Styx Stealer Maker’s Operational Security Failure Leaks Client Roster and Earnings Info

Aug 21, 2024Ravie LakshmananDigital Espionage / Risk Intelligence


In an operational security (OPSEC) lapse, the individual behind a new information stealer called Styx Stealer inadvertently leaked data from their own computer, exposing details about their customers, revenue, aliases, phone numbers, and email addresses.

Styx Stealer, a derivative of Phemedrone Stealer, can exfiltrate data from web browsers, chat sessions from messaging platforms such as Telegram and Discord, and cryptocurrency wallet details, according to an analysis by cybersecurity firm Check Point. The malware first surfaced in April 2024.

“It’s probable that Styx Stealer is derived from an outdated version of Phemedrone Stealer’s source code, lacking certain functionalities present in later variations such as transmitting reports to Telegram, encrypting reports, etc.,” the analysis by the organization highlighted.


“Nonetheless, the individual responsible for Styx Stealer has introduced new components: auto-launch, clipboard surveillance and crypto-clipper, additional prevention techniques against sandbox environments and analysis, and has reinstated the practice of transmitting data over Telegram.”

Advertised for $75 per month (or $230 for three months, or $350 for a lifetime subscription) on a dedicated website (“styxcrypter[.]com”), licenses for the malware require prospective buyers to get in touch through a Telegram handle (@styxencode). The activity is linked to a threat actor based in Turkey who goes by the alias STY1X on underground forums.

Check Point also uncovered connections between STY1X and a spam campaign in March 2024 that distributed Agent Tesla malware and targeted organizations in China, India, the Philippines, and the U.A.E. The Agent Tesla campaign is attributed to a threat actor named Fucosreal, believed to be based in Nigeria.

The security company was able to establish these links because STY1X tested the stealer on their own machine using a Telegram bot token supplied by Fucosreal. This slip-up allowed Check Point to identify around 54 customers and 8 cryptocurrency wallets, likely belonging to STY1X, that were used to receive payments.

“This initiative stood out for its utilization of the Telegram Bot API to transfer data, employing Telegram’s infrastructure instead of traditional command-and-control (C&C) servers, which are more prone to detection and blocking,” Check Point specified.

“However, this technique harbors a notable vulnerability: each malware instance needs to incorporate a bot token for validation. Decrypting the malware to retrieve this token grants access to all transmitted data through the bot, revealing the recipient account.”
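The weakness Check Point describes also gives defenders a handle on this technique. The following Python script, added here as an illustration and not taken from the article or from Check Point's report, pulls an embedded bot token out of strings extracted from a sample, flags outbound Bot API calls in proxy logs, recovers the recipient `chat_id` from those calls, and groups infected hosts by token; the token shape, the log format and every value in it are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed Telegram bot token shape: numeric bot id, ':', then a 35-char secret of [A-Za-z0-9_-].
TOKEN = r"\d{8,10}:[A-Za-z0-9_-]{35}"
TOKEN_RE = re.compile(rf"(?<!\d)({TOKEN})(?![\w-])")
# Bot API call shape: https://api.telegram.org/bot<token>/<method>[?chat_id=<recipient>...]
API_RE = re.compile(rf"https?://api\.telegram\.org/bot({TOKEN})/(\w+)(?:\?\S*?chat_id=(-?\d+))?")

def redact(token):
    """Keep the bot id and the secret's edges so a report can cite the token without leaking it."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}...{secret[-4:]}"

def find_embedded_tokens(strings):
    """Strings pulled from a sample (e.g. `strings` output or a decrypted config): redacted tokens found."""
    return sorted({redact(m.group(1)) for s in strings for m in TOKEN_RE.finditer(s)})

def find_exfil_calls(log_lines):
    """Proxy log lines in the constructed format '<timestamp> <host> <verb> <url> <status>':
    flag Bot API calls and recover the calling host, API method, token and recipient chat_id."""
    hits = []
    for line in log_lines:
        m = API_RE.search(line)
        if not m:
            continue
        host = line.split()[1]
        hits.append({"host": host, "token": redact(m.group(1)),
                     "method": m.group(2), "chat_id": m.group(3)})
    return hits

def hosts_by_token(hits):
    """Group infected hosts by bot token: samples sharing a token report to the same recipient account."""
    groups = defaultdict(set)
    for h in hits:
        groups[h["token"]].add(h["host"])
    return {t: sorted(v) for t, v in groups.items()}

# Constructed sample data (hypothetical token, hosts and chat_id; not indicators from the article).
SAMPLE_STRINGS = [
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "https://api.telegram.org/bot1234567890:AAEwz7Qx8hF2kLmNoPqRsTuVwXyZ01234ab/sendDocument",
    "1234567890:AAEwz7Qx8hF2kLmNoPqRsTuVwXyZ01234ab",
    "wallet.dat",
]
SAMPLE_LOG = [
    "2024-08-20T10:15:03Z host-a POST https://api.telegram.org/bot1234567890:AAEwz7Qx8hF2kLmNoPqRsTuVwXyZ01234ab/sendDocument?chat_id=987654321 200",
    "2024-08-20T10:15:09Z host-a GET https://www.example.com/index.html 200",
    "2024-08-20T10:16:11Z host-b POST https://api.telegram.org/bot1234567890:AAEwz7Qx8hF2kLmNoPqRsTuVwXyZ01234ab/sendMessage?chat_id=987654321 200",
]

if __name__ == "__main__":
    print(find_embedded_tokens(SAMPLE_STRINGS))
    print(hosts_by_token(find_exfil_calls(SAMPLE_LOG)))
```

Legitimate Telegram bot traffic exists on many networks, so treat a match as a triage lead and confirm it against the sample that produced the token rather than blocking on the URL pattern alone.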


The disclosure coincides with the emergence of new information-stealing malware families such as Ailurophile, Banshee Stealer, and QWERTY, while established stealers like RedLine are being used in phishing attacks targeting Vietnamese organizations in the oil and gas, manufacturing, electrical and HVAC, paint, chemicals, and hospitality sectors.

“RedLine is a recognized data snatcher that focuses on appropriating login credentials, credit card specifics, browsing records, and even crypto wallet data,” stated Symantec, a subsidiary of Broadcom, in their report. “It’s actively used by multiple groups and individuals worldwide.”

“Upon installation, the malware siphons data from the victim’s machine and dispatches it to a remote server or a Telegram channel managed by the adversaries.”
