In what's a case of an operational security (OPSEC) lapse, the operator behind a new data stealer known as Styx Stealer leaked data from their own computer, including details related to the clients, profit information, nicknames, phone numbers, and email addresses.
Styx Stealer, a derivative of the Phemedrone Stealer, is capable of stealing browser data, instant messenger sessions from Telegram and Discord, and cryptocurrency wallet data, cybersecurity company Check Point said in an analysis. It first emerged in April 2024.
“Styx Stealer is most likely based on the source code of an old version of Phemedrone Stealer, which lacks some features found in newer versions such as sending reports to Telegram, report encryption, and more,” the company noted.
“However, the creator of Styx Stealer added some new features: auto-start, clipboard monitor and crypto-clipper, additional sandbox evasion, and anti-analysis techniques, and re-implemented sending data to Telegram.”
Advertised for $75 a month (or $230 for 3 months or $350 for a lifetime subscription) on a dedicated website (“styxcrypter[.]com”), licenses for the malware require prospective buyers to reach out to a Telegram account (@styxencode). It is linked to a Turkey-based threat actor who goes by the alias STY1X on cybercrime forums.
Check Point said it was able to unearth connections between STY1X and a March 2024 spam campaign distributing Agent Tesla malware that targeted various sectors across China, India, the Philippines, and the U.A.E. The Agent Tesla activity has been attributed to a threat actor named Fucosreal, whose approximate location is in Nigeria.
This was made possible owing to the fact that STY1X debugged the stealer on their own machine using a Telegram bot token provided by Fucosreal. This fatal error allowed the cybersecurity company to identify as many as 54 customers and eight cryptocurrency wallets, likely belonging to STY1X, which are said to have been used to receive the payments.
“This campaign was notable for its use of the Telegram Bot API for data exfiltration, leveraging Telegram’s infrastructure instead of traditional command-and-control (C&C) servers, which are more easily detectable and blockable,” Check Point noted.
“However, this method has a significant flaw: each malware sample must contain a bot token for authentication. Decrypting the malware to extract this token provides access to all data sent via the bot, exposing the recipient account.”
The disclosure comes amid the emergence of new stealer malware strains such as Ailurophile, Banshee Stealer, and QWERTY, even as well-known stealers like RedLine are being used in phishing attacks targeting Vietnamese oil and gas, industrial, electrical and HVAC manufacturers, paint, chemical, and hotel industries.
“RedLine is a well-known stealer that targets login credentials, credit card details, browser history, and even cryptocurrency wallets,” Broadcom-owned Symantec said. “It is actively used by multiple groups and individuals around the world.”
“Once installed, it collects data from the victim’s computer and sends it to a remote server or Telegram channel controlled by the attackers.”