Styx Stealer maker’s OPSEC fail leaks customer list, profit data

August 21, 2024 | Ravie Lakshmanan | Cyber Espionage / Threat Intelligence

In what amounts to an operational security (OPSEC) failure, the operator behind a new information stealer dubbed Styx Stealer has leaked data from his own computer, including customer details, earnings information, nicknames, phone numbers and email addresses.

Styx Stealer, a derivative of the Phemedrone Stealer, is capable of stealing browser data, Telegram and Discord instant messenger sessions, and cryptocurrency wallet information, cybersecurity firm Check Point said in an analysis. It first appeared in April 2024.

“Styx Stealer is most likely based on the source code of an old version of Phemedrone Stealer, which lacks some features that are available in newer versions, such as sending reports to Telegram, encrypting reports, and more,” the company said.

“However, the creator of Styx Stealer has added a number of new features: auto-launch, clipboard monitor and crypto clipper, additional sandbox evasion and anti-analysis techniques, and reimplemented sending data to Telegram.”

Advertised for $75 per month (or $230 for three months or $350 for a lifetime subscription) on a dedicated website (“styxcrypter(.)com”), licenses for the malware require prospective buyers to contact a Telegram account (@styxencode). The malware is linked to a Turkey-based threat actor who operates on cybercrime forums under the alias STY1X.

Check Point reported that it was able to discover links between STY1X and a March 2024 spam campaign that distributed Agent Tesla malware and targeted multiple industries in China, India, the Philippines, and the UAE. Agent Tesla’s activity has been attributed to a malicious actor called Fucosreal, who is believed to be based in Nigeria.

This was made possible when STY1X debugged the stealer on their own machine using a Telegram bot token from Fucosreal. This fatal flaw allowed the cybersecurity firm to identify as many as 54 customers and 8 cryptocurrency wallets, likely belonging to STY1X, that were allegedly used to receive the payments.

“This campaign was notable for its use of the Telegram Bot API for data exfiltration, leveraging Telegram’s infrastructure instead of traditional command-and-control (C&C) servers, which are easier to detect and block,” Check Point said.

“However, this method has a key flaw: each malware sample must contain a bot token for authentication. Decrypting the malware to extract this token provides access to all data sent through the bot, exposing the recipient’s account.”
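The weakness Check Point describes, a bot token embedded in every sample, is also what lets defenders identify and block the exfiltration channel. The following is an added example, not Check Point's tooling and not code from the Styx Stealer or Phemedrone code bases: a triage script that pulls Telegram Bot API tokens, the API method called and the destination chat ID out of a sample's strings (scanning both raw bytes and the NUL-stripped view that exposes .NET UTF-16LE literals), and a second function that flags Bot API traffic in proxy log lines. The token, sample bytes and log lines are constructed for the example.

```python
"""Triage helper for Telegram Bot API exfiltration (added example; the
token, sample bytes and proxy log lines below are constructed)."""
import re
from dataclasses import dataclass
from typing import Optional

# A Telegram bot token has the shape <bot id>:<35-character secret>.
TOKEN_RE = re.compile(
    rb"(?<![0-9A-Za-z_-])(\d{8,10}):([A-Za-z0-9_-]{35})(?![0-9A-Za-z_-])"
)
# Full Bot API URL, as a stealer embeds it to call sendDocument/sendMessage.
API_CALL_RE = re.compile(
    rb"https?://api\.telegram\.org/bot(\d{8,10}:[A-Za-z0-9_-]{35})/([A-Za-z]+)"
)
CHAT_ID_RE = re.compile(rb"chat_id=(-?\d+)")


@dataclass(frozen=True)
class TelegramIndicator:
    bot_id: str             # public half of the token; safe to put in a report
    method: Optional[str]   # Bot API method the sample calls, if a URL was found
    chat_id: Optional[str]  # destination chat (operator's account or group)


def _views(blob: bytes) -> list[bytes]:
    # .NET stealers store string literals as UTF-16LE; dropping NUL bytes lets
    # the same ASCII regexes match them. Crude, but good enough for triage.
    return [blob, blob.replace(b"\x00", b"")]


def extract_telegram_indicators(blob: bytes) -> list[TelegramIndicator]:
    """Return one indicator per distinct bot token found in the sample."""
    found: dict[str, TelegramIndicator] = {}
    for view in _views(blob):
        for m in API_CALL_RE.finditer(view):
            token, method = m.group(1).decode(), m.group(2).decode()
            # chat_id is normally a query parameter right after the method
            chat = CHAT_ID_RE.search(view[m.end():m.end() + 200])
            found[token] = TelegramIndicator(
                token.split(":")[0], method, chat.group(1).decode() if chat else None
            )
        for m in TOKEN_RE.finditer(view):
            token = m.group(0).decode()
            found.setdefault(token, TelegramIndicator(m.group(1).decode(), None, None))
    return sorted(found.values(), key=lambda i: i.bot_id)


# Proxy log checks. Without TLS inspection only the CONNECT to the host is
# visible, which is still worth alerting on from hosts with no Telegram client.
HOST_RE = re.compile(r"\bapi\.telegram\.org\b")
BOT_PATH_RE = re.compile(r"/bot\d{8,10}:[A-Za-z0-9_-]{35}/([A-Za-z]+)")


def flag_bot_api_traffic(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line number, verdict) for log lines touching the Bot API."""
    hits = []
    for n, line in enumerate(lines, 1):
        if not HOST_RE.search(line):
            continue
        m = BOT_PATH_RE.search(line)
        hits.append((n, f"bot-api:{m.group(1)}" if m else "bot-api-host-only"))
    return hits


# Constructed sample: a fake PE prefix, one ASCII Bot API URL with chat_id and
# one UTF-16LE token literal. Neither token is real.
CONSTRUCTED_TOKEN = "1234567890:AAEconstructedTokenForExampleOnly_0"
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"https://api.telegram.org/bot" + CONSTRUCTED_TOKEN.encode()
    + b"/sendDocument?chat_id=987654321\x00\r\n"
    + "5555555555:AAFanotherConstructedTokenExample_0".encode("utf-16-le")
    + b"\x00\x00"
)

# Constructed proxy log lines (timestamp, client, request, status).
CONSTRUCTED_PROXY_LOG = [
    "2024-08-21T10:00:01Z 10.0.0.5 CONNECT api.telegram.org:443 200",
    "2024-08-21T10:00:02Z 10.0.0.5 POST https://api.telegram.org/bot"
    + CONSTRUCTED_TOKEN + "/sendDocument 200",
    "2024-08-21T10:00:03Z 10.0.0.7 GET https://example.com/index.html 200",
]

if __name__ == "__main__":
    for ind in extract_telegram_indicators(SAMPLE_BLOB):
        print(ind)
    for hit in flag_bot_api_traffic(CONSTRUCTED_PROXY_LOG):
        print(hit)
```

The script never contacts Telegram: identifying the bot ID and chat ID from strings is enough to pivot on the recipient and to write a network rule, and only the bot ID (not the secret half of the token) belongs in a shared report.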

The revelation comes as new stealer malware such as Ailurophile, Banshee Stealer and QWERTY is emerging. At the same time, well-known stealers such as RedLine are being used in phishing attacks targeting Vietnamese companies in the oil and gas, industrial, electrical and HVAC equipment manufacturing, paint, chemical and hotel sectors.

“RedLine is a known stealer that targets login credentials, credit card information, browser history, and even cryptocurrency wallets,” said Symantec, owned by Broadcom. “It is actively used by multiple groups and individuals around the world.”

“Once installed, it collects data from the victim’s computer and sends it to a remote server or Telegram channel controlled by the attackers.”
