
Unmasking Styx Stealer: How a Hacker’s Slip Led to an Intelligence Treasure Trove and their Big Reveal

Key Takeaways

In the shadowy world of cybercrime, even the most cunning hackers can make blunders that expose their operations. CPR’s recent discovery of Styx Stealer, a new malware variant derived from the notorious Phemedrone Stealer, highlights this reality. The investigation revealed critical missteps by its developer, including a significant operational security (OpSec) lapse that leaked sensitive information from his own computer.

The Emergence of Styx Stealer

Styx Stealer is derived from Phemedrone Stealer, notorious for exploiting the CVE-2023-36025 vulnerability in Microsoft Windows Defender SmartScreen.

While it inherits Phemedrone’s core functions, such as stealing saved passwords, cookies, and auto-fill data from browsers, cryptocurrency wallet data, and instant messenger sessions, Styx Stealer also adds capabilities: a persistence mechanism, a clipboard monitor and crypto-clipper, additional sandbox evasion, and anti-analysis techniques. The crypto-clipper lets Styx Stealer steal cryptocurrency during a transaction by substituting the wallet address the victim copied to the clipboard with the attacker’s wallet address. The persistence mechanism keeps the malware active on the victim’s system across reboots, so the crypto-clipper runs continuously and the chance of a successful theft increases.
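Detection logic for the clipboard substitution described above, added here as an example (it is not code from the original page or from Styx Stealer): it classifies clipboard contents by chain and flags a wallet address that is replaced by a different address of the same chain within a short window, which is the footprint a clipper leaves and a human almost never produces. The address patterns, the two-second window and the clipboard history are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Address syntax for a few chains a clipper commonly targets. This is an assumption
# made for the example, not the chain list Styx Stealer actually uses.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[02-9ac-hj-np-z]{11,71})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "ltc": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[02-9ac-hj-np-z]{11,71})$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the chain whose address syntax matches the clipboard text, else None."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None


@dataclass
class ClipEvent:
    ts: float      # seconds, taken when the clipboard content changed
    content: str   # the new clipboard text


def detect_clipper_swaps(events: List[ClipEvent], window: float = 2.0) -> List[dict]:
    """Flag clipboard changes that look like a crypto-clipper at work.

    A clipper waits for the user to copy a wallet address and immediately
    overwrites it with the attacker's address for the same chain. Two different
    addresses of the same chain arriving within `window` seconds is the signal.
    """
    alerts = []
    for prev, cur in zip(events, events[1:]):
        prev_chain = classify_address(prev.content)
        cur_chain = classify_address(cur.content)
        same_chain = prev_chain is not None and prev_chain == cur_chain
        if same_chain and prev.content != cur.content and 0 <= cur.ts - prev.ts <= window:
            alerts.append({
                "chain": prev_chain,
                "original": prev.content,
                "replacement": cur.content,
                "delay_s": round(cur.ts - prev.ts, 3),
            })
    return alerts


# Constructed clipboard history for the example. The addresses are syntactically
# valid but made up; none belongs to a real wallet.
SAMPLE_EVENTS = [
    ClipEvent(100.0, "invoice 4471 due friday"),
    ClipEvent(130.0, "1AbcDEfGhJkLmNpQrStUvWxYz23456789a"),           # user copies a BTC address
    ClipEvent(130.4, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),   # swapped 0.4 s later
    ClipEvent(200.0, "0x" + "ab" * 20),                                # user copies an ETH address
    ClipEvent(260.0, "0x" + "cd" * 20),                                # another ETH address a minute later: normal
    ClipEvent(300.0, "meeting notes"),
]


if __name__ == "__main__":
    for alert in detect_clipper_swaps(SAMPLE_EVENTS):
        print(f"[{alert['chain']}] {alert['original']} -> {alert['replacement']} "
              f"after {alert['delay_s']} s")
```

On a live host the event list would be fed by a clipboard-change hook (for example a Windows clipboard format listener); the detector itself only needs timestamps and contents, so the same logic can be run over clipboard telemetry collected by an EDR agent. A legitimate copy of two addresses of the same chain inside the window is the expected false positive and is rare enough to be worth an alert.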

While Phemedrone Stealer is open-source and free, Styx Stealer is sold via subscription. Subscriptions range from $75 monthly to $350 for a lifetime license, with transactions handled through the Telegram account @Styxencode.

Figure 1 – Styx Stealer pricing from the styxcrypter[.]com website.

Agent Tesla Campaign and OpSec Failure

Agent Tesla malware is an advanced remote access Trojan (RAT) specializing in the theft of sensitive information from infected machines.

In March 2024, we identified a spam campaign distributing Agent Tesla malware that used the Telegram Bot API for data exfiltration. Monitoring the Telegram bot used by this Agent Tesla sample showed that the attacker primarily targeted representatives of Chinese companies: the victim IP addresses and email addresses seen through the bot pointed to a Chinese origin.

CPR also identified affected companies in India, the UAE, and the Philippines. The victims span multiple business sectors, including:

Extracting the Telegram Bot token from the malware led us to the Telegram bot, created by the user ‘Fucosreal’. During our monitoring of this bot, we intercepted an unusual document resembling Phemedrone Stealer but labeled as “Styx Stealer.” This document included a screenshot of the Visual Studio IDE with the project “PhemedroneStealer,” containing a Telegram Bot token and chat ID matching the Agent Tesla sample.

Figure 2 – A screenshot of the Styx Stealer developer’s desktop during debugging.

It became clear that this leak occurred from the computer of the Styx Stealer developer, also known as Sty1x. Using the data from the leak, we discovered two Telegram accounts used by the developer (@styxencode, @cobrasupports), his email addresses, phone numbers, his approximate location in Turkey and movements over a certain period. This also revealed Sty1x’s communication with customers and other cybercriminals, including Fucosreal.

Figure 3 – Accounts and nicknames of the Styx Stealer developer and the Agent Tesla threat actor.

We identified a total of 54 customers and 8 cryptocurrency wallets, presumably belonging to Sty1x, that were used to receive payments. The total amount received was about US$9,500 in only the two months following the start of Styx Stealer sales.

From Sty1x’s correspondence, we learned that Fucosreal, using another Telegram account @Mack_Sant, provided the developer with a Telegram bot token to integrate into Styx Stealer for stolen data exfiltration through Telegram.

Connecting the Dots

Debugging and testing the malware on their own devices led to data leaks first from the Styx Stealer developer’s computer and then from Fucosreal’s system.

CPR connected the dots through straightforward investigative work. On March 26, 2024, Fucosreal launched a spam campaign using Agent Tesla to target victims worldwide, including our customers. That Agent Tesla sample sparked our research: by decrypting it, we extracted the Telegram bot token (for @joemmBot) used for data exfiltration, which allowed us to monitor the bot and collect information about the victims. On April 11, Sty1x and Fucosreal discussed adding a Telegram data-sending function to Styx Stealer, although we were unaware of this at the time; the same day, Sty1x created a new bot (@kralboting_bot) to test the Telegram Bot API in Styx Stealer. By April 14, Fucosreal had given Sty1x the @joemmBot token for use in Styx Stealer. Later that day, at 17:01, our monitoring paid off: we intercepted an archive containing data from a Styx Stealer debug run on Sty1x’s computer, revealing, among other things, his approximate location in Turkey and the token of the second bot (@kralboting_bot).

Following the discovery of the second bot token, we intensified our monitoring. Sty1x compiled a new Styx Stealer sample using the @kralboting_bot token and sent it to Fucosreal, who ran it on his own computer. On April 16 at 16:10, we intercepted another archive, this time containing data from Fucosreal’s PC. It revealed his approximate location in Nigeria, his email addresses, and other intelligence that further aided his de-anonymization.

Finally, on April 17, 2024, Fucosreal launched another spam campaign using the Styx Stealer sample with the @joemmBot token previously used in the Agent Tesla campaign.

Figure 4 – Timeline of operations for the Styx Stealer developer and the Agent Tesla threat actor.

By the morning of April 17, our telemetry had detected an attack using this build of Styx Stealer. Fortunately, the campaign failed completely: we found no real victims among our company’s customers or other users.

Conclusion and recommendations

This campaign was notable for its use of the Telegram Bot API for data exfiltration, leveraging Telegram’s infrastructure instead of traditional command-and-control (C&C) servers, which are easier to detect and block. However, this method has a significant flaw: every malware sample must embed the bot token that authenticates it to the API. An analyst who decrypts a sample and recovers that token can use it against the Bot API and gains access to the data sent via the bot, exposing the recipient account.
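The token-recovery step described above, as an added example that is not from the original report or from CPR’s tooling: it pulls a bot token out of a decrypted strings dump, builds the Bot API URLs an analyst would call with it, and summarizes a getUpdates response to enumerate the chats, senders and files that pass through the bot. The strings dump, token, chat IDs, usernames and file names are constructed for the example; the token regex is an assumption based on the common token shape (numeric bot ID, colon, alphanumeric secret) and is deliberately loose on the secret length.

```python
import json
import re
from typing import Dict, List

# Shape of a Telegram bot token: "<numeric bot id>:<secret>". The 8-10 digit id is
# an assumption drawn from commonly observed tokens; the secret length is left
# open-ended rather than pinned to a value the API does not document.
TOKEN_RE = re.compile(r"(?<![0-9:])(\d{8,10}:[A-Za-z0-9_-]{30,})(?![A-Za-z0-9_-])")
API = "https://api.telegram.org/bot{token}/{method}"


def extract_bot_tokens(blob: str) -> List[str]:
    """Return every distinct bot token found in a decrypted config or strings dump."""
    return sorted(set(TOKEN_RE.findall(blob)))


def api_url(token: str, method: str) -> str:
    """Bot API endpoint for a method, e.g. getMe (bot identity) or getUpdates (queue)."""
    return API.format(token=token, method=method)


def get_file_url(token: str, file_id: str) -> str:
    """getFile resolves a file_id to a file_path that is then fetched from
    https://api.telegram.org/file/bot<token>/<file_path>."""
    return api_url(token, "getFile") + f"?file_id={file_id}"


def summarize_updates(payload: Dict) -> Dict:
    """Walk a getUpdates response: who talks to the bot and which documents it carried."""
    if not payload.get("ok"):
        raise ValueError(f"Bot API error: {payload.get('description', 'unknown')}")
    chats: Dict[int, str] = {}
    senders: Dict[int, str] = {}
    files: List[Dict] = []
    last_update_id = None
    for update in payload["result"]:
        last_update_id = update["update_id"]
        msg = update.get("message") or update.get("channel_post") or {}
        chat = msg.get("chat", {})
        if chat:
            chats[chat["id"]] = chat.get("type", "")
        sender = msg.get("from", {})
        if sender:
            senders[sender["id"]] = sender.get("username", "")
        doc = msg.get("document")
        if doc:
            files.append({"chat_id": chat.get("id"), "file_id": doc["file_id"],
                          "name": doc.get("file_name"), "size": doc.get("file_size")})
    # Passing next_offset back to getUpdates confirms (and discards) these updates,
    # so an analyst who wants to keep observing should poll without an offset.
    next_offset = last_update_id + 1 if last_update_id is not None else None
    return {"chats": chats, "senders": senders, "files": files, "next_offset": next_offset}


# Constructed strings dump, as one might obtain after decrypting a sample's
# configuration. The token and chat id are made up for this example.
SAMPLE_DUMP = (
    "Exfil:Telegram\x00"
    "https://api.telegram.org/bot1234567890:AAFv9Zq1aBcDeFgHiJkLmNoPqRsTuVwXyZ0/sendDocument\x00"
    "token=1234567890:AAFv9Zq1aBcDeFgHiJkLmNoPqRsTuVwXyZ0\x00"
    "chat_id=5551234567\x00"
)

# Constructed getUpdates response (all ids, usernames and file names are made up).
SAMPLE_UPDATES = json.loads("""
{"ok": true, "result": [
  {"update_id": 7001, "message": {"message_id": 41, "date": 1713106800,
     "chat": {"id": 5551234567, "type": "private"},
     "from": {"id": 5551234567, "is_bot": false, "username": "operator_constructed"},
     "text": "/start"}},
  {"update_id": 7002, "message": {"message_id": 42, "date": 1713106900,
     "chat": {"id": -1001234567890, "type": "supergroup", "title": "logs (constructed)"},
     "from": {"id": 5559876543, "is_bot": false, "username": "customer_constructed"},
     "document": {"file_id": "BQACAgIAAxkBAAICconstructedFileId",
                  "file_name": "DESKTOP-TEST.zip", "file_size": 20480}}}
]}
""")


if __name__ == "__main__":
    for token in extract_bot_tokens(SAMPLE_DUMP):
        print("token:", token)
        print("identity:", api_url(token, "getMe"))
        print("queue:   ", api_url(token, "getUpdates"))
        summary = summarize_updates(SAMPLE_UPDATES)
        print("chats:", summary["chats"], "senders:", summary["senders"])
        for f in summary["files"]:
            print("fetch:", f["name"], "->", get_file_url(token, f["file_id"]))
```

Two caveats when using a recovered token for real: getUpdates returns HTTP 409 if the bot has a webhook registered, and updates remain in the queue only until someone confirms them with a higher offset, so polling with the same token competes with the operator’s own client and whoever confirms first removes the messages for everyone else.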

Our discovery of Styx Stealer and the intelligence gleaned from the developer’s operational security lapse underscores the importance of vigilance in cyber security. The case of Styx Stealer is a compelling example of how cybercriminal operations can slip up due to basic security oversights. The creator of Styx Stealer revealed his personal details, including Telegram accounts, emails, and contacts. This critical OpSec failure not only compromised his anonymity but also provided valuable intelligence about other cybercriminals, including the originator of the Agent Tesla campaign.

Engaging in cybercriminal activities makes it extremely challenging to remain completely hidden. Constant surveillance of the cybercriminal community means that the slightest mistake can lead to the de-anonymization and exposure of not only the individuals involved but also their associates, as demonstrated in this case. Even if these criminals are not arrested after being exposed, they will be fully aware that their activities will be under close watch. Continuing their criminal actions only strengthens the evidence against them. In the past, some criminals have ceased their operations after our reports.

To mitigate the risks of being affected by such threats, it is essential to:

Protections

Check Point customers remain protected against the threats described in this research.

Check Point Threat Emulation and Harmony Endpoint provide comprehensive coverage of attack tactics, file-types, and operating systems and protect against the type of attacks and threats described in this report.

For the full technical report, which follows the investigation step by step, see the detailed article on the CPR blog.
