Check Point Research uncovered Styx Stealer, a new malware variant derived from Phemedrone Stealer that harvests browser data, instant messaging sessions, and cryptocurrency wallet data, and is sold via styxcrypter[.]com. The investigation also exposed an operational security lapse by the Styx Stealer developer that linked the developer to the Agent Tesla actor Fucosreal and leaked extensive intelligence on the actors and their operations.
#StyxStealer #Styxcrypter #PhemedroneStealer #AgentTesla #Fucosreal #Mack_Sant
Keypoints
- Styx Stealer is a new malware variant that steals browser data, instant messaging sessions (Telegram/Discord), and cryptocurrency information.
- The developer is linked to Fucosreal, an Agent Tesla threat actor involved in a spam campaign targeting Check Point customers.
- An operational security lapse leaked sensitive information about the developer and the malware’s operations, including Telegram bot tokens and customer data.
- Styx Stealer is based on an older version of Phemedrone Stealer but adds features such as auto-start, clipboard monitoring, and crypto-clipper, plus sandbox/anti-analysis techniques.
- The malware is distributed via styxcrypter[.]com with subscription pricing and manual Telegram-based ordering (e.g., @styxencode).
- The spam campaign against Check Point customers did not produce any confirmed victims, but the investigation into it exposed extensive actor connections and data leaks.
- CPR’s teardown traced a chain of actors (Styx1x, Mack_Sant, Fucosreal) and exposed Telegram bot tokens and accounts used to exfiltrate data.
MITRE Techniques
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence via a new value under the Run key, named according to the stealer’s configuration. ‘Auto-start is implemented by adding a new entry to the registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Run where the name of the entry is specified in the stealer’s configuration.’
- [T1115] Clipboard Data – Clipboard monitoring, extended into a crypto-clipper that swaps copied wallet addresses for the attacker’s. ‘Monitoring and replacing clipboard content to steal cryptocurrency addresses.’
- [T1497] Virtualization/Sandbox Evasion – Detecting and evading virtual machines and sandbox environments. ‘Detecting and evading virtual machines and sandbox environments.’
- [T1041] Exfiltration Over C2 Channel – Using Telegram for data exfiltration. ‘Using Telegram for data exfiltration.’
- [T1055] Process Injection – Injecting into processes to evade detection. ‘Injecting into processes to evade detection.’
- [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – Stealing saved passwords, cookies, and auto-fill data from browsers. ‘Stealing saved passwords, cookies, and auto-fill data from browsers.’
- [T1005] Data from Local System – Gathering data from browser extensions and cryptocurrency wallet files. ‘Gathering data from browser extensions and cryptocurrency wallets.’
- [T1562.001] Impair Defenses: Disable or Modify Tools – Terminating analysis tools found running (e.g., Wireshark, HTTP Debugger). ‘Check for running processes of Wireshark and HTTP Debugger, and terminate them if found.’
- [T1070.004] Indicator Removal: File Deletion – Self-deletion upon VM/sandbox detection. ‘Self-deletion function in Styx Stealer.’
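The clipboard behaviour above (T1115 and the crypto-clipper) is the one technique in the list with a mechanic small enough to show end to end. The following Python is an added example, not code from the Check Point report or from Styx Stealer: it models what a clipper does on each clipboard poll (recognise a wallet address by shape, overwrite it with the attacker’s address of the same coin) and the detection heuristic that pairs with it (an address replaced by a different address of the same coin within a couple of seconds, far faster than a user would copy a second address). The address regexes, the 2-second window, the 0.3-second poll delay and the clipboard timeline are assumptions; the two attacker wallets are the BTC and Monero addresses from the IoC list used as stand-ins, and the victim addresses are public example addresses (the Bitcoin genesis address and the BIP173 bech32 example).

```python
"""Crypto-clipper mechanics and a matching detection heuristic.

Added example (not from the Check Point report or from Styx Stealer). The
address patterns, timing window, poll delay and sample timeline are
assumptions chosen to illustrate the clipboard swap, not observed values.
"""
import re

# Address shapes a clipper keys on. Format checks only, no checksum
# validation: that is also all a clipper needs to decide whether to swap.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,33}|bc1[02-9ac-hj-np-z]{11,71})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "xmr": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}

# Stand-in attacker wallets: the BTC and XMR addresses from the IoC list.
ATTACKER_WALLETS = {
    "btc": "1PbfzBuGwkx5dYJJkCZvhU9pAh3r3TwFvJ",
    "xmr": "46NJXqcrDYAhmSmpzRqaV9BqMKcCzuTMzH4dKqUyZSGx7w9hLULnmsTFeJo44Zgg2TUgrFoV97wJwUpvgQ6NYkNV8k7cRuW",
}


def classify_address(text):
    """Return the coin type if the text looks like a wallet address, else None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(text):
            return coin
    return None


def clipper_rewrite(clipboard_text, wallets=ATTACKER_WALLETS):
    """One clipper poll: swap a recognised address for the attacker's address of
    the same coin; leave non-addresses and unsupported coins untouched."""
    coin = classify_address(clipboard_text)
    if coin in wallets and clipboard_text.strip() != wallets[coin]:
        return wallets[coin]
    return clipboard_text


class ClipperDetector:
    """Flags the clipper signature: an address on the clipboard is replaced by a
    different address of the same coin within window_s seconds."""

    def __init__(self, window_s=2.0):
        self.window_s = window_s
        self._last = None          # (ts, text, coin) of the last address seen
        self.alerts = []

    def observe(self, ts, text):
        coin = classify_address(text)
        if coin is None:
            self._last = None      # plain text breaks the address-to-address chain
            return None
        alert = None
        if self._last is not None:
            last_ts, last_text, last_coin = self._last
            if last_coin == coin and last_text != text and ts - last_ts <= self.window_s:
                alert = {"ts": ts, "coin": coin, "original": last_text, "replacement": text}
                self.alerts.append(alert)
        self._last = (ts, text, coin)
        return alert


# Constructed clipboard timeline: (timestamp, text the user copied).
SAMPLE_TIMELINE = [
    (0.0, "meeting notes for tuesday"),
    (5.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),          # legacy BTC address (genesis)
    (12.0, "0x" + "ab" * 20),                              # ETH: attacker has no ETH wallet here
    (40.0, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),  # bech32 BTC (BIP173 example)
]

POLL_DELAY_S = 0.3  # assumed: how long after a copy the clipper writes its swap


def simulate(timeline, clipper_active=True, window_s=2.0):
    """Feed the timeline through the (optional) clipper and the detector; return alerts."""
    detector = ClipperDetector(window_s)
    for ts, text in timeline:
        detector.observe(ts, text)                 # what the user placed on the clipboard
        if clipper_active:
            swapped = clipper_rewrite(text)
            if swapped != text:
                detector.observe(ts + POLL_DELAY_S, swapped)  # what the clipper wrote back
    return detector.alerts


if __name__ == "__main__":
    for a in simulate(SAMPLE_TIMELINE):
        print(f"t={a['ts']:5.1f} {a['coin']}: {a['original']} -> {a['replacement']}")
    print("alerts without clipper:", len(simulate(SAMPLE_TIMELINE, clipper_active=False)))
```

With the clipper active the two BTC copies each produce an alert, while the ETH copy does not because the stand-in attacker holds no ETH wallet; the same timeline with the clipper disabled produces none, which is the false-positive check that matters for the heuristic. On a real host the `observe` calls would be driven by clipboard-change notifications, and the clipboard owner process at the moment of the swap is the next thing to record.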
Indicators of Compromise
- [Hash] 088bc96742dd7eaab4563a1830b9ca74cc2fa7a933b1b89485ddfc09b18f1bae – Agent Tesla TAR archive used in a malicious spam campaign.
- [Hash] 019b1767e76539b91fdb7f3feb76457f8ca509dec83bbb0ecddbe49139da25a3 – POlist.exe loader referenced in the Gmail/Archive distribution chain.
- [Hash] 9ea494b525c4676e63f943e2d1dba751c377b9138613003c80d14ddfaed6883e – Styx Stealer binary observed in the POlist-based distribution.
- [Domain] styxcrypter[.]com – Website selling Styx Stealer/Styx Crypter; first ads appeared April 2024.
- [URL] http://playerenterprises[.]org/Documental/uploads/661f19607b27c.txt – URL used to load Styx Stealer via the POlist.exe loader.
- [File Name] POlist.exe – Malicious loader binary used in distribution.
- [File Name] Styx-Stealer.exe – Main Styx Stealer binary observed during debugging/distribution.
- [Account] Telegram usernames – @joemmBot, @styxencode, @Mack_Sant, @cobrasupports – Accounts involved in token sharing and customer communications.
- [URL] https://www.youtube.com/channel/StyxDeveloper-ie7je – Styx Stealer demo content and branding involved in marketing.
- [CryptoWallet] Bitcoin – 1PbfzBuGwkx5dYJJkCZvhU9pAh3r3TwFvJ – Example BTC wallet address used for payments.
- [CryptoWallet] Monero – 46NJXqcrDYAhmSmpzRqaV9BqMKcCzuTMzH4dKqUyZSGx7w9hLULnmsTFeJo44Zgg2TUgrFoV97wJwUpvgQ6NYkNV8k7cRuW – Example Monero wallet address used for payments.