close
close

Styx stealer creator’s OPSEC flaw reveals customer list and profit details


Styx stealer creator’s OPSEC flaw reveals customer list and profit details

21 August 2024Ravie LakshmananCyber ​​espionage / threat intelligence

Styx stealer creator’s OPSEC flaw reveals customer list and profit details

In an operational security breach (OPSEC) case, the operator of a new information stealer called Styx Stealer leaked data from his own computer, including customer details, winning information, nicknames, phone numbers and email addresses.

Styx Stealer, a derivative of the Phemedrone Stealer, can steal browser data, Telegram and Discord instant messaging sessions, and cryptocurrency wallet information, cybersecurity firm Check Point said in an analysis. The malware first appeared in April 2024.

“Styx Stealer is most likely based on the source code of an old version of Phemedrone Stealer, which lacks some features of newer versions, such as sending reports to Telegram, report encryption, and more,” the company noted.

Cybersecurity

“However, the developer of Styx Stealer has added some new features: autostart, clipboard monitor and crypto clipper, additional sandbox bypass and anti-analysis techniques, and has reimplemented sending data to Telegram.”

The malware is offered on a dedicated website (“styxcrypter(.)com”) for $75 per month (or $230 for three months or $350 for a lifetime subscription). Licenses for the malware require potential buyers to set up a Telegram account (@styxencode). It is linked to a Turkey-based threat actor who goes by the pseudonym STY1X on cybercrime forums.

Check Point stated that it was able to uncover links between STY1X and a March 2024 spam campaign that distributed the “Agent Tesla” malware targeting various sectors in China, India, the Philippines, and the United Arab Emirates. The activity of “Agent Tesla” was attributed to a threat actor called Fucosreal, whose approximate location is in Nigeria.

This was possible because STY1X debugged the stealer on his own machine using a Telegram bot token provided by Fucosreal. This serious bug allowed the cybersecurity firm to identify up to 54 customers and 8 cryptocurrency wallets that likely belonged to STY1X and were allegedly used to receive the payments.

“What was notable about this campaign was the use of the Telegram Bot API for data exfiltration, leveraging Telegram’s infrastructure instead of traditional command-and-control (C&C) servers, which are easier to detect and block,” Check Point noted.

“However, this method has a significant flaw: each malware sample must contain a bot token for authentication. Decrypting the malware to extract this token gives access to all data sent via the bot and can thus reveal the recipient account.”

Cybersecurity

The disclosure comes against the backdrop of the emergence of new types of stealer malware such as Ailurophile, Banshee Stealer and QWERTY, while well-known stealers such as RedLine are used in phishing attacks targeting Vietnamese oil and gas companies, industrial, electrical and heating equipment manufacturers, as well as the paint, chemical and hotel industries.

“RedLine is a known thief that targets login credentials, credit card data, browsing history and even cryptocurrency wallets,” said Symantec, which is owned by Broadcom. “It is actively used by numerous groups and individuals around the world.”

“Once installed, it collects data from the victim’s computer and sends it to a remote server or Telegram channel controlled by the attackers.”

Did you find this article interesting? Follow us on Þjórsárden and LinkedIn to read more exclusive content we publish.

Leave a Reply

Your email address will not be published. Required fields are marked *