In a case of operational security (OPSEC) failure, the operator behind a new info-stealer called Styx Stealer disclosed data from his own computer, including customer details, profit information, nicknames, phone numbers and email addresses.
Styx Stealer and Why It Was a Failure for the Operator Behind It
Styx Stealer, a derivative of the Phemedrone Stealer, first emerged in April 2024. According to an analysis by cybersecurity firm Check Point, it is capable of stealing data from your browser, instant messaging sessions from Telegram and Discord, and information about cryptocurrency wallets.
“Styx Stealer is most likely based on the source code of an older version of Phemedrone Stealer, which lacks some features present in newer versions, like sending reports to Telegram, encrypting reports and more,” the company observed, adding: “However, the creator of Styx Stealer has added some new features: auto-launch, clipboard monitoring and crypto-clipper, additional sandbox evasion and anti-analysis techniques, and re-implemented sending data to Telegram.”
Advertised at $75 per month (or $230 for three months or $350 for a lifetime subscription) on a dedicated website (“styxcrypter[.]com”), the malware licenses require potential buyers to contact a Telegram account (@styxencode); it is linked to a cybercriminal (or group of cybercriminals) based in Turkey who goes by the name STY1X on cybercrime forums.
How the Styx Stealer Campaign Began and Cybercriminals’ Mistake
Check Point said it was able to discover links between STY1X and a March 2024 spam campaign that distributed the Agent Tesla malware and targeted various sectors in China, India, the Philippines and the United Arab Emirates; that Agent Tesla activity has been attributed to a cybercriminal called Fucosreal, whose approximate location is in Nigeria.
This was made possible by STY1X debugging the stealer on his own machine using a Telegram bot token provided by Fucosreal; this fatal error allowed cybersecurity firm Check Point to identify as many as 54 customers and 8 cryptocurrency wallets likely belonging to STY1X, which are believed to have been used to receive payments.
“This campaign was notable for its use of Telegram’s Bot API for data exfiltration, leveraging Telegram’s infrastructure instead of traditional command and control (C&C) servers, which are more easily detectable and blocked,” noted Check Point, which then said: “However, this method has a significant flaw: each malware sample must contain a bot token for authentication. Decrypting the malware to extract this token provides access to all data sent via the bot, exposing the recipient account.”
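The weakness Check Point describes cuts both ways for defenders: because the bot token must travel inside every sample and appear in every exfiltration URL, it is a stable, high-confidence indicator. The following script is an added example (not code from the page, from Check Point, or from the malware) that does two defensive things: it scans the printable strings of a sample for Telegram-bot-token-shaped values, and it runs a detection over egress-proxy log lines to flag requests to api.telegram.org whose path carries a bot token and calls a data-sending method. The proxy log format, the sample strings and both tokens are constructed for the example; the token pattern (numeric bot id, colon, 35-character secret) is an assumption based on the documented Bot API token format, and the severity weights per method are the author's own choice.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Shape of a Telegram Bot API token: <numeric bot id>:<35-char secret>.
# Assumption based on the documented token format, not on Styx samples.
TOKEN_RE = re.compile(r"(?<!\d)(\d{8,10}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")

# Real Bot API method names; the severity weights are this example's choice
# (file uploads are the strongest signal of bulk data leaving the host).
EXFIL_METHODS = {"sendDocument": "high", "sendMessage": "medium", "sendPhoto": "medium"}

# Constructed fake tokens (built so the secret part is exactly 35 chars).
FAKE_TOKEN_A = "1234567890:" + "AAExampleSecretPart" + "X" * 16
FAKE_TOKEN_B = "9876543210:" + "BBExampleSecretPart" + "Y" * 16

# Constructed egress-proxy log: <ts> host=<name> <method> <url> <status> <bytes>
SAMPLE_PROXY_LOG = f"""\
2024-04-02T10:15:01Z host=WS-17 POST https://api.telegram.org/bot{FAKE_TOKEN_A}/sendDocument 200 143221
2024-04-02T10:15:05Z host=WS-17 GET https://www.example.com/index.html 200 5120
2024-04-02T10:15:09Z host=WS-22 POST https://api.telegram.org/bot{FAKE_TOKEN_B}/sendMessage 200 312
2024-04-02T10:15:12Z host=WS-22 GET https://api.telegram.org/ 200 100
"""

# Constructed stand-in for the printable strings of a sample or memory dump.
SAMPLE_STRINGS = (
    "C:\\Users\\victim\\AppData\\Local\x00" + FAKE_TOKEN_A + "\x00api.telegram.org\x00"
)


def redact_token(token: str) -> str:
    """Keep the bot id plus a 4-char prefix for correlation; the report must
    not itself carry a usable credential."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}...REDACTED"


def find_bot_tokens(text: str) -> list:
    """Return every token-shaped string in text (e.g. `strings` output)."""
    return [f"{m.group(1)}:{m.group(2)}" for m in TOKEN_RE.finditer(text)]


def parse_proxy_line(line: str) -> Optional[dict]:
    """Parse one line of the constructed proxy log format; None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, host, method, url, status, size = parts
    return {"ts": ts, "host": host.split("=", 1)[1], "method": method,
            "url": url, "status": int(status), "bytes": int(size)}


def detect_telegram_exfil(log_text: str) -> list:
    """Flag requests to api.telegram.org whose path embeds a bot token and
    names a Bot API method; the token is redacted in the alert."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        u = urlsplit(rec["url"])
        if u.hostname != "api.telegram.org":
            continue
        m = re.match(r"/bot([^/]+)/(\w+)", u.path)
        if not m or not TOKEN_RE.fullmatch(m.group(1)):
            continue
        token, api_method = m.group(1), m.group(2)
        alerts.append({
            "ts": rec["ts"], "host": rec["host"],
            "bot_id": token.split(":")[0], "token": redact_token(token),
            "api_method": api_method,
            "severity": EXFIL_METHODS.get(api_method, "low"),
            "bytes_out": rec["bytes"],
        })
    return alerts


if __name__ == "__main__":
    for tok in find_bot_tokens(SAMPLE_STRINGS):
        print("token-shaped string in sample:", redact_token(tok))
    for a in detect_telegram_exfil(SAMPLE_PROXY_LOG):
        print(f"[{a['severity']}] {a['ts']} {a['host']} bot {a['bot_id']} "
              f"{a['api_method']} {a['bytes_out']} bytes")
```

In practice the bot id recovered from the proxy alert and the one recovered from the sample's strings should match, which lets an incident responder tie network telemetry to a specific build without ever handling the secret in clear; the same bot id is also what lets analysts cluster samples from one operator, which is exactly how a shared token exposed the link between STY1X and the Agent Tesla campaign.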
Not just Styx Stealer: other cyber threats are lurking
The disclosure comes amid the emergence of new stealer malware variants such as Ailurophile, Banshee Stealer and QWERTY, while well-known stealers like RedLine are used in phishing attacks targeting Vietnam’s oil and gas, industrial, electrical, and HVAC industries, as well as paint, chemical, and hotel manufacturers.
“RedLine is a well-known info-stealer that targets login credentials, credit card details, browser history and even cryptocurrency wallets,” said Symantec, owned by Broadcom. “It is actively used by multiple groups and individuals around the world.”
Symantec concluded: “Once installed, it collects data from the victim’s computer and sends it to a remote server or Telegram channel controlled by the attackers.”
Curiosity: Origin of the stealer’s name
The name “Styx Stealer” refers to the River Styx, which in Greek mythology separates the world of the living from the world of the dead; the River Styx was considered a symbol of inviolability and sacredness, and those who crossed it could never turn back.
This name was probably chosen to suggest the idea that the data stolen by Styx Stealer is “lost” forever once in the hands of attackers, as well as to evoke the sense of danger and irreversibility associated with the malware itself.