
Styx stealer creator’s OPSEC flaw reveals customer list and profit details

21 August 2024 | Ravie Lakshmanan | Cyber Espionage / Threat Intelligence

In a case of an operational security (OPSEC) lapse, the operator of a new information stealer called Styx Stealer leaked data from his own computer, including customer details, profit information, nicknames, phone numbers and email addresses.

Styx Stealer, a derivative of the Phemedrone Stealer, can steal browser data, Telegram and Discord instant messaging sessions, and cryptocurrency wallet information, cybersecurity firm Check Point said in an analysis. The malware first appeared in April 2024.

“Styx Stealer is most likely based on the source code of an old version of Phemedrone Stealer, which lacks some features of newer versions, such as sending reports to Telegram, report encryption, and more,” the company noted.


“However, the developer of Styx Stealer has added some new features: autostart, clipboard monitor and crypto clipper, additional sandbox bypass and anti-analysis techniques, and has reimplemented sending data to Telegram.”

Offered for $75 per month (or $230 for three months or $350 for a lifetime subscription) on a dedicated website (“styxcrypter[.]com”), the malware requires prospective buyers to set up a Telegram account (@styxencode) to license it. The account is linked to a threat actor from Turkey who appears in cybercrime forums under the pseudonym STY1X.

Check Point stated that it was able to uncover links between STY1X and a March 2024 spam campaign that distributed the “Agent Tesla” malware targeting various sectors in China, India, the Philippines, and the United Arab Emirates. The activity of “Agent Tesla” was attributed to a threat actor called Fucosreal, whose approximate location is in Nigeria.

This was possible because STY1X debugged the stealer on his own machine using a Telegram bot token provided by Fucosreal. This critical OPSEC mistake allowed the cybersecurity firm to identify up to 54 customers and 8 cryptocurrency wallets that likely belonged to STY1X and were allegedly used to receive payments.

“What was notable about this campaign was the use of the Telegram Bot API for data exfiltration, leveraging Telegram's infrastructure instead of traditional command-and-control (C&C) servers, which are easier to detect and block,” Check Point noted.

“However, this method has a significant flaw: each malware sample must contain a bot token for authentication. Decrypting the malware to extract this token gives access to all data sent via the bot and can thus reveal the recipient account.”
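The flaw Check Point describes, a bot token baked into every sample, is also what makes this exfiltration channel detectable. The following is an added triage example, not Check Point's or the article's code, that scans an unpacked sample for embedded Telegram bot tokens and flags Bot API calls in proxy logs; the token format, the sample bytes and the log lines are constructed assumptions.

```python
import re

# Telegram bot tokens issued by BotFather look like "<numeric bot id>:<35-char secret>"
# (assumption: the informal format, not a documented guarantee). Exfiltration through
# the Bot API sends requests to https://api.telegram.org/bot<token>/<method>.
TOKEN_RE = re.compile(rb"(?<!\d)(\d{8,10}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
BOT_API_RE = re.compile(r"api\.telegram\.org/bot(\d{8,10}):[A-Za-z0-9_-]{35}/(\w+)")

# Constructed stand-in for a decrypted stealer payload; the token is fake.
SAMPLE_BLOB = (
    b"MZ\x90\x00junk\x00Telegram\x00"
    b"1234567890:AAHfakeSECRETfakeSECRETfakeSECRET01\x00"
    b"https://api.telegram.org/bot1234567890:AAHfakeSECRETfakeSECRETfakeSECRET01/sendDocument\x00"
    b"chat_id=987654321\x00"
)

# Constructed proxy log lines (timestamp, client, method, URL, status).
PROXY_LOG = [
    "2024-04-02T10:15:31Z 10.0.0.12 POST https://api.telegram.org/bot1234567890:AAHfakeSECRETfakeSECRETfakeSECRET01/sendDocument 200",
    "2024-04-02T10:15:32Z 10.0.0.12 GET https://www.example.com/ 200",
    "2024-04-02T10:16:00Z 10.0.0.15 GET https://api.telegram.org/bot1234567890:AAHfakeSECRETfakeSECRETfakeSECRET01/getMe 200",
]

def find_bot_tokens(blob: bytes) -> list[str]:
    """Return the unique Telegram bot tokens embedded in an unpacked sample."""
    found: list[str] = []
    for m in TOKEN_RE.finditer(blob):
        token = m.group(0).decode("ascii")
        if token not in found:
            found.append(token)
    return found

def redact(token: str) -> str:
    """Keep only the bot id for reporting; the secret grants access to the bot."""
    bot_id, _secret = token.split(":", 1)
    return f"{bot_id}:<redacted>"

def flag_bot_api_traffic(lines: list[str]) -> list[dict]:
    """Flag log lines whose URL path carries a bot token, i.e. Bot API calls."""
    hits = []
    for line in lines:
        m = BOT_API_RE.search(line)
        if m:
            hits.append({"bot_id": m.group(1), "method": m.group(2), "line": line})
    return hits
```

Legitimate automation also uses the Bot API, so a hit is a triage lead to correlate with the originating process and host, not a verdict on its own.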


The disclosure comes against the backdrop of the emergence of new types of stealer malware such as Ailurophile, Banshee Stealer and QWERTY, while well-known stealers such as RedLine are used in phishing attacks targeting Vietnamese oil and gas companies, industrial, electrical and heating equipment manufacturers, as well as the paint, chemical and hotel industries.

“RedLine is a known stealer that targets login credentials, credit card data, browsing history and even cryptocurrency wallets,” said Symantec, which is owned by Broadcom. “It is actively used by numerous groups and individuals around the world.”

“Once installed, it collects data from the victim's computer and sends it to a remote server or Telegram channel controlled by the attackers.”
