Typhon Reborn V2: Updated stealer features enhanced anti-analysis and evasion capabilities

Typhon Reborn V2 is a rebuilt information stealer with significantly enhanced anti-analysis, anti-VM, and obfuscation capabilities, designed to evade security researchers and detections. It exfiltrates collected data via Telegram and is sold cheaply on underground forums, suggesting broader deployment in future attacks. Hashtags: #TyphonReborn #Telegram

Keypoints

  • Typhon Reborn Version 2 (V2) was released in January with major codebase rewrites and improved capabilities.
  • V2 adds extensive anti-analysis and anti-virtualization features to thwart sandboxing and debugging.
  • Sample activity and purchases indicate Typhon Reborn V2 will likely appear in future attacks.
  • The malware is sold on underground forums for $59/month or a $540 lifetime license, making it inexpensive relative to peers.
  • It collects a wide range of sensitive data and exfiltrates it via the Telegram API.

MITRE Techniques

  • [T1497] Virtualization/Sandbox Evasion – Anti-analysis and anti-VM routines, including checks for virtualization, hosting environments, and debuggers to avoid analysis. Quote: ‘The latest version has significantly more anti-analysis and anti-virtualization capabilities…’
  • [T1057] Process Discovery – The malware enumerates currently running processes and checks for analysis tools. Quote: ‘The malware then obtains the list of currently running processes on the system and checks the executable path … against the following list of executable file names associated with common analysis tools.’
  • [T1562] Impair Defenses – Checks for security-product DLLs (e.g., Sandboxie, Avast, Comodo) to evade protections. Quote: ‘the presence of the following DLLs associated with common security products that may be installed.’
  • [T1012] Query Registry – Scans the Windows Registry for keys referencing analysis tools. Quote: ‘The malware also checks the Windows Registry … to determine if any subkeys reference the following common analysis tools:’
  • [T1047] Windows Management Instrumentation – Uses WMI to collect system information (GPU, CPUID, computer system details). Quote: ‘The malware uses Windows Management Instrumentation (WMI) to retrieve information about the Graphics Processing Unit (GPU) on the system.’
  • [T1518] Software Discovery – Enumerates installed software on the system. Quote: ‘A list of installed software is also generated using WMI and saved …’
  • [T1083] File and Directory Discovery – Enumerates drives and target directories to copy data. Quote: ‘Drive enumeration. Each drive that meets this criterion has its root directory added to a list of target directories.’
  • [T1113] Screen Capture – Captures screenshots of the infected system for exfiltration. Quote: ‘The malware also captures screenshots from infected systems saved in the same directory as the stealer logs.’
  • [T1555] Credentials in Files – Attempts to collect saved passwords/tokens from applications and files (e.g., Wi-Fi credentials stored in Wifi Passwords.txt). Quote: ‘The stealer also collects saved Wi-Fi network information and stores it …’
  • [T1041] Exfiltration Over C2 Channel – Data is compressed and exfiltrated via Telegram; overview and data messages are sent. Quote: ‘the data is stored in a compressed archive and exfiltrated via HTTPS using the Telegram API’ and ‘The malware then sends another Telegram message containing the data being exfiltrated…’
  • [T1070] Indicator Removal on Host – SelfRemove functionality to delete traces after exfiltration. Quote: ‘SelfRemove.Remove() to terminate execution.’
  • [T1027] Obfuscated/Compressed Files and Information – String obfuscation using Base64 and XOR to hide strings and logic. Quote: ‘The malware decodes the Base64, generating a UTF-8 character-encoded string … deobfuscated using an XOR key …’

Indicators of Compromise

  • [Domain] ip-api.com – queried to determine whether the infected host is running in a hosting environment; example: ‘hxxp://ip-api[.]com/line/?fields=hosting’
  • [Domain] api.ipify.org – used to obtain the infected host’s public IP; example: api.ipify.org
  • [URL] http://www.google.com – connectivity check; example: http://www.google.com
  • [File] UserData.txt – stealer log containing system data; example: UserData.txt
  • [File] BuildID.txt – contains the Telegram channel information for the malware developer; example: BuildID.txt
  • [File] InstalledSoftwares.txt – list of installed software; example: InstalledSoftwares.txt
  • [File] Drive Info.txt – information about drives; example: Drive Info.txt
  • [File] Running Processes.txt – list of running processes; example: Running Processes.txt
  • [File] Available Networks.txt – wireless networks discovered; example: Available Networks.txt
  • [File] Wifi Passwords.txt – saved Wi‑Fi credentials; example: Wifi Passwords.txt
  • [Process] ollydbg.exe, ida64.exe, processhacker.exe – common analysis tools detected during anti-analysis checks
  • [DLL] SbieDLL.dll, SxIn.dll, Sf2.dll, Snxhk.dll, cmdvrt32.dll – security-product DLLs used in defense evasion checks
  • [File] detonate, virus, test, malware, maltest – filenames used to detect execution context
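A correlation check over the file and network indicators listed above, written here as an added example (not Talos code). The event record shape is invented for the sample, and api.telegram.org is assumed as the Telegram Bot API host the stealer's exfiltration would reach:

```python
"""Flag a process that writes the stealer's log files and contacts a recon or exfil host.
Events are constructed records {'pid', 'type', 'value'}: type 'file' = file created,
type 'net' = outbound host contacted."""
from collections import defaultdict

# Stealer log filenames from the report (matched case-insensitively on basename).
STEALER_LOGS = {
    "userdata.txt", "buildid.txt", "installedsoftwares.txt", "drive info.txt",
    "running processes.txt", "available networks.txt", "wifi passwords.txt",
}
RECON_HOSTS = {"ip-api.com", "api.ipify.org"}   # lookups named in the report
EXFIL_HOSTS = {"api.telegram.org"}              # assumed Telegram Bot API endpoint


def _basename(path: str) -> str:
    # Telemetry may carry either path separator; normalise before matching.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def correlate(events):
    """Return {pid: {'logs', 'recon', 'exfil'}} for pids that meet the threshold."""
    per_pid = defaultdict(lambda: {"logs": set(), "recon": set(), "exfil": set()})
    for ev in events:
        bucket = per_pid[ev["pid"]]
        if ev["type"] == "file":
            name = _basename(ev["value"])
            if name in STEALER_LOGS:
                bucket["logs"].add(name)
        elif ev["type"] == "net":
            host = ev["value"].lower()
            if host in RECON_HOSTS:
                bucket["recon"].add(host)
            elif host in EXFIL_HOSTS:
                bucket["exfil"].add(host)
    # Two or more log artefacts plus outbound contact: a single UserData.txt alone is noise.
    return {pid: b for pid, b in per_pid.items()
            if len(b["logs"]) >= 2 and (b["recon"] or b["exfil"])}


# Constructed sample telemetry: pid 4242 behaves like the stealer, pid 1000 is benign.
SAMPLE_EVENTS = [
    {"pid": 4242, "type": "net", "value": "ip-api.com"},
    {"pid": 4242, "type": "file", "value": r"C:\Users\u\AppData\Local\Temp\x\UserData.txt"},
    {"pid": 4242, "type": "file", "value": r"C:\Users\u\AppData\Local\Temp\x\Wifi Passwords.txt"},
    {"pid": 4242, "type": "net", "value": "api.telegram.org"},
    {"pid": 1000, "type": "file", "value": r"C:\Users\u\Documents\UserData.txt"},
    {"pid": 1000, "type": "net", "value": "www.google.com"},
]

if __name__ == "__main__":
    for pid, hit in correlate(SAMPLE_EVENTS).items():
        print(pid, sorted(hit["logs"]), sorted(hit["recon"]), sorted(hit["exfil"]))
```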

Read more: https://blog.talosintelligence.com/typhon-reborn-v2-features-enhanced-anti-analysis/