What Mint Stealer Does
- Steals Data:
  - It targets web browsers, cryptocurrency wallets, VPN clients, email clients, and clipboard contents (text the user copies and pastes).
  - It harvests sensitive details such as saved passwords, private keys, and system information.
- Works Secretly:
  - It hides its presence with encryption and obfuscation so that antivirus software is less likely to flag it.
- Sends Stolen Data:
  - After collecting the data, it compresses it into an archive and uploads it to the operator's Command and Control (C2) server.
- Widely Available:
  - It is sold as Malware-as-a-Service (MaaS) on dark web platforms, so anyone can buy and operate it without advanced hacking skills.
1. Infrastructure Setup
- Argus Server: Deploy an Argus server from the version 4.9.0 OVA, following the Argus installation guide.
- Windows 10 Endpoint: Install the Argus agent version 4.9.0 on a Windows 10 machine and enroll it with the Argus server.
2. Detecting Mint Stealer Malware
Using Argus Detection Rules
- Install Sysmon on Windows Endpoint:
- Download Sysmon from the Microsoft Sysinternals page.
- Extract the compressed Sysmon file.
- Download the Sysmon configuration file using PowerShell (wget is the PowerShell alias for Invoke-WebRequest here, not GNU wget; replace <SYSMON_EXECUTABLE_PATH> with the directory Sysmon was extracted into):
powershell
wget -Uri https://Argus.com/resources/blog/emulation-of-attack-techniques-and-detection-with-Argus/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml
- Install and start Sysmon:
powershell
.\Sysmon64.exe -accepteula -i .\sysmonconfig.xml
- Forward Sysmon logs to the Argus server by adding the following inside the <ossec_config> block of the Argus agent's ossec.conf file (the agent forwards the Microsoft-Windows-Sysmon/Operational channel through the eventchannel log format):
<localfile>
<location>Microsoft-Windows-Sysmon/Operational</location>
<log_format>eventchannel</log_format>
</localfile>
- Restart the Argus agent:
powershell
Restart-Service -Name Argus
- Create Detection Rules on the Argus Server:
- Create a new file mint_stealer_malware.xml in the /var/ossec/etc/rules/ directory.
- Define rules that match the Sysmon events Mint Stealer produces: an executable written to a user-writable location (Sysmon event 11, FileCreate), a DLL loaded from such a location (event 7, ImageLoad), and a process collecting clipboard or system information (event 1, ProcessCreate). Chain them to the server's built-in Sysmon rules with <if_sid> rather than matching the raw event text.
- Restart the Argus manager:
sudo systemctl restart Argus-manager
- Visualize Alerts:
- Navigate to the Argus dashboard: Threat intelligence > Threat Hunting.
- Filter alerts using rule IDs 100190, 100191, 100192, and 100193.
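An illustrative mint_stealer_malware.xml for the step above, added here as an example rather than taken from the original page or the Argus project. It assumes that the stock Sysmon ruleset uses 61603, 61605, 61609 and 61613 as the base rules for Sysmon events 1, 3, 7 and 11, and that the Sysmon decoder exposes event data as win.eventdata.* fields (targetFilename, imageLoaded, parentImage, commandLine, image, initiated, destinationIp, destinationPort); verify both against the ruleset and decoder shipped with the server before loading the file. The path and command-line patterns are generic dropper and stealer behaviours, not Mint Stealer indicators.

```xml
<!-- /var/ossec/etc/rules/mint_stealer_malware.xml (added example, not the original page's rules) -->
<group name="windows,sysmon,mint_stealer,">

  <!-- Assumed parent rules from the bundled Sysmon ruleset:
       61603 = Sysmon event 1  (process created)
       61605 = Sysmon event 3  (network connection)
       61609 = Sysmon event 7  (image loaded)
       61613 = Sysmon event 11 (file created)
       The win.eventdata.* field names are assumed to follow the bundled Sysmon decoder. -->

  <!-- 100190: an executable is written into the user's Temp directory,
       where droppers stage the stealer before launching it. -->
  <rule id="100190" level="10">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)\\AppData\\Local\\Temp\\[^\\]+\.exe$</field>
    <description>Executable $(win.eventdata.targetFilename) written to Temp by $(win.eventdata.image)</description>
    <mitre>
      <id>T1204.002</id>
    </mitre>
  </rule>

  <!-- 100191: a DLL is loaded from the Temp directory. -->
  <rule id="100191" level="10">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.imageLoaded" type="pcre2">(?i)\\AppData\\Local\\Temp\\[^\\]+\.dll$</field>
    <description>$(win.eventdata.image) loaded DLL $(win.eventdata.imageLoaded) from Temp</description>
    <mitre>
      <id>T1129</id>
    </mitre>
  </rule>

  <!-- 100192: a process spawned by a Temp-resident binary reads the clipboard
       or enumerates the host. Multiple <field> elements are ANDed, so both
       the parent path and the command line must match. -->
  <rule id="100192" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.parentImage" type="pcre2">(?i)\\AppData\\Local\\Temp\\[^\\]+\.exe$</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)(Get-Clipboard|systeminfo|wmic\s+os\s+get)</field>
    <description>Clipboard or system information collected by a process spawned from Temp: $(win.eventdata.commandLine)</description>
    <mitre>
      <id>T1115</id>
      <id>T1082</id>
    </mitre>
  </rule>

  <!-- 100193: a Temp-resident process opens an outbound connection, the
       point at which the compressed archive would leave for the C2 server. -->
  <rule id="100193" level="12">
    <if_sid>61605</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\AppData\\Local\\Temp\\[^\\]+\.exe$</field>
    <field name="win.eventdata.initiated">^true$</field>
    <description>Outbound connection from Temp-resident process $(win.eventdata.image) to $(win.eventdata.destinationIp):$(win.eventdata.destinationPort)</description>
    <mitre>
      <id>T1041</id>
    </mitre>
  </rule>

</group>
```

Rules 100190 and 100191 will also fire on legitimate installers that unpack into Temp; keep them at a lower level than the two behavioural rules and, if they prove noisy, exclude known-good publishers by adding a further <field> condition on win.eventdata.image before raising the level.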
3. Responding to Mint Stealer Using YARA Integration
Setup on Windows Endpoint
- Install Required Dependencies:
- Python (v3.8.7 or later) and Microsoft Visual C++ Redistributable.
- Download and Setup YARA:
- Download YARA executable:
powershell
Invoke-WebRequest -Uri https://github.com/VirusTotal/yara/releases/download/v4.5.2/yara-v4.5.2-2326-win64.zip -OutFile v4.5.2-2326-win64.zip
Expand-Archive v4.5.2-2326-win64.zip
- Copy the extracted YARA binary (yara64.exe) into the active-response bin directory of the Argus agent so that the active response script can invoke it.
- Add YARA Rules:
- Download YARA rules using a Python script (download_yara_rules.py).
- Add custom rules to detect Mint Stealer malware.
- Configure Active Response:
- Create a batch script (yara.bat) in the same active-response bin directory. The manager passes the triggering alert to the script as JSON on standard input; the script extracts the path of the added or modified file from the alert, scans that file with yara64.exe against the downloaded rule set, writes the outcome to the agent's active-responses.log, and deletes the file when a rule matches.
- Restart Argus Agent:
powershell
Restart-Service -Name Argus
Setup on Argus Server
- Add Custom Decoders:
- Edit the /var/ossec/etc/decoders/local_decoder.xml file to define decoders that parse the log lines yara.bat writes (the matched rule name and the scanned file path) into fields the rules can reference.
- Add Custom Rules:
- Update /var/ossec/etc/rules/local_rules.xml with rules for detecting and responding to YARA matches.
- Configure Active Response:
- Add the following inside the <ossec_config> block of the Argus server's ossec.conf file. The command block registers yara.bat, and the active-response block runs it on the agent that produced the alert (location local) whenever rule 100028 or 100029 fires:
<command>
<name>yara</name>
<executable>yara.bat</executable>
<timeout_allowed>no</timeout_allowed>
</command>
<active-response>
<command>yara</command>
<location>local</location>
<rules_id>100028,100029</rules_id>
</active-response>
- Restart the Argus manager:
systemctl restart Argus-manager
- Visualize Alerts:
- Filter alerts on the Argus dashboard using rule IDs 100029, 100195, and 100196.
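The decoder and rule definitions the two steps above refer to, written out as an added example (not from the original page or the Argus project). It assumes that yara.bat writes one line per result to active-responses.log in the form "argus-yara: INFO - Scan result: <rule> <file>" or "argus-yara: INFO - Successfully deleted: <file>", that the agent already forwards that log, and that 554 and 550 are the stock file integrity monitoring rules for "file added" and "integrity checksum changed"; adjust the prefix and the parent IDs to whatever the script and the bundled ruleset actually use.

```xml
<!-- /var/ossec/etc/decoders/local_decoder.xml (added example) -->

<!-- Parent decoder: selects every line yara.bat writes (assumed "argus-yara:" prefix). -->
<decoder name="yara_decoder">
  <prematch>argus-yara:</prematch>
</decoder>

<!-- Child decoder for "argus-yara: INFO - Scan result: <rule> <file>".
     \S+ stops at the first space, so the scanned path must not contain spaces
     or the script must write it without them. -->
<decoder name="yara_decoder_result">
  <parent>yara_decoder</parent>
  <regex>argus-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
  <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<!-- Child decoder for "argus-yara: INFO - Successfully deleted: <file>". -->
<decoder name="yara_decoder_deleted">
  <parent>yara_decoder</parent>
  <regex>argus-yara: (\S+) - Successfully deleted: (\S+)</regex>
  <order>log_type, yara_scanned_file</order>
</decoder>


<!-- /var/ossec/etc/rules/local_rules.xml (added example) -->

<!-- Triggers for the active response: a file added to or changed in a user's
     Downloads folder. 554 and 550 are assumed to be the stock FIM rules for
     "file added" and "integrity checksum changed"; the file field is assumed
     to carry the full path. -->
<group name="syscheck,">
  <rule id="100028" level="7">
    <if_sid>554</if_sid>
    <field name="file" type="pcre2">(?i)^C:\\Users\\[^\\]+\\Downloads\\</field>
    <description>File added to Downloads: $(file)</description>
  </rule>

  <rule id="100029" level="7">
    <if_sid>550</if_sid>
    <field name="file" type="pcre2">(?i)^C:\\Users\\[^\\]+\\Downloads\\</field>
    <description>File modified in Downloads: $(file)</description>
  </rule>
</group>

<!-- Alerts raised from the lines yara.bat writes back. Both rules hang directly
     off the decoder, so no extra grouping rule ID is needed. -->
<group name="yara,">
  <rule id="100195" level="12">
    <decoded_as>yara_decoder</decoded_as>
    <match>Scan result: </match>
    <description>YARA match: $(yara_scanned_file) matched rule $(yara_rule)</description>
  </rule>

  <rule id="100196" level="12">
    <decoded_as>yara_decoder</decoded_as>
    <match>Successfully deleted: </match>
    <description>Active response removed $(yara_scanned_file) after a YARA match</description>
  </rule>
</group>
```

Rules 100028 and 100029 only fire if the agent's file integrity monitoring covers C:\Users\*\Downloads, so add that directory (with realtime monitoring) to the agent's <syscheck> block if it is not already watched; otherwise the scan will not run until the next scheduled integrity check. Keep the prefix in the <prematch> and <regex> elements identical to the one yara.bat writes, or the decoder will never match and 100195 and 100196 will stay silent even though the file was deleted.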
4. Validation
- Simulate an infection by dropping a Mint Stealer malware sample into a directory the agent monitors on the Windows 10 endpoint.
- Confirm that the Sysmon-based rules raise alerts for the sample's behaviour, that the file event triggers the YARA active response, and that the dashboard shows the YARA match and the deletion of the file.