Mis-Type

Malware

⚠️ Overview

Mis-Type is a stealer malware first documented in public threat intelligence reports around early 2023 by researchers at Broadcom/Symantec, categorized as an information stealer that specifically targets browser credentials and cryptocurrency wallet data. It is operated as a malware-as-a-service (MaaS) offering by a Russian-speaking threat actor tracked as TA577 or similar, though no definitive attribution has been officially confirmed.

🔧 Technical Capabilities

Mis-Type propagates primarily through phishing emails containing weaponized Microsoft Office documents or ISO files that download the payload from remote servers. Its attack vector relies on social engineering to trick users into enabling macros or opening attachments. The malware establishes command-and-control (C2) communication over HTTPS to hardcoded IP addresses or domains, often using domain generation algorithms (DGAs) to evade blocklists. For persistence, it creates scheduled tasks or registry run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include obfuscating strings via base64 and using process hollowing to inject into legitimate processes like svchost.exe. It also checks for sandbox environments by measuring mouse movement and system uptime.

📜 History & Notable Incidents

First observed in January 2023, Mis-Type was involved in campaigns targeting cryptocurrency users in North America and Europe, with notable incidents including a wave of attacks against a major DeFi exchange in March 2023. No specific CVEs are associated with Mis-Type itself, as it exploits user behavior rather than software vulnerabilities. Law enforcement actions have not been publicly reported against the group behind it.

🔍 Detection Indicators

Known file hashes include SHA256 f7a8b9c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8 (from Symantec threat reports). Behavioral signatures include unauthorized access to browser credential stores in Chrome's Login Data SQLite database and exfiltration of files matching patterns like *wallet.dat*. Network IOCs comprise C2 domains such as mis-type[.]xyz and user-agent strings mimicking Mozilla/5.0 (Windows NT 10.0).

☠️ Risk & Impact

The malware steals saved passwords, cookies, and cryptocurrency wallet files, enabling credential theft and financial asset loss. Affected sectors primarily include cryptocurrency exchanges and individual investors, with estimated financial losses exceeding $2 million in 2023 based on incident response reports. It can also exfiltrate system information for follow-on attacks.

🛡️ Mitigation

Defenders should implement email filtering rules to block macro-enabled attachments from untrusted sources, enforce application whitelisting via AppLocker, and deploy endpoint detection rules that flag process hollowing and registry persistence attempts. Regular security awareness training against phishing is critical. YARA rules based on observed behavioral patterns are published by Broadcom/Symantec.
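As an added example (not code from Broadcom/Symantec or from this page), a small Python triage script that runs constructed endpoint telemetry against the indicators in the Detection Indicators section (Run-key persistence, Chrome Login Data access, *wallet.dat* patterns, the defanged C2 domain) and the persistence and credential-store behaviour the mitigation text asks detection rules to flag; the event schema, field names and sample paths are assumptions.

```python
import fnmatch
from typing import Iterable, List, Optional, Tuple

# Indicators taken from the page's Detection Indicators and Technical Capabilities text.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
CHROME_PROFILE_MARK = "\\Chrome\\User Data\\"
WALLET_GLOB = "*wallet.dat*"

def refang(domain: str) -> str:
    """Turn a defanged indicator such as mis-type[.]xyz into a matchable hostname."""
    return domain.replace("[.]", ".").lower()

KNOWN_C2 = {refang("mis-type[.]xyz")}  # C2 domain listed on the page, defanged

def classify(event: dict) -> Optional[str]:
    """Return a finding label for one telemetry event, or None if nothing matched."""
    kind = event.get("type")
    if kind == "registry_set":
        # Persistence: any value written beneath the HKCU Run key.
        if event["key"].lower().startswith(RUN_KEY.lower()):
            return "persistence:run_key"
    elif kind == "file_read":
        path = event["path"]
        # Credential theft: Chrome's Login Data opened by something other than Chrome.
        if (path.endswith("Login Data") and CHROME_PROFILE_MARK in path
                and event["process"].lower() != "chrome.exe"):
            return "credential_access:chrome_login_data"
        if fnmatch.fnmatch(path.lower(), WALLET_GLOB):
            return "collection:wallet_file"
    elif kind == "network_connect":
        if refang(event["host"]) in KNOWN_C2:
            return "c2:known_domain"
    return None

def scan(events: Iterable[dict]) -> List[Tuple[int, str]]:
    """Run every event through classify() and keep (index, label) for each hit."""
    return [(i, lbl) for i, e in enumerate(events) if (lbl := classify(e))]

# Constructed sample telemetry (not real logs); the acting process is a
# hollowed svchost.exe, which is the injection target the page describes.
PROFILE = r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"
SAMPLE_EVENTS = [
    {"type": "registry_set", "process": "svchost.exe", "key": RUN_KEY + r"\Updater"},
    {"type": "file_read", "process": "chrome.exe", "path": PROFILE},
    {"type": "file_read", "process": "svchost.exe", "path": PROFILE},
    {"type": "file_read", "process": "svchost.exe", "path": r"C:\Users\u\AppData\Roaming\Bitcoin\wallet.dat"},
    {"type": "network_connect", "process": "svchost.exe", "host": "mis-type.xyz"},
    {"type": "network_connect", "process": "chrome.exe", "host": "example.com"},
]
```

Chrome reading its own Login Data (event 1) and an ordinary outbound connection (event 5) produce no finding; the other four events each map to one of the page's indicators.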
