MINT STEALER: Run by a Bulletproof Hoster

Rakesh Krishnan
Coinmonks
Jul 31, 2024

Infostealers are everywhere, and they frequently act as the anchor point for larger hacking campaigns and digital espionage, from account takeover through to ransomware attacks.

Representation of a Cyber Threat Actor | Credit: Self-Gen AI

This is NOT a technical deep-dive into Mint Stealer, as reverse-engineering reports are already available.

Here is the table of contents for this article:-

1. INTRODUCTION
2. MODUS OPERANDI
3. HISTORY - TRACING TIMELINE
4. WHO'S BEHIND?
5. OFFENSIVE SERVICES OFFERED: ARTEM

5.1 CASH HOSTING
5.2 CASHOUT
5.3 CASH RANSOMWARE
5.4 CASH RAT
5.5 AMAIL HOSTING

6. INFRASTRUCTURE HUNT
7. MINT STEALER: SHALLOW CODE ANALYSIS
8. STEALER LOG ANALYSIS
9. ATTACK MATRIX
10. CONCLUSION
11. IOCs

INTRODUCTION

Mint Stealer is a Python-based stealer that has kept a low profile without attracting much attention. Upon infection it harvests sensitive information from the victim's machine.

Mint Stealer Advertisement

It can steal data from the following browser families:-

Chromium (Chrome, Brave, Yandex)
Gecko (Firefox, Waterfox)
Opera (Opera GX, Opera)

The browser data collected includes:-

Passwords
Cookies in Netscape format (importable into a quick cookie editor)
Autofills
Credit cards
Browsing history
Downloads
Bookmarks

The stealer is advertised as FUD (Fully Undetectable) and ships with anti-VM and anti-debug features. It is sold at a starting price of $20/week (previously $8) on various underground markets and directly on Mint Stealer's dedicated site.

Popular game clients such as Minecraft, Growtopia, Roblox, Battle.net and Steam are also targeted by Mint Stealer.

File-transfer and file-management clients whose saved sessions and credentials are harvested include:-

FileZilla
Shadow
WinSCP
Total Commander

Stolen session data from these clients gives the threat actor direct access to the servers the victim manages.

Supported VPN clients include Proton VPN and OpenVPN, and the Thunderbird mail client is also targeted.

MODUS OPERANDI

Mint Stealer is spread under innocuous-looking filenames such as:-

vadimloader
vadimloader.exe
Update.exe
awata.zip
EMV2X
EMV2X.exe
axplong.exe
awata
awata.exe
loadder
loadder.exe
87fb2.exe
loadder.bin
2024-06-29_4629bd8e5e8cfe7256d1505e444c7db8_ryuk
2024-06-24_e6e620e5cac01f73d0243dc9cf684193_ryuk
2024-06-28_ac449f08bd7edcecabfbf7c1231c02e8_ryuk

Of these, Update.exe is the most frequently used. It is usually delivered via phishing, either to corporate networks or to targeted individuals.

To attract buyers, the group also posts stealer logs obtained with Mint Stealer on private platforms as proof of capability:-

Shared Mint Stealer Logs as a Proof

This builds credibility within the community and encourages prospective buyers to try the stealer in their own campaigns.

Internal panel of the Mint Stealer looks like this:-

Mint Panel

It provides a clean UI for managing infected hosts.

To reach a wider audience, the threat actor also promotes this stealer on various underground hacking forums such as Nulled.

HISTORY — TRACING TIMELINE

Mint Stealer has been in development since December 2022 but became active in June 2023.

Its activity can therefore be split into two campaigns, 2023 and 2024, each using different domains.

MINT STEALER 2023
=================
Date: 29th September 2023
MD5: 3832f42b8a1655a1ff2cce00aec7435b
Domain: mint-stl.ru
Domain Registration: 22nd August, 2023

This domain later became inactive, and the threat actor registered two new domains in June 2024, which are currently active.

A new sample of Mint Stealer was found in the same period:-

MINT STEALER 2024
=================
Date: 23rd June 2024
MD5: e6e620e5cac01f73d0243dc9cf684193
Domain: mint-c2.top
Domain Registration: 7th June, 2024

The timeline at a glance:-

WHO’S BEHIND?

Mint Stealer is sold and supported by the Telegram handle Artem, who runs a bulletproof hosting service called Cash Hosting (Cashout.pw since May 2023 and Cash-Hosting.pw since June 2023), serving mainly Russia.

Telegram Profile of Threat Actor

This became evident from a Telegram channel announcing stealer support alongside the hosting service.

Digging into the advertised identity, I uncovered the domain artem[.]icu, owned by the same person. A WHOIS check shows it was registered in May 2023 (matching the launch of the hosting service), with WHOIS privacy enabled to conceal the registrant.

I was, however, able to find the real IP address behind the service:-

94.142.141.150

This IP is located in Russia and hosts 400+ domains (mainly .ru and .ua).

Notably, a privacy-focused email service, bpe.cash, is hosted on the same network.

NOTE: BPE is short for Bullet Proof Email, a privacy-focused email service. An address registered with it (dolores@bpe.cash) is used by the same threat actor for the Cash Ransomware operation.

A further email address of the threat actor was disclosed during the investigation:-

artem.icu@gmail.com

Investigating further, I came across a dox dating back to December 2020 that purports to disclose the real identity behind the Telegram handle Artem.

Dox of the Threat Actor

NOTE: Doxing of ransomware/malware operators by competitors is common on hacking forums, as a way to discredit their services. Such an OPSEC failure undermines confidence in the offered product and costs the operator trust.

This information cannot be taken at face value, but it serves as a lead for further investigation.

A second dox of the same identity appeared in July 2023, giving additional information about the threat actor:-

Second Dox of Threat Actor appeared

A second dox further weakens the standing of the products he sells, including the hosting service, crypter, ransomware, stealer, RAT and injector.

Further digging turned up the following information about the threat actor:-

Name: Artem Ey
Address: Cashout O.O.O., 16, Tverskaya St, 125009 Moscow, Moscow
Country: Russian Federation
Email: anticoco@bpe.cash
Phone: +7.4212940519

OFFENSIVE SERVICES OFFERED: ARTEM

CASH HOSTING

NOTE: These services are covered here because Mint Stealer is hosted on Cash Hosting.

Mint Stealer is hosted on a bulletproof hosting service called Cash Hosting, located in Russia.

It offers various hosting services such as: VPS, RDP and Bulletproof Hosting.

Landing Page of Cash Hosting

The service is marketed as privacy friendly (“NO KYC”), and payment is accepted in cryptocurrency.

The threat actor launched this service in June 2023. A parallel service run by the same person is Cashout.

CASHOUT

Landing Page of Cashout

Domain registration indicates that Cashout was started in May 2023, before the Cash Hosting service.

This service offers offensive tooling:- RATs, ransomware, a crypter, Mint Stealer and an injector.

CASH RANSOMWARE

On May 7th, 2024 the first sample of Cash Ransomware was spotted in the wild. The threat actor advertised the ransomware on the same day in the Mint Stealer channel.

Cash Ransomware from Same Group

This is corroborated by the Cashout service, which lists “Ransomware” among its offerings alongside bulletproof hosting.

Cash Ransomware is therefore most likely the product hinted at on that website.

Cash Ransomware IOC
===================
33559005506dae5967c8ddeaa8a65f5b
69cc2e20ea7a51666b8c14be90441073

CASH RAT

Cash RAT is written in .NET and targets Windows. The first sample was spotted on 3rd June, 2023.

MD5: a3d27166eb3a33cc84294c54ade0490d : CashRAT_Build.exe

Code comparison shows that 83% of its code is an exact match with XWorm, which first appeared in July 2022.

A more recent sample of Cash RAT was first spotted on 6th May, 2024 (about two months before this writing).

This shows that the RAT is still in use and under active development.

CASH RAT IOC
============
a3d27166eb3a33cc84294c54ade0490d
7dda8c4e9ac5fe4603e4674c31f9c8bb

AMAIL HOSTING

On social media the actor claims to be in Monaco, and one post features another domain, amail[.]wtf, for a hosting service called Amail.

Amail Privacy Email Service

From the above, it is evident that the threat actor owns a few servers and has run bulletproof hosting or VPS services under different names at different times.

NOTE: We do not dig further into the real identity of the threat actor, as that is out of scope; the focus here is Mint Stealer.

INFRASTRUCTURE HUNT

Mint Stealer does not let customers self-host a C2 (Command & Control) server; C2 handling is bundled with the stealer. All server-side components (VPS, VDS, bulletproof hosting) live within the same hosting network, so a customer never has to move to another server for C2 exchange.

It maintains two domains:-

mint-stealer.top
mint-c2.top

Mint Stealer with Login Panel

Both domains were registered on 7th June, 2024 through Cash Hosting, located in Russia.

Digging further, I found the real infrastructure behind the service: 94.156.79.162, running Windows Server 2022.

Exposed Mint Stealer IP

Following are the key-findings:-

IP: 94.156.79.162
ASN: AS215240
Name: Silent Communication
Location: Bulgaria
OS: Windows Server 2022
Dev Services: Bootstrap, Frappe
Using: NodeJS, ExpressJS

Inspecting the ASN shows that it is blacklisted and appears on the DROP (Don't Route Or Peer) list published by Spamhaus.

ASN Report

That alone is reason enough to block this ASN's ranges on personal and corporate networks.

MINT STEALER: SHALLOW CODE ANALYSIS

To give an overview, I performed a shallow analysis of the following sample:-

MD5: e6e620e5cac01f73d0243dc9cf684193

This is a 9 MB Windows executable that first appeared on 23rd June, 2024. The binary is reported as compiled with Visual C++.

This file is being spread with various filenames such as:-

vadimloader
vadimloader.exe
2024-06-24_e6e620e5cac01f73d0243dc9cf684193_ryuk
Update.exe

NOTE: “Vadim” is a Russian given name, said to mean “powerful ruler” or to indicate a strong masculine figure.

Once dropped, it first checks the installed language settings in the registry, to avoid infecting machines in CIS countries.

It then proceeds to harvest sensitive information from the infected machine.

The following cryptocurrency wallets are targeted:-

Electrum-LTC
Electrum
ElectronCash
Exodus
Coinomi
Ethereum
MultiDoge

Apart from this, Mint Stealer also steals browser credentials from the victim's machine.

Upon execution, it also attempts to steal PuTTY and WinSCP data, including saved sessions and passwords.

The sample makes connection requests to the following domains:-

anonfiles.com
fileditch.com

Both are file-hosting services; the stealer or threat actor presumably uses them to host payloads or as a secondary channel for exfiltrated data. Note that anonfiles.com shut down in August 2023, so that contact is likely a leftover from an older build.

Notably, the threat actor previously used FileDitch to publish Mint Stealer logs.

Malicious scripts are pulled from:-

http://mint-c2.top/api/won
http://mint-c2.top/api/injection

Malware in contact with Mint Domains

The stealer runs a PowerShell command to read the current clipboard contents, which are then sent back to the threat actor over the C2 channel.

The following cryptographic algorithm signatures are found in this sample:-

SALSA20
KECCAK
AES
CBC
AES-NI
BLOWFISH
BLAKE2
SCRYPT

Note that these are matches on algorithm constants: Salsa20, AES, CBC and Blowfish are ciphers and scrypt is a key-derivation function, not hashes, and such matches frequently come from a bundled crypto library rather than from the stealer's own logic.

Among the dropped components, a Growtopia stealer (dating to 2021) and a Discord stealer are also present.

STEALER LOG ANALYSIS

I managed to obtain stealer logs produced by Mint Stealer; the log folders contain the following artefacts:-

Autofills
Bookmarks
Downloads
History
Passwords
Quick Cookie

Passwords obtained by Mint Stealer
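The cookies in such a log are stored in the Netscape cookies.txt format mentioned in the introduction. The following parser, added here as an example and not code from Mint Stealer or from this article's author, reads that format (including the #HttpOnly_ prefix convention used by curl-style exports) and lists, per host, the cookies that are still valid at a given time, which is the list a responder needs for session revocation. The embedded cookie file is constructed; every host, cookie name and value in it is made up.

```python
"""Parser for Netscape-format cookies.txt files, the format in which stealer
logs such as Mint Stealer's export browser cookies, used to triage which
stolen cookies are still live.

Added example for this article, not code from Mint Stealer or its author.
The sample cookie file is constructed; hosts, names and values are made up.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of a stealer-exported cookies.txt (not real victim data).
# Field order per Netscape format: domain, include_subdomains, path, secure,
# expiry (Unix epoch, 0 = session cookie), name, value. Lines beginning with
# "#HttpOnly_" are the curl/wget convention for HttpOnly cookies.
SAMPLE_COOKIES_TXT = (
    "# Netscape HTTP Cookie File\n"
    "# This is a generated file! Do not edit.\n"
    "\n"
    ".example.com\tTRUE\t/\tTRUE\t1893456000\tSID\tabc123sessionvalue\n"
    "#HttpOnly_.example.com\tTRUE\t/\tTRUE\t1893456000\t__Secure-AUTH\tsecretauthtoken\n"
    ".example.com\tTRUE\t/\tFALSE\t1600000000\told_pref\tdark\n"
    "login.example.org\tFALSE\t/account\tTRUE\t0\tcsrf\tdeadbeef\n"
)


@dataclass
class Cookie:
    domain: str
    include_subdomains: bool
    path: str
    secure: bool
    expires: int  # Unix epoch; 0 means a session cookie with no stored expiry
    name: str
    value: str
    http_only: bool

    def is_live(self, now: int) -> bool:
        # A session cookie carries no expiry; a stealer exports it anyway and
        # it stays valid server-side until revoked, so treat it as live.
        return self.expires == 0 or self.expires > now


def parse_netscape_cookies(text: str) -> List[Cookie]:
    """Parse cookies.txt content; raises ValueError on a malformed line."""
    cookies: List[Cookie] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        http_only = False
        if line.startswith("#HttpOnly_"):
            http_only = True
            line = line[len("#HttpOnly_"):]
        elif line.startswith("#"):
            continue  # ordinary comment line
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError(
                f"line {lineno}: expected 7 tab-separated fields, got {len(fields)}"
            )
        domain, subdomains, path, secure, expires, name, value = fields
        cookies.append(Cookie(
            domain=domain,
            include_subdomains=subdomains.upper() == "TRUE",
            path=path,
            secure=secure.upper() == "TRUE",
            expires=int(expires),
            name=name,
            value=value,
            http_only=http_only,
        ))
    return cookies


def live_cookie_names_by_host(cookies: List[Cookie], now: int) -> Dict[str, List[str]]:
    """Group still-valid cookie names by host (leading dot stripped): the list an
    incident responder needs in order to revoke the victim's sessions."""
    result: Dict[str, List[str]] = {}
    for c in cookies:
        if c.is_live(now):
            result.setdefault(c.domain.lstrip("."), []).append(c.name)
    return result


if __name__ == "__main__":
    parsed = parse_netscape_cookies(SAMPLE_COOKIES_TXT)
    for host, names in live_cookie_names_by_host(parsed, now=1_700_000_000).items():
        print(f"{host}: revoke {', '.join(names)}")
```

Expired cookies are dropped from the revocation list, but session cookies (expiry 0) are kept, since the server side has no idea the browser session should have ended.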

ATTACK MATRIX

The attack matrix observed for Mint Stealer:-

Attack Vectors of Mint Stealer

CONCLUSION

On July 14, 2024 an official announcement was posted in the Telegram channel discontinuing the CashOut project, including support for Mint Stealer.

Mint Stealer Discontinuation Announcement

This may be a result of my tweet of July 13, 2024, a day earlier, exposing the Mint Stealer infrastructure:-

Since the samples are public, there is a fair chance the same stealer will be revamped and resold under a new name in the near future.

IOCs (Mint Stealer)

Hashes
======
e6e620e5cac01f73d0243dc9cf684193
afefdbd2bf7a6a622eaf09ab4a1adb3b
4629bd8e5e8cfe7256d1505e444c7db8
c66ee818a2295aac69baa17df301de34
ac449f08bd7edcecabfbf7c1231c02e8
a1671d1d339b188fa3f437e79ccf21d1
3832f42b8a1655a1ff2cce00aec7435b
9f037593071344bc1354e5a619f914f4

High Confidence IP List
=======================
109.236.93.59 🇳🇱
2.58.57.168 🇳🇱
94.156.79.162 🇧🇬
77.91.77.81 🇬🇪
104.21.94.45 🇺🇸
172.67.219.160 🇺🇸
172.67.211.144 🇺🇸
85.114.96.2 🇵🇸
104.21.96.39 🇺🇸
104.21.67.23 🇺🇸

NOTE: The 104.21.x.x and 172.67.x.x addresses are Cloudflare anycast edges shared by many unrelated sites. Block the domains below rather than these IPs, or you will cause collateral damage.

IP-Domain Resolution of MINT STEALER
====================================

mint-stealer.top
172.67.205.20 🇺🇸
104.21.22.131 🇺🇸

mint-c2.top
94.156.79.162 🇧🇬

mint-stl.ru
185.216.70.231 🇸🇨
95.214.25.207 🇸🇨
94.156.79.162 🇧🇬
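To put the indicators above, together with the C2 URL paths and the clipboard-reading PowerShell from the code analysis, to practical use, here is a small matcher that flags log lines containing any of them. It is added as an example and is not the author's tooling. The hashes, IPs, domains and /api/ paths are the ones listed in this article; the log lines and their field layout are constructed for illustration and are not real telemetry. The Cloudflare addresses (104.21.x.x, 172.67.x.x) are left out of the IP set on purpose, since they are shared anycast edges; the domain names catch that traffic instead.

```python
"""Scan log lines for the Mint Stealer indicators listed in this article.

Added example for this article, not the author's tooling. Hashes, IPs, domains
and C2 paths come from the article; the sample log lines are constructed.
"""
import re
from typing import List, Tuple

IOC_MD5 = {
    "e6e620e5cac01f73d0243dc9cf684193", "afefdbd2bf7a6a622eaf09ab4a1adb3b",
    "4629bd8e5e8cfe7256d1505e444c7db8", "c66ee818a2295aac69baa17df301de34",
    "ac449f08bd7edcecabfbf7c1231c02e8", "a1671d1d339b188fa3f437e79ccf21d1",
    "3832f42b8a1655a1ff2cce00aec7435b", "9f037593071344bc1354e5a619f914f4",
}
# Server-side infrastructure only. The Cloudflare anycast addresses from the
# article (104.21.x.x, 172.67.x.x) are deliberately left out: they are shared
# by many unrelated sites, so the domain names are matched instead.
IOC_IPS = {
    "109.236.93.59", "2.58.57.168", "94.156.79.162", "77.91.77.81",
    "85.114.96.2", "185.216.70.231", "95.214.25.207",
}
IOC_DOMAINS = ("mint-stealer.top", "mint-c2.top", "mint-stl.ru")
IOC_C2_PATHS = ("/api/won", "/api/injection")

MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Anchored so that e.g. "notmint-c2.top" is not reported as a hit.
DOMAIN_RES = {
    d: re.compile(r"(?<![\w.-])" + re.escape(d) + r"(?![\w-])") for d in IOC_DOMAINS
}

Hit = Tuple[str, str]  # (indicator type, matched value)


def classify(line: str) -> List[Hit]:
    """Return every indicator found in one log line, in a stable order."""
    hits: List[Hit] = []
    for h in MD5_RE.findall(line):
        if h.lower() in IOC_MD5:
            hits.append(("md5", h.lower()))
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    lowered = line.lower()
    for d, rx in DOMAIN_RES.items():
        if rx.search(lowered):
            hits.append(("domain", d))
    for p in IOC_C2_PATHS:
        if p in lowered:
            hits.append(("c2_path", p))
    # Behavioural indicator from the code analysis: PowerShell reading the clipboard.
    if "powershell" in lowered and "get-clipboard" in lowered:
        hits.append(("behaviour", "powershell Get-Clipboard"))
    return hits


def scan(lines: List[str]) -> List[Tuple[int, List[Hit]]]:
    """Return (line index, hits) for every line with at least one indicator."""
    flagged: List[Tuple[int, List[Hit]]] = []
    for i, line in enumerate(lines):
        hits = classify(line)
        if hits:
            flagged.append((i, hits))
    return flagged


# Constructed sample log lines (proxy, DNS and EDR style); not real telemetry.
SAMPLE_LOGS = [
    "2024-06-24T10:02:11Z proxy src=10.0.0.15 dst=94.156.79.162 url=http://mint-c2.top/api/won status=200",
    "2024-06-24T10:02:13Z dns client=10.0.0.15 query=mint-stealer.top rcode=NOERROR",
    '2024-06-24T10:02:20Z edr host=WS-17 parent=Update.exe cmd="powershell -w hidden -c Get-Clipboard"',
    "2024-06-24T10:03:02Z edr host=WS-17 file=C:\\Users\\u\\Downloads\\Update.exe md5=e6e620e5cac01f73d0243dc9cf684193",
    "2024-06-24T10:05:00Z proxy src=10.0.0.22 dst=93.184.216.34 url=https://example.com/ status=200",
    "2024-06-24T10:06:00Z dns client=10.0.0.22 query=notmint-c2.top rcode=NXDOMAIN",
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLE_LOGS):
        print(f"line {idx}: {found}")
```

The domain patterns are anchored on both sides so that a lookalike such as notmint-c2.top does not fire; a hit on the C2 path or the clipboard read is reported separately from the network indicators, since those survive a domain or IP change by the operator.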
