
‘Styx Stealer’ Blows Its Own Cover with Sloppy OpSec Mistake

Security researchers were able to gather valuable information about the creator of a sophisticated new malware tool called Styx Stealer thanks to a fundamental operational security flaw on the part of the attacker.

The misstep allowed researchers — from Check Point Research (CPR) — to identify the malware’s author as an individual operating out of Turkey with connections to the operator of an Agent Tesla campaign, one of the oldest and most prolific information stealers still in operation. The misstep also allowed researchers to collect other personal data, including the malware author’s Telegram accounts, contacts, emails, and cryptocurrency transfers over a two-month period, totaling approximately $9,500 from buyers of Styx Stealer and a separate encryption tool.

A fortunate OpSec failure

“While debugging Styx Stealer, the developer made a fatal mistake and leaked data from his computer,” wrote CPR researcher Alexey Bukhteyev in a recent blog post. “(This) allowed CPR to obtain a large amount of information, including customer numbers, earnings information, nicknames, phone numbers and email addresses, as well as similar data about the actor behind the Agent Tesla campaign.”

Instances where threat actors inadvertently dox themselves via operational vulnerabilities, while somewhat rare, continue to occur. And when they do, security researchers are quick to capitalize on those flaws and gather as much detail as possible about the threat actor’s tactics, techniques, and procedures.

Threat actors regularly contribute to their own discovery. Last year, Mandiant was able to attribute an attack on enterprise directory-as-a-service provider JumpCloud to the North Korean Lazarus Group after a security audit revealed the threat actor’s real IP address in North Korea. Similar mistakes — in this case, a failure to properly clean up after a ransomware attack — allowed Secureworks to expose the personas and companies behind the Iranian threat group Cobalt Mirage. In 2021, researchers from IBM’s X-Force threat intelligence group collected valuable information about the Iranian cyber-espionage group “Charming Kitten” due to multiple operational security flaws by the attacker.

Putting the pieces together

CPR researchers got their first clues about the author of Styx Stealer when they analyzed a malicious file containing Agent Tesla that they had extracted from a spam campaign last March. They found the malware using Telegram’s Bot API for data exfiltration and were able to extract the Telegram bot token. This allowed CPR researchers to keep tabs on the threat actor’s Telegram bot.

That in turn led to the discovery of a malicious archive file containing a document named “Styx Stealer” and a screenshot showing someone working in Visual Studio on a project named “PhemedroneStealer” and debugging a process named “Styx-Stealer.exe.” The program file in the project contained a hardcoded Telegram bot token and chat ID identical to what CPR researchers had extracted from the Agent Tesla sample.
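The pivot CPR describes above rests on two hardcoded values, a Telegram bot token and a chat ID, turning up identically in two different samples. The following Python is an added example (not CPR’s tooling or code from the article) of how an analyst can pull those values out of a sample and compare samples on them. It assumes Telegram’s bot token format is `<numeric bot id>:<35-character secret>` and that the token is embedded next to an `api.telegram.org/bot…/<method>` URL and a `chat_id` field; the sample bytes and token are constructed for the example, not taken from any real malware.

```python
import re
from typing import Dict, List

# Assumed token shape "<bot id>:<35-char secret>" (not stated in the article).
# The bot id survives token rotation, so it is the stable pivot between samples.
TOKEN_RE = re.compile(rb"(?<![0-9])([0-9]{8,10}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
# Bot API calls look like api.telegram.org/bot<token>/<method>; capture the method name.
METHOD_RE = re.compile(rb"api\.telegram\.org/bot[0-9]{8,10}:[A-Za-z0-9_-]{35}/([A-Za-z]+)")
# chat_id appears as a query parameter or a JSON/form field next to the token.
CHAT_ID_RE = re.compile(rb"chat_id[^0-9-]{0,6}(-?[0-9]{6,})")


def _views(blob: bytes) -> List[bytes]:
    """Raw bytes plus the two byte-stride views that expose UTF-16LE strings,
    the encoding .NET binaries use for string literals (same idea as strings -el)."""
    return [blob, blob[0::2], blob[1::2]]


def extract_telegram_iocs(blob: bytes) -> Dict[str, List[str]]:
    """Return every Telegram bot token, bot id, chat id and API method found in blob."""
    tokens, bot_ids, chat_ids, methods = set(), set(), set(), set()
    for view in _views(blob):
        for bot_id, secret in TOKEN_RE.findall(view):
            tokens.add((bot_id + b":" + secret).decode())
            bot_ids.add(bot_id.decode())
        for method in METHOD_RE.findall(view):
            methods.add(method.decode())
        for chat in CHAT_ID_RE.findall(view):
            chat_ids.add(chat.decode())
    return {
        "bot_tokens": sorted(tokens),
        "bot_ids": sorted(bot_ids),
        "chat_ids": sorted(chat_ids),
        "api_methods": sorted(methods),
    }


def same_operator(iocs_a: Dict[str, List[str]], iocs_b: Dict[str, List[str]]) -> bool:
    """Two samples share an exfiltration channel if they embed the same bot id
    and the same chat id, even when the token secret itself differs."""
    return bool(set(iocs_a["bot_ids"]) & set(iocs_b["bot_ids"])) and bool(
        set(iocs_a["chat_ids"]) & set(iocs_b["chat_ids"])
    )


# Constructed sample bytes: an ASCII API URL with the token, and a UTF-16LE
# config string carrying the token again plus the chat id. Not a real token.
CONSTRUCTED_TOKEN = "1234567890:AAHCONSTRUCTEDexampleTokenXYZ012345"
SAMPLE_A = (
    b"\x00" * 16
    + b"https://api.telegram.org/bot" + CONSTRUCTED_TOKEN.encode() + b"/sendDocument"
    + b"\x00" * 7
    + ("config:" + CONSTRUCTED_TOKEN + "\x00chat_id:-1009876543210\x00").encode("utf-16le")
)
# Same bot id and chat id, but a rotated secret and a different API method.
SAMPLE_B = (
    b"api.telegram.org/bot1234567890:BBHCONSTRUCTEDexampleTokenXYZ999999"
    b"/sendMessage?chat_id=-1009876543210"
)
# Unrelated bot id and chat id.
SAMPLE_C = b"api.telegram.org/bot5555555555:CCHCONSTRUCTEDexampleTokenXYZ777777/sendMessage?chat_id=424242424"


if __name__ == "__main__":
    a, b, c = (extract_telegram_iocs(s) for s in (SAMPLE_A, SAMPLE_B, SAMPLE_C))
    print(a)
    print("A and B share an operator pivot:", same_operator(a, b))
    print("A and C share an operator pivot:", same_operator(a, c))
```

Running the module prints the IoCs recovered from `SAMPLE_A` and reports that `SAMPLE_A` and `SAMPLE_B` share a bot id and chat id while `SAMPLE_C` does not. The two strided views matter in practice because .NET stores string literals as UTF-16, so an ASCII-only search would miss the token in a Visual Studio build like the one in CPR’s screenshot.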

Working from there, the researchers were able to gather information that ultimately led to their identification of the author of Styx Stealer as an individual living in Turkey with the handle Sty1x and a number of different email addresses and phone numbers. Their analysis revealed that Sty1x was working with an individual with the handle @Mack_Sant, based in Lagos, Nigeria. Exchanges between the two showed that Sty1x was using @Mack_Sant to test Styx Stealer’s ability to exfiltrate data, first using a Styx Stealer-specific Telegram bot and then the Agent Tesla bot.

Data researchers were able to recover from both individuals’ computers — and visible in photos @Mack_Sant sent to Sty1x of a phone and laptop — showed the former was the operator of the Agent Tesla campaign that CPR investigated in March. “We also see a screenshot of Agent Tesla reports, which fully confirms our suspicion that @Mack_Sant (aka @Fucosreal) is the owner of this bot and the creator of the Agent Tesla campaign,” Bukhteyev wrote.

A slick info stealer

Styx Stealer itself is an information stealer based on an early version of the code associated with “Phemedrone Stealer”, a malware tool that researchers have observed being used in attacks targeting CVE-2023-36025, a vulnerability in Windows Defender SmartScreen from earlier this year.

The malware steals data from browser extensions in Chromium-based browsers, from cryptocurrency wallets, and from files in the My Documents and Desktop folders. It can also obtain location and system data, and steal Discord, Telegram and Steam sessions, CPR reported. Like many malware tools, Styx Stealer includes multiple obfuscation and detection evasion features, including functions that monitor and kill certain processes and determine if they are potentially running in a virtual machine. The malware is designed not to run in specific countries, including Russia, Ukraine, Kazakhstan, Moldova, Belarus and Azerbaijan.

“The Styx Stealer case is a compelling example of how even sophisticated cybercriminal operations can fail due to basic security flaws,” Bukhteyev said.