Styx Stealer Developer’s Operational Security Blunder Reveals Customer List and Revenue Details
An operational security lapse led the actor behind a new information stealer called Styx Stealer to leak data from their own computer, exposing details about their customers, profits, nicknames, phone numbers, and email addresses.
Styx Stealer, a derivative of Phemedrone Stealer, is capable of stealing browser data, Telegram and Discord chat data, and cryptocurrency wallet information, according to an analysis by cybersecurity company Check Point. It first appeared in April 2024.
“Likely based on an outdated version of Phemedrone Stealer, Styx Stealer misses out on certain functionalities found in later versions like transmitting reports to Telegram, securing reports, and more,” the company noted in its analysis.
“However, the Styx Stealer creator introduced new functionalities such as automatic startup, clipboard monitoring and cryptocurrency clipper, enhanced sandbox evasion, anti-analysis strategies, and reinstated data transmission to Telegram.”
Sold for $75 per month (or $230 for three months, or $350 for a lifetime license) on a dedicated website (“styxcrypter[.]com”), licenses for the malware require prospective buyers to contact a Telegram account (@styxencode). The account is linked to a threat actor based in Turkey who uses the alias STY1X on cybercrime forums.
Check Point was able to link STY1X to a spam campaign in March 2024 that distributed Agent Tesla malware and targeted various sectors in China, India, the Philippines, and the U.A.E. The Agent Tesla activity has been attributed to an actor named Fucosreal, who is believed to be located in Nigeria.
The link was possible because STY1X debugged the stealer on their own machine using a Telegram bot token supplied by Fucosreal. This critical mistake allowed the cybersecurity firm to identify as many as 54 customers and 8 cryptocurrency wallets, likely belonging to STY1X, that were used to receive payments.
“The use of the Telegram Bot API for data exfiltration in this campaign was noteworthy, leveraging Telegram’s framework instead of conventional command-and-control (C&C) servers, which are easier to detect and block,” Check Point noted.
“Nonetheless, this approach has a notable drawback: each malware sample should feature a bot token for authentication. Deciphering the malware to isolate this token grants access to all data transmitted via the bot, disclosing the recipient account.”
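Because the bot token has to ship inside every sample, defenders can recover the exfiltration channel during triage. The following is an added Python example (not Check Point's tooling and not code from Styx Stealer or Phemedrone): it scans raw sample bytes for the Telegram bot token layout and any chat_id values named near it, in both 8-bit and UTF-16LE encodings (the latter being how .NET binaries store string literals), and emits a redacted line suitable for an abuse report or intel feed. The sample bytes, token, and chat IDs are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample bytes standing in for strings pulled from a .NET stealer:
# one ASCII copy and one UTF-16LE copy of a Telegram Bot API exfiltration URL.
# The bot token and chat IDs are invented and do not belong to any real bot.
FAKE_TOKEN = "1234567890:AAEabcdefghijklmnopqrstuvwxyz012345"
SAMPLE = (
    b"\x00\x01junk" + b"https://api.telegram.org/bot" + FAKE_TOKEN.encode()
    + b"/sendDocument?chat_id=987654321\x00more junk"
    + ("https://api.telegram.org/bot" + FAKE_TOKEN
       + "/sendMessage?chat_id=-100112233").encode("utf-16-le")
)

# Bot token layout: numeric bot id, a colon, then a 35-character secret.
TOKEN_RE = re.compile(r"([0-9]{8,10}):([A-Za-z0-9_-]{35})")
CHAT_RE = re.compile(r"chat_id=(-?[0-9]{5,16})")

@dataclass(frozen=True)
class Finding:
    bot_id: str         # numeric bot id: safe to put in a report
    token_tail: str     # last 4 chars of the secret, for de-duplication only
    chat_ids: tuple     # recipient chat ids seen near the token

def _views(data: bytes):
    """Yield the buffer as 8-bit text and as UTF-16LE at both byte alignments."""
    yield data.decode("latin-1")
    for off in (0, 1):
        yield data[off:].decode("utf-16-le", errors="ignore")

def extract_telegram_exfil(data: bytes) -> list:
    """Find embedded bot tokens and the chat ids named within 200 chars of each."""
    chats_by_bot, tails = {}, {}
    for text in _views(data):
        for m in TOKEN_RE.finditer(text):
            bot_id, secret = m.group(1), m.group(2)
            window = text[m.end():m.end() + 200]
            chats_by_bot.setdefault(bot_id, set()).update(CHAT_RE.findall(window))
            tails[bot_id] = secret[-4:]
    return [Finding(b, tails[b], tuple(sorted(c)))
            for b, c in sorted(chats_by_bot.items())]

def report_line(f: Finding) -> str:
    """Redacted one-liner: shares the bot id and recipients, never the secret."""
    return f"telegram bot {f.bot_id} (token ...{f.token_tail}) -> chats {', '.join(f.chat_ids)}"

if __name__ == "__main__":
    for finding in extract_telegram_exfil(SAMPLE):
        print(report_line(finding))
```

The UTF-16LE pass is tried at both byte offsets because a wide string can start at an odd file offset, and a single misaligned decode would miss it.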

The disclosure comes amid the emergence of new information-stealer families such as Ailurophile, Banshee Stealer, and QWERTY, even as established stealers like RedLine are being used in phishing campaigns targeting the Vietnamese oil and gas, industrial, electrical and HVAC manufacturing, paint, chemical, and hotel sectors.
“RedLine is a renowned data thief that focuses on obtaining login credentials, credit card specifics, web browsing records, and virtual currency wallets,” Symantec, a subsidiary of Broadcom, said. “Various groups and individuals across the globe actively utilize it.”
“Upon installation, it acquires data from the infected computer and transmits it to a remote server or Telegram channel controlled by the adversaries.”