In what is a case of an operational security (OPSEC) lapse, the operator behind a new information stealer called Styx Stealer leaked data from their own computer, including details related to the clients, profit information, nicknames, phone numbers, and email addresses.
Styx Stealer, a derivative of the Phemedrone Stealer, is capable of stealing browser data, instant messenger sessions from Telegram and Discord, and cryptocurrency wallet information, cybersecurity company Check Point said in an analysis. It first emerged in April 2024.
“Styx Stealer is most likely based on the source code of an old version of Phemedrone Stealer, which lacks some features found in newer versions such as sending reports to Telegram, report encryption, and more,” the company noted.
“However, the author of Styx Stealer added some new features: auto-start, clipboard monitor and crypto-clipper, additional sandbox evasion, and anti-analysis techniques, and re-implemented sending data to Telegram.”
Advertised for $75 a month (or $230 for three months or $350 for a lifetime subscription) on a dedicated website (“styxcrypter[.]com”), licenses for the malware require prospective buyers to reach out to a Telegram account (@styxencode). It is linked to a Turkey-based threat actor who goes by the alias STY1X on cybercrime forums.
Check Point said it was able to unearth connections between STY1X and a March 2024 spam campaign distributing Agent Tesla malware that targeted various sectors across China, India, the Philippines, and the U.A.E. The Agent Tesla activity has been attributed to a threat actor named Fucosreal, whose approximate location is in Nigeria.
This was made possible owing to the fact that STY1X debugged the stealer on their own machine using a Telegram bot token provided by Fucosreal. This fatal error allowed the cybersecurity company to identify as many as 54 customers and eight cryptocurrency wallets, likely belonging to STY1X, which are said to have been used to receive the payments.
“This campaign was notable for its use of the Telegram Bot API for data exfiltration, leveraging Telegram’s infrastructure instead of traditional command-and-control (C&C) servers, which are more easily detectable and blockable,” Check Point noted.
“However, this method has a significant flaw: each malware sample must contain a bot token for authentication. Decrypting the malware to extract this token provides access to all data sent via the bot, exposing the recipient account.”
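The detection angle of the flaw Check Point describes, as an added example that is not part of the report: because every sample must embed a bot token and every upload goes to api.telegram.org/bot&lt;token&gt;/&lt;method&gt;, a defender can both spot the token shape in a decoded sample and flag the exfiltration call in proxy logs. The token format (numeric bot id, colon, 35-character secret) follows the public Telegram Bot API documentation; the sample strings, token and log lines below are constructed for illustration.

```python
import re

# Token shape from the public Telegram Bot API docs: "<numeric bot id>:<secret>".
TOKEN_PATTERN = r"\d{8,10}:[A-Za-z0-9_-]{35}"
TOKEN_RE = re.compile(rf"(?<!\d)({TOKEN_PATTERN})(?![A-Za-z0-9_-])")
# Bot API calls are made to https://api.telegram.org/bot<token>/<method>.
BOT_API_RE = re.compile(rf"https?://api\.telegram\.org/bot({TOKEN_PATTERN})/(\w+)")
# Methods a stealer would use to push harvested data to its operator's chat.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}

def find_bot_tokens(text):
    """Distinct bot-token shaped strings in decoded sample text (config, strings dump)."""
    return sorted({m.group(1) for m in TOKEN_RE.finditer(text)})

def redact_token(token):
    """Keep the numeric bot id (useful for correlating samples) but hide the secret."""
    bot_id, _, _secret = token.partition(":")
    return f"{bot_id}:<redacted>"

def flag_exfil_lines(log_lines):
    """(line_no, redacted token, method) for proxy lines hitting a Bot API exfil method."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = BOT_API_RE.search(line)
        if m and m.group(2) in EXFIL_METHODS:
            hits.append((n, redact_token(m.group(1)), m.group(2)))
    return hits

# Constructed token for this example (not a real credential): 24 + 11 = 35-char secret.
SAMPLE_TOKEN = "123456789:" + "AAFconstructedTOKENvalue" + "X" * 11
# Constructed strings as they might look after decrypting a stealer's config.
SAMPLE_STRINGS = (
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    f"https://api.telegram.org/bot{SAMPLE_TOKEN}/sendDocument\n"
    "chat_id=987654321\n"
)
# Constructed proxy log lines; only the first is an exfiltration call.
SAMPLE_LOG = [
    f"10.0.0.5 POST https://api.telegram.org/bot{SAMPLE_TOKEN}/sendDocument 200",
    "10.0.0.7 GET https://api.telegram.org/bot123/getMe 404",
    "10.0.0.9 GET https://example.com/ 200",
]

if __name__ == "__main__":
    print("tokens:", [redact_token(t) for t in find_bot_tokens(SAMPLE_STRINGS)])
    print("exfil hits:", flag_exfil_lines(SAMPLE_LOG))
```

The bot id survives redaction so that samples sharing one operator account can be grouped without the secret being copied into tickets or reports.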
The disclosure comes amid the emergence of new stealer malware strains such as Ailurophile, Banshee Stealer, and QWERTY, even as well-known stealers like RedLine are being used in phishing attacks targeting Vietnamese oil and gas, industrial, electrical and HVAC manufacturers, paint, chemical, and hotel industries.
“RedLine is a well-known stealer that targets login credentials, credit card details, browser history, and even cryptocurrency wallets,” Broadcom-owned Symantec said. “It is actively used by multiple groups and individuals around the world.”
“Once installed, it collects data from the victim’s computer and sends it to a remote server or Telegram channel controlled by the attackers.”