Styx Stealer Blows Its Own Cover With Sloppy OpSec Mistake

Published: 23/11/2024   Category: security




An individual in Turkey is behind a new information stealer that researchers have recently observed in multiple attacks.



Security researchers were able to gather valuable information on the creator of a new malware tool called Styx Stealer because of a basic operational security lapse on the part of the threat actor.
The slip-up allowed the researchers, from Check Point Research (CPR), to identify the malware author as an individual operating out of Turkey with connections to the operator of an Agent Tesla campaign. Agent Tesla is one of the oldest and most prolific information stealers still in use. The lapse also allowed the researchers to gather other personal details, including the malware developer's Telegram accounts, contacts, and email addresses, as well as cryptocurrency transfers over a two-month period totaling some $9,500 from purchasers of Styx Stealer and a separate encryption tool.
"During the debugging of Styx Stealer, the developer made a fatal error and leaked data from his computer," CPR researcher Alexey Bukhteyev wrote in a recent blog post. "[This] allowed CPR to obtain a large amount of intelligence, including the number of clients, profit information, nicknames, phone numbers, and email addresses, as well as similar data about the actor behind the Agent Tesla campaign."
Instances of threat actors inadvertently doxing themselves through operational security lapses are somewhat rare, but they keep happening. When they do, security researchers have been quick to capitalize on the errors and harvest as much detail as they can about the threat actors' tactics, techniques, and procedures.
Threat actors regularly abet their own discovery. Last year, Mandiant was able to attribute an attack on enterprise directory-as-a-service provider JumpCloud to North Korea's Lazarus Group after a security oversight exposed the threat actor's actual IP address in North Korea. Similar errors, in that case a failure to clean up properly after a ransomware attack, allowed Secureworks to expose the personas and companies behind the Iranian threat group Cobalt Mirage. In 2021, researchers at IBM's X-Force threat intelligence group scooped up valuable information on Iran's Charming Kitten cyber-espionage group because of multiple operational security failures on the threat actor's part.
CPR researchers got their first clues about Styx Stealer's author while analyzing a malicious file containing Agent Tesla that they recovered from a spam campaign this past March. They found the malware using Telegram's Bot API for data exfiltration and managed to extract the Telegram bot token from it. That token allowed CPR researchers to monitor the threat actor's Telegram bot.
That in turn led to the discovery of a malicious archive containing a document titled "Styx Stealer" and a screenshot showing someone working in Visual Studio on a project named PhemedroneStealer, debugging a process called Styx-Stealer.exe. The program file in the project contained a hard-coded Telegram bot token and chat ID that were identical to what CPR researchers had extracted from the Agent Tesla sample.
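The pivot described above starts with pulling the hard-coded Bot API token and chat ID out of a sample's strings and then querying Telegram's read-only bot endpoints (getMe returns the bot's username, getWebhookInfo shows how the operator receives data). The following is an added example of that extraction step and of building the monitoring URLs; it is not CPR's tooling and not code from Styx Stealer or Agent Tesla, and the page does not say which endpoints CPR used. The sample string table, token and chat ID below are constructed for illustration, and the 8-10 digit / 35 character token shape is a common heuristic rather than a documented Telegram guarantee.

```python
"""Extract Telegram Bot API credentials from a malware sample's strings.

Added example (not Check Point's code, not Styx Stealer / Agent Tesla code).
The token and chat ID below are fake and constructed for this illustration.
"""
import re
from urllib.parse import parse_qs, urlparse

# Bot tokens look like "<numeric bot id>:<35-char secret>". The length bounds
# are a widely used heuristic (assumption), not a documented guarantee.
TOKEN_RE = re.compile(rb"(?<!\d)(\d{8,10}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")

# Bot API calls embed the token in the URL path: /bot<token>/<method>?...
API_RE = re.compile(
    rb"https?://api\.telegram\.org/bot([^/\s\"']+)/([A-Za-z]+)[^\s\"']*"
)

# chat_id may appear as a query parameter or as a separate config string.
CHAT_ID_RE = re.compile(rb"chat_id[=\"':\s]+(-?\d{5,})")

# Constructed stand-in for the decoded string table of a stealer sample.
SAMPLE_STRINGS = b"""
Styx-Stealer.exe
1234567890:AAHf3kL9xQzW2pR7tY4mN8bV1cS6dG0jK5e
https://api.telegram.org/bot1234567890:AAHf3kL9xQzW2pR7tY4mN8bV1cS6dG0jK5e/sendDocument?chat_id=1122334455
chat_id=1122334455
Software\\Microsoft\\Windows\\CurrentVersion\\Run
"""


def _unique(values):
    """Deduplicate while keeping first-seen order (tokens repeat in URLs)."""
    seen = []
    for v in values:
        if v not in seen:
            seen.append(v)
    return seen


def find_bot_tokens(data: bytes) -> list:
    """Return unique candidate bot tokens found anywhere in the strings."""
    return _unique(m.group(1).decode() for m in TOKEN_RE.finditer(data))


def find_chat_ids(data: bytes) -> list:
    """Return unique chat IDs the sample reports to (may be negative for groups)."""
    return _unique(m.group(1).decode() for m in CHAT_ID_RE.finditer(data))


def find_api_calls(data: bytes) -> list:
    """Return the Bot API calls embedded as URLs: token, method and chat_id."""
    calls = []
    for m in API_RE.finditer(data):
        parsed = urlparse(m.group(0).decode())
        query = parse_qs(parsed.query)
        calls.append({
            "token": m.group(1).decode(),
            "method": m.group(2).decode(),
            "chat_id": query.get("chat_id", [None])[0],
        })
    return calls


def bot_id(token: str) -> int:
    """The numeric prefix identifies the bot account independent of its secret."""
    return int(token.split(":", 1)[0])


def monitoring_urls(token: str) -> dict:
    """Read-only Bot API endpoints used to confirm a token is live and see
    how the operator collects data. Calling them touches the attacker's
    infrastructure, so do it only under an authority that covers it."""
    base = f"https://api.telegram.org/bot{token}"
    return {
        "getMe": f"{base}/getMe",                  # bot username / display name
        "getWebhookInfo": f"{base}/getWebhookInfo",  # webhook vs. polling
        "getUpdates": f"{base}/getUpdates",        # pending messages, if polled
    }


if __name__ == "__main__":
    for tok in find_bot_tokens(SAMPLE_STRINGS):
        print("token:", tok, "bot id:", bot_id(tok))
        for name, url in monitoring_urls(tok).items():
            print(f"  {name}: {url}")
    print("chat ids:", find_chat_ids(SAMPLE_STRINGS))
    print("api calls:", find_api_calls(SAMPLE_STRINGS))
```

Two operational caveats when using the URLs: getUpdates returns an error while a webhook is registered for the bot, and when the operator polls the same bot, whichever client calls getUpdates first consumes the pending messages, which both reveals the analyst and starves the analyst of data. getMe and getWebhookInfo are side-effect free and are the safer first check.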
Working from there, the researchers pieced together information that eventually led them to identify Styx Stealer's author as a Turkey-based individual using the handle Sty1x, along with a couple of email addresses and phone numbers. Their analysis showed that Sty1x worked with an individual using the handle @Mack_Sant based in Lagos, Nigeria. Exchanges between the two showed Sty1x using @Mack_Sant to test Styx Stealer's ability to exfiltrate data, first through a Styx Stealer-specific Telegram bot and then through the Agent Tesla bot.
Data that the researchers recovered from the computers of both individuals, and visible in photos of a phone and laptop that @Mack_Sant sent to Sty1x, showed @Mack_Sant to be the operator of the Agent Tesla campaign that CPR investigated in March. "We also see a screenshot of Agent Tesla reports, which fully confirms our suspicion that @Mack_Sant (also known as @Fucosreal) is the owner of this bot and the originator of the Agent Tesla campaign," Bukhteyev wrote.
Styx Stealer itself is an information stealer based on an early version of the code behind Phemedrone Stealer, a malware tool that researchers observed being used in attacks exploiting CVE-2023-36025, a Windows Defender SmartScreen bypass vulnerability patched in November 2023.
The malware steals data from browser extensions in Chromium-based browsers, from cryptocurrency wallets, and from files in the My Documents and Desktop folders. It can also collect location and system data and steal Discord, Telegram, and Steam sessions, CPR said. Like many malware tools, Styx Stealer packs multiple obfuscation and detection-evasion features, including routines that check for and terminate certain processes and that determine whether it might be running in a virtual machine. The malware is designed not to execute in specific countries, including Russia, Ukraine, Kazakhstan, Moldova, Belarus, and Azerbaijan.
"The case of Styx Stealer is a compelling example of how even sophisticated cybercriminal operations can slip up due to basic security oversights," Bukhteyev said.
