A new malware strain called Styx Stealer has emerged, posing a significant threat to online security. Discovered in April 2024, Styx Stealer malware targets popular Chromium and Gecko-based browsers, including Chrome, Firefox, and their derivatives, to pilfer a treasure trove of data. This stolen information can include saved passwords, cookies, auto-fill data (including credit card information, cryptocurrency wallet information, system data (hardware information and external IP address) and screenshots.
Beyond targeting browsers, Styx Stealer also sets its sights on popular instant messaging applications like Telegram and Discord. By compromising these platforms, attackers can gain access to chats of users, potentially exposing sensitive conversations and further compromising their online identity.
Styx Stealer Malware Analysis in Detail
Styx Stealer was designed by a Turkish cybercriminal who goes by the name “Sty1x” and is sold via Telegram or a dedicated website at prices ranging from $75 per month to $350 for unlimited access.
Check Point Research claimed that it discovered the Styx Stealer thanks to a critical error committed by its developer. During the debugging process, the developer made a crucial mistake – they failed to implement proper operational security (OpSec) measures. This resulted in leaking sensitive data from their own computer directly to the researchers.
This leaked information included details about Styx Stealer’s capabilities, its potential targets, and even the developer’s earnings. More importantly, it revealed a connection to the developer of another notorious malware strain – Agent Tesla.
Forensic analysis further uncovered a link between Styx Stealer’s developer (Sty1x) and a Nigerian actor operating under the aliases Fucosreal and Mack_Sant. This individual was previously involved in a campaign utilizing Agent Tesla malware, targeting Chinese firms in various sectors like metallurgy, transportation, and production.
This connection suggests a potential collaboration between cybercriminals, creating an even more formidable threat.
Lineage of Theft: Styx Stealer’s Ancestry
The research identified Styx Stealer as a derivative of Phemedrone Stealer, a malware strain known for its browser-targeting capabilities. Styx Stealer inherits the core functionalities of Phemedrone, but it introduces some significant improvements. These improvements include:
- Auto-start functionality, allowing the malware to launch automatically upon system startup.
- Crypto-clipping functionality enables the theft of cryptocurrency wallet information.
These enhanced features make Styx Stealer a more potent threat, capable of causing significant financial losses to unsuspecting victims.
Potential Impact of Styx Stealer
The information stolen by Styx Stealer can be used for various malicious purposes. Here are some of the potential consequences of an infection:
- Identity Theft: Stolen passwords and personal data can be used to impersonate you online, allowing attackers to access your accounts, make fraudulent purchases, or damage your reputation.
- Financial Loss: Cryptocurrency wallet information can be used to steal your digital currency holdings.
- Data Breaches: Compromised instant messaging conversations could reveal sensitive information that could be used for blackmail or other malicious purposes.
- Targeted Attacks: Stolen system data could be used to launch more targeted attacks against your device or network.
The Future of Styx Stealer
The discovery of Styx Stealer serves as a stark reminder of the constant threat posed by malware developers. While the leak of information by the developer has likely disrupted the initial operations of Styx Stealer, it’s crucial to remain vigilant.
Cybercriminals are known for adapting their tactics, and it’s possible that Styx Stealer could resurface with improved functionalities or targeting strategies. By staying informed about the latest threats and implementing robust security measures, users can stay ahead of the curve and protect their valuable online data.
