Check Point researchers traced the path from Agent Tesla to the Sty1x hacker.
Check Point has discovered a serious operational security flaw in a new Styx Stealer malware that has allowed researchers to track down and expose its author. The company claims that the developer infected their own computer. It was thanks to this that the stealer was able to be linked to a Turkish hacker known under the pseudonym Sty1x.
The Styx Stealer is a modified version of the Phemedrone Stealer malware, which became widely known in early 2024 after exploiting the CVE-2023-36025 vulnerability in Microsoft Windows Defender SmartScreen. The new malware inherited Phemedrone's core features, including stealing passwords, cookies, and autofill data from browsers, as well as information from cryptocurrency wallets.
Check Point discovered that the Styx Stealer is being sold by subscription on the styxcrypter[.]com website: $75 for a monthly license, $230 for three months, and $350 for a lifetime subscription. Buyers are invited to contact the seller through the @styxencode Telegram account.
While debugging the malware, Sty1x accidentally uploaded an archive with data from his computer to a Telegram bot that was used in a campaign to distribute another malware, Agent Tesla. This archive contained a screenshot of the developer's desktop with an open Visual Studio project called "PhemedroneStealer" and the Styx-Stealer.exe debugging process. The screenshot also showed a Program.cs file with a hard-coded Telegram bot token and chat ID, which matched the data extracted from the Agent Tesla sample.
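The pivot described above, matching the hard-coded bot token and chat ID against another sample, can be automated over the strings extracted from binaries. The following is an added example, not Check Point's tooling; the token regex is based on the public Telegram bot token format, and the sample string dumps and indicator values are constructed placeholders.

```python
import re
from collections import defaultdict

# Telegram bot tokens look like <numeric bot id>:<35-char secret>; the
# pattern below is an assumption based on the public token format, and
# the chat_id pattern matches the query parameter used by the Bot API.
TOKEN_RE = re.compile(r"(?<![0-9])(\d{8,10}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
CHAT_ID_RE = re.compile(r"chat_id\s*[=:]\s*\"?(-?\d{6,15})")

# Constructed "strings" output from three hypothetical binaries; the
# token and chat ID values are placeholders, not real indicators.
SHARED_TOKEN = "1234567890:" + "A" * 35
SAMPLES = {
    "styx_stealer_debug.exe":
        f"https://api.telegram.org/bot{SHARED_TOKEN}/sendDocument?chat_id=987654321",
    "agent_tesla_sample.exe":
        f"https://api.telegram.org/bot{SHARED_TOKEN}/sendMessage chat_id=987654321",
    "unrelated_sample.exe":
        "https://api.telegram.org/bot" + "9876543210:" + "B" * 35 + "/sendDocument",
}


def extract_telegram_ids(strings: str) -> dict:
    """Return bot tokens and chat IDs embedded in a sample's string dump."""
    return {
        "tokens": set(TOKEN_RE.findall(strings)),
        "chat_ids": set(CHAT_ID_RE.findall(strings)),
    }


def pivot_by_token(samples: dict) -> dict:
    """Group samples that share a bot token; a shared token ties builds
    to the same operator-controlled Telegram bot."""
    by_token = defaultdict(set)
    for name, strings in samples.items():
        for token in extract_telegram_ids(strings)["tokens"]:
            by_token[token].add(name)
    return {t: sorted(n) for t, n in by_token.items() if len(n) > 1}


if __name__ == "__main__":
    for token, names in pivot_by_token(SAMPLES).items():
        print(f"{token[:14]}... shared by {', '.join(names)}")
```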
By analyzing the data, Check Point researchers were able to establish that the creator of the Styx Stealer uses two Telegram accounts: @styxencode and @cobrasupports. They also determined that the developer was located in Turkey by tracking his movements around the country based on account login data.
Further investigation revealed a connection between the creator of the Styx Stealer and a Nigerian cybercriminal with the nickname Fucosreal (also using the pseudonym @Mack_Sant). It was Fucosreal who provided the token of the Telegram bot that Sty1x used to debug his software.
Check Point managed to reconstruct the chain of events: Sty1x added a feature to send data via Telegram and tested it on his own bot. He then convinced @Mack_Sant to run the same stealer build on his computer. After that, Sty1x inserted the token of the @joemmBot bot sent by @Mack_Sant into the program.
Sty1x is likely involved in other cybercriminal activities as well. Analysts found evidence that he used the open-source Umbral stealer and may have been associated with the group of the same name.
In the two months from April 18, 2024, the creator of the Styx Stealer received about $9,500 from the sale of his product. Check Point has identified 54 customers and 8 cryptocurrency wallets allegedly owned by Sty1x. As technical analysis has shown, the Styx Stealer is based on an earlier version of the Phemedrone Stealer that was released before September 2023. However, new features have been added to it, such as clipboard monitoring, cryptojacking, and autoplay. It includes additional detection evasion techniques, including checking for processes related to debuggers and analytics software, as well as detecting virtual machines and sandboxes.
Source