Styx Stealer’s Creator Unmasked Due to Operational Security Error
August 21, 2024
Check Point Research (CPR) has identified the author of a new information-stealing malware, Styx Stealer, thanks to a major operational security mistake by the threat actor. This error allowed the researchers to trace the malware back to an individual based in Turkey who also has ties with the operator of a campaign distributing Agent Tesla, a well-known and widely used information stealer.
The operational security error provided the researchers with a wealth of personal information about the malware developer, including his Telegram accounts, contacts, emails, and details about his cryptocurrency transfers over two months, which amounted to around $9,500. This was the income from the sales of Styx Stealer and a separate encryption tool. Alexey Bukhteyev, a CPR researcher, stated in a recent blog post, "During the debugging of Styx Stealer, the developer made a fatal error and leaked data from his computer."
This mishap allowed CPR to gather significant intelligence, including the number of clients, profit information, nicknames, phone numbers, and email addresses. They also obtained similar data about the actor behind the Agent Tesla campaign. Although it's not common, threat actors occasionally reveal themselves due to operational security lapses. When this happens, security researchers seize the opportunity to gather as much information as possible about the threat actor's tactics, techniques, and procedures.
CPR researchers first became aware of the Styx Stealer's author while analyzing a malicious file containing Agent Tesla, recovered from a spam campaign in March. The malware was using Telegram's Bot API for data exfiltration, and the researchers managed to extract the Telegram bot token from it. This allowed them to monitor the threat actor's Telegram bot, leading to the discovery of a malicious archive file with a document titled "Styx Stealer."
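The exfiltration channel described above is a useful detection pivot: a sample that talks to the Telegram Bot API usually carries the bot token as a string literal, either as ASCII or, in .NET malware such as Agent Tesla, as UTF-16LE. The following scanner is an added example written for this article and is not CPR's tooling; it assumes the token shape "<numeric bot id>:<35-character secret>", extracts both string encodings from a byte blob, reports the bot ids and API methods it finds, and redacts the secret so the report can be shared without reproducing the credential. The sample bytes are constructed and the token is not real.

```python
import re

# Assumption (for this added example): a Telegram Bot API token has the shape
# "<numeric bot id>:<35-character secret>". The lookarounds stop the match from
# starting mid-number or swallowing a trailing path separator.
TOKEN_RE = re.compile(r"(?<!\d)(\d{8,10}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
# Bot API call shape: https://api.telegram.org/bot<token>/<method>
API_RE = re.compile(r"https?://api\.telegram\.org/bot[^/\s\"'<>]+/([A-Za-z]+)")

# Constructed sample token; it is not a real credential.
FAKE_TOKEN = "1234567890:AAHxample_Token_Not_Real_0123456789"

# Constructed stand-in for a sample: an ASCII URL literal plus UTF-16LE literals
# (the encoding .NET assemblies use for string constants), surrounded by junk bytes.
SAMPLE = (
    b"MZ\x90\x00\x03\x00" + b"\x00" * 16
    + b"https://api.telegram.org/bot" + FAKE_TOKEN.encode() + b"/sendDocument\x00"
    + b"\x01\x02\x03"
    + "chat_id=987654321".encode("utf-16le") + b"\x00\x00"
    + FAKE_TOKEN.encode("utf-16le") + b"\x00\x00"
    + b"\xff" * 8
)


def extract_strings(blob: bytes, min_len: int = 8):
    """Yield printable ASCII runs and UTF-16LE runs of at least min_len characters."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        yield m.group().decode("utf-16le")


def redact(bot_id: str, secret: str) -> str:
    """Keep enough of the token to correlate samples without reproducing the credential."""
    return f"{bot_id}:{secret[:3]}...{secret[-2:]}"


def scan_sample(blob: bytes) -> dict:
    """Report Telegram Bot API indicators found in a byte blob."""
    report = {"bot_ids": set(), "methods": set(), "token_hits": 0, "redacted_tokens": set()}
    for s in extract_strings(blob):
        for m in TOKEN_RE.finditer(s):
            bot_id, secret = m.group(1), m.group(2)
            report["token_hits"] += 1
            report["bot_ids"].add(bot_id)
            report["redacted_tokens"].add(redact(bot_id, secret))
        for m in API_RE.finditer(s):
            report["methods"].add(m.group(1))
    return report


if __name__ == "__main__":
    r = scan_sample(SAMPLE)
    print(f"bot ids: {sorted(r['bot_ids'])}, methods: {sorted(r['methods'])}, "
          f"token hits: {r['token_hits']}, tokens: {sorted(r['redacted_tokens'])}")
```

The same bot id appearing in samples from different campaigns is the kind of correlation that lets analysts tie operators together, which is why the scanner keeps the numeric id in clear while hiding the secret. On a real sample, run it over the unpacked binary or a memory dump, since packed or string-encrypted builds will not expose the literal until runtime.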
The researchers pieced together information that led them to identify the author of Styx Stealer as an individual based in Turkey, using the handle Sty1x, along with several different email addresses and phone numbers. They also found that Sty1x collaborated with an individual based in Lagos, Nigeria, using the handle @Mack_Sant. The researchers were able to recover data from both individuals' computers, which confirmed that @Mack_Sant was the operator of the Agent Tesla campaign that CPR had investigated in March.
Styx Stealer is an information-stealing malware based on an early version of the code of "Phemedrone Stealer," a malware tool that was used in attacks exploiting CVE-2023-36025, a Windows Defender SmartScreen vulnerability. The malware steals data from Chromium-based browser extensions, cryptocurrency wallets, and files within the "My Documents" and "Desktop" folders. It can also gather location and system data and steal Discord, Telegram, and Steam sessions.
The malware includes various obfuscation and detection evasion features and is designed not to execute in certain countries, including Russia, Ukraine, Kazakhstan, Moldova, Belarus, and Azerbaijan. Bukhteyev stated, "The case of Styx Stealer is a compelling example of how even sophisticated cybercriminal operations can slip up due to basic security oversights."