cybercriminals purchasing weekly and monthly access via cryptocurrency and Razer Gold transactions.
The threat actors responsible for this scheme operate numerous Telegram channels for dissemination, updates, and even customer endorsements, exhibiting a professional standard in cybercrime infrastructure.
.webp)
Trellix analysts detected this fully undetected malware variant during routine proactive threat-hunting efforts, uncovering its intricate design and evasion techniques.
The research team found that the malware targets a broad spectrum of applications, including major browsers like Chrome, Firefox, Edge, Opera, and Brave, alongside communication tools like Discord and various niche browsers utilized worldwide.
The distribution strategy leans heavily on social engineering, with perpetrators masking the malware as authentic gaming software, cheat tools, or beta releases of popular games.
Victims usually encounter the malware embedded in password-protected RAR files, where the password typically adheres to predictable patterns such as the game title appended with “beta” or “alpha.”
In some cases, threat actors have shared malicious links in online forums, even including VirusTotal reports indicating no detections to bolster credibility within gaming circles.
Advanced Infection and Evasion Techniques
The technical intricacy of Myth Stealer surfaces through its multi-layered infection methodology and thorough evasion strategies.
Upon activation, the malware utilizes a loader component that presents convincing fake windows to victims while concurrently decrypting and initiating the actual stealer payload in the background.
.webp)
These deceptive interfaces rely on Rust crates like native-windows-gui, egui, or native_dialog to construct realistic-looking application windows that conceal the malicious activities transpiring behind the scenes.
The stealer component itself is designed as a 64-bit DLL file with intricate anti-analysis features.
Most notably, it applies string obfuscation via the Rust crate obfstr, transforming comprehensible strings into intricate XOR operations that greatly complicate reverse engineering tasks.
The malware also carries out extensive sandbox detection by verifying specific usernames and system files typically linked with analytical environments, promptly ceasing execution if such markers are identified.
For Chromium-based browsers, Myth Stealer employs a particularly astute technique involving remote debugging functionalities.
The malware initiates browser processes with designated parameters such as “–remote-debugging-port=9222”, “–remote-allow-origins=*”, and “–headless” to establish a debugging session, allowing direct access to browser data without conventional file-based extraction methods.
In more recent versions, the malware strives to elevate privileges using the Windows ShellExecuteW API with “runas” parameters, improving its capacity to access protected browser databases.
The persistence strategy showcases equal sophistication, generating a file named “winlnk.exe” in the user’s AppDataRoaming directory while creating custom registry entries that link a counterfeit “.lnkk” file extension with the malware executable.
This method guarantees the malware’s survival through system reboots while keeping a low profile that avoids standard security monitoring focused on typical persistence strategies.
The post New Rust Based InfoStealer Extracts Sensitive Data from Chromium-based Browsers appeared first on Cyber Security News.