Hacker's Misstep Reveals Styx Stealer's Dark Web Connections
Introduction
On August 16, 2024, Check Point Research (CPR) published a revealing report on Styx Stealer, a new malware variant capable of stealing sensitive data from browsers, instant messaging platforms, and cryptocurrency wallets. Despite its recent appearance, Styx Stealer has already been implicated in attacks targeting CPR’s customers. A critical operational security (OpSec) mistake by the malware's developer exposed a trove of intelligence, including personal data and connections to other cybercriminal activities.
Report Overview
Styx Stealer is rooted in Phemedrone Stealer, a notorious malware that gained prominence in early 2024 after exploiting a Microsoft Windows Defender SmartScreen vulnerability (CVE-2023-36025). While Phemedrone was originally available on GitHub, its removal led to various forks, one of which became Styx Stealer. CPR discovered the malware during an investigation into a spam campaign distributing Agent Tesla malware.
Styx Stealer retains core functions from Phemedrone Stealer, such as stealing saved passwords, cookies, and data from various applications, including Telegram and Discord sessions. The malware also gathers system information and captures screenshots of the victim’s environment. While Styx Stealer shares much of its codebase with Phemedrone, its developer has added features like auto-start, clipboard monitoring, and additional sandbox evasion techniques.
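A defender-side check for the clipboard-hijacking behaviour described above, written as an added example (not code from the CPR report or from the malware): it classifies clipboard contents by wallet-address format and flags a copied address that is rewritten to a different address of the same currency within a short window, which is how a clipper behaves. The clipboard events and the victim's addresses are constructed; the known-wallet set is taken from the report's IOC table.

```python
import re
from typing import List, NamedTuple, Optional

# Format-only patterns (no checksum validation) for the currencies in the report's IOC table.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,33}|bc1[a-z0-9]{25,59})$"),
    "LTC": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{25,59})$"),
    "TRX": re.compile(r"^T[a-km-zA-HJ-NP-Z1-9]{33}$"),
    "XMR": re.compile(r"^[48][a-km-zA-HJ-NP-Z1-9]{94}$"),
}

# Wallets listed in the report's IOC table; a swap *to* one of these is a high-confidence hit.
KNOWN_CLIPPER_WALLETS = {
    "1PbfzBuGwkx5dYJJkCZvhU9pAh3r3TwFvJ",
    "TGqAtvMQXuGCftFDxLRcBwjs6ZGSKStYpa",
}

class ClipEvent(NamedTuple):
    ts: float   # seconds since monitoring started
    text: str   # clipboard contents observed at that moment

class Alert(NamedTuple):
    currency: str
    original: str
    replacement: str
    severity: str  # "high" if the replacement is a known IOC wallet, else "medium"

def classify(text: str) -> Optional[str]:
    """Return the currency whose address format the text matches, or None."""
    s = text.strip()
    return next((cur for cur, pat in ADDRESS_PATTERNS.items() if pat.match(s)), None)

def detect_clipper_swaps(events: List[ClipEvent], window_s: float = 2.0) -> List[Alert]:
    """Flag an address replaced by a different address of the same currency within window_s."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        c_prev, c_cur = classify(prev.text), classify(cur.text)
        if c_prev is None or c_prev != c_cur or prev.text.strip() == cur.text.strip():
            continue
        if cur.ts - prev.ts > window_s:
            continue  # a slow change is more likely the user copying another address
        sev = "high" if cur.text.strip() in KNOWN_CLIPPER_WALLETS else "medium"
        alerts.append(Alert(c_prev, prev.text.strip(), cur.text.strip(), sev))
    return alerts

# Constructed clipboard timeline: victim addresses are made up, replacements come from the IOC table.
SAMPLE_EVENTS = [
    ClipEvent(0.0, "meeting notes"),
    ClipEvent(10.0, "1AbCdEfGhJkMnPqRsTuVwXyZ2345678abc"),  # victim copies own BTC address
    ClipEvent(10.3, "1PbfzBuGwkx5dYJJkCZvhU9pAh3r3TwFvJ"),  # rewritten 300 ms later -> high
    ClipEvent(60.0, "TAbCdEfGhJkMnPqRsTuVwXyZ2345678abc"),  # victim copies own TRON address
    ClipEvent(95.0, "TGqAtvMQXuGCftFDxLRcBwjs6ZGSKStYpa"),  # 35 s later: outside window, no alert
    ClipEvent(120.0, "LAbCdEfGhJkMnPqRsTuVwXyZ2345678abc"),  # victim copies own LTC address
    ClipEvent(120.5, "MAbCdEfGhJkMnPqRsTuVwXyZ2345678abc"),  # unknown replacement -> medium
]
```

On a real endpoint the events would come from a clipboard-format listener, and the clipboard owner process at the time of the rewrite is the pivot for triage.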
A critical OpSec failure occurred when the Styx Stealer developer accidentally leaked sensitive information during the debugging process. This lapse allowed CPR to obtain detailed intelligence, including the developer’s personal data, customer information, and connections to other cybercriminals.
The exposure of this information has significant implications for the cybercriminal ecosystem. The leaked data includes the number of clients, financial details, and contact information for individuals involved in both the Styx Stealer and Agent Tesla campaigns. This breach not only compromised the anonymity of the Styx Stealer developer but also provided valuable insights into the broader network of cybercriminals.
CPR's research reveals that the developer of Styx Stealer, identified as “Sty1x,” was closely linked to a Nigerian threat actor known as “Fucosreal,” who was involved in the Agent Tesla campaign. The connection between these two actors was uncovered through Telegram communications and the shared use of a Telegram bot for data exfiltration. This link further illustrates the interconnected nature of modern cybercrime operations.
Insights and Analysis
The case of Styx Stealer highlights the importance of operational security for cybercriminals. The developer’s OpSec failure not only compromised his identity but also exposed a web of criminal activity spanning multiple countries. For cybersecurity professionals, this incident underscores the need for vigilance and comprehensive protection against emerging threats.
To protect against similar threats, CPR recommends using advanced endpoint protection solutions like Check Point Harmony Endpoint, which provides comprehensive coverage against a wide range of attack tactics. Organizations should also ensure their cybersecurity measures are up to date to defend against the evolving tactics employed by cybercriminals.
Styx Stealer serves as a reminder of the risks associated with even minor security lapses in the world of cybercrime. The intelligence gained from this incident not only disrupted an active malware campaign but also provided crucial insights into the operations of some of the latest threat actors on the dark web.
Indicators of Compromise (IOC)
Indicator | Type | Description |
---|---|---|
1PbfzBuGwkx5dYJJkCZvhU9pAh3r3TwFvJ | Bitcoin Wallet | Bitcoin wallet associated with Styx Stealer payments. |
3JRQtHrHATv65zAaSiz4juX741GhueiFBs | Bitcoin Wallet | Another Bitcoin wallet linked to Styx Stealer transactions. |
LfAqkNxzhEcv43Ts9kPs4CYGa2dcMSKxnY | Litecoin Wallet | Litecoin wallet used for receiving payments by Styx Stealer seller. |
TGqAtvMQXuGCftFDxLRcBwjs6ZGSKStYpa | TRON Wallet | TRON wallet related to Styx Stealer sales. |
TEzvzb7HANUPY7mVhruoSfxJ8S7mHDTAPX | TRON Wallet | TRON wallet identified in Styx Stealer's transactions. |
TGqAtvMQXuGCftFDxLRcBwjs6ZGSKStYpa | TRON Wallet | TRON wallet associated with Styx Stealer's crypto-clipping activities. |
46NJXqcrDYAhmSmpzRqaV9BqMKcCzuTMzH4dKqUyZSGx7w9hLULnmsTFeJo44Zgg2TUgrFoV97wJwUpvgQ6NYkNV8k7cRuW | Monero Wallet | Monero wallet linked to Styx Stealer financial operations. |
styxcrypter[.]com | Domain | Domain used to market and distribute Styx Stealer. |
@styxencode | Telegram Account | Telegram account used by the Styx Stealer developer for transactions. |
POlist.exe | File | Malicious loader file used to deliver Styx Stealer. |
http://playerenterprises[.]org/Documental/uploads/661f19607b27c.txt | URL | URL used to download Styx Stealer payload. |
MITRE ATT&CK Mapping
Tactic | Technique | ID | Description |
---|---|---|---|
Initial Access | Phishing | T1566 | Attackers used phishing emails to distribute Agent Tesla and Styx Stealer. |
Execution | User Execution | T1204 | Styx Stealer requires the victim to execute a malicious file (e.g., POlist.exe). |
Persistence | Boot or Logon Autostart Execution | T1547.001 | Styx Stealer sets itself to auto-start via a registry key to ensure persistence. |
Credential Access | Credential Dumping | T1003 | Stealing credentials stored in browsers and applications like Telegram and Discord. |
Defense Evasion | Obfuscated Files or Information | T1027 | Styx Stealer uses obfuscation to avoid detection and analysis. |
Defense Evasion | Virtualization/Sandbox Evasion | T1497 | Styx Stealer checks for virtualized environments and sandboxes to avoid execution. |
Collection | Clipboard Data | T1115 | Styx Stealer monitors the clipboard for cryptocurrency addresses to replace with attacker's. |
Command and Control | Exfiltration Over Web Service | T1071.001 | Styx Stealer exfiltrates data via Telegram. |
Exfiltration | Exfiltration Over Alternative Protocol | T1048 | Data is exfiltrated using non-standard protocols, such as Telegram Bot API. |