Listen to this story
Researchers at Cyble Research Labs (CRL) have discovered a new phishing site that uses a windows executable file (.exe) to spread Typhon Stealer on victims’ devices. The file named “systemupdate.exe” is executed while opening a link to the counterfeit website.
The real LNK.Gen shortcut is masked behind the executable file “systemupdate.exe,” designed to trick users into launching the malicious code via a phishing page. The researcher discovered that the phishing page tried to masquerade as Lindesbergs Kommun (a municipality in Örebro County in central Sweden) website and tricked users into revealing sensitive information.
Cyble Research Labs (CRL) released a complete analysis of the TA (threat actor) and shared its recommendations to create the first line of defense against the attackers.
An alarming TA activity
Sensitive information such as names, Social Security Number (SSN), and Credit/Debit card details, were being harvested and delivered to the Threat Actor’s (TAs) server in the campaign.
The TAs lured unsuspecting users to a phishing website and tricked them into opening a .lnk file, which executed a PowerShell command in the backend and automatically downloaded the Typhon Stealer malware from the remote server.
In its research, Cyble’s research wing explained that whenever a user visited the phishing page, it opened a payment form, asking users to pay 300 SEK (28 USD). It also asked users to provide sensitive information like their name, Social Security Number (SSN), ORT, etc.
After entering the information in the form, the hacker used Formspree to receive the information, reducing their overall cost of not requiring any coding in the backend.
Cyble’s report on Typhon Stealer
The Cyble Research Labs (CRL) researcher thoroughly analyzed the TAs and its nature. While downloading the file, it was revealed that the malicious program was based on Prynt Stealer, an underground sale item able to steal credentials and data from browsers, apps, and other services (including Telegram).
The authors of the malware also added a module to deliver XMRig CryptoMiner, which was in the development stage, and shared a Telegram channel to communicate with prospective clients interested in buying Typhon Stealer services.
The TAs also shared its packages for purchasing Typhon Stealer — starting with a lifetime subscription model for $50 for 100 installs and the biggest package for $1,000 for 20,000 installs.
How does TAs use anti-analysis to prevent detection?
To prevent the threat detection system from finding the malware, the TA used Anti-Analysis checks to determine if the victim’s devices can locate the malware.
If it discovered such security programs, the stealer would use a binary flag with the value “True”; and terminate itself with a fake error message. The malware used GetModuleHandle() function to detect DLL files related to sandbox or antivirus programs and also looked for applications that could prevent malware analysis.
Additionally, the stealer used only one instance of malware, and if a mutex was already running on the victim’s device, the malware terminated itself from execution. It could also spread through system files via a mounted drive and copies itself to the startup folder, thus enabling it whenever a user logged in to the device.
Typhon Stealer and Third-Party Technologies
Typhon Stealer is capable of combining and utilizing malware strains to exploit systems. It can use hybrid versions of virus, worm, trojan, spyware, adware, keyloggers, Klez, MSBlast, Netsky, and spyware.
It can also compromise Windows systems, Steam accounts, FTP applications, and more. Here is a look at Typhon Stealer and how it uses third-party services to steal information from victim devices.
Using Clipper, TAs can replace the wallet address in the victim’s cryptocurrency accounts. Typhon Stealer can perform clipping on the following Cryptocurrencies — Ethereum, Bitcoin,
XRP, Stellar, Monero, Bitcoin Cash, and Litecoin.
Typhon Stealer can use keylogging and collect users’ login information, including their passwords and IDs. It used the traditional keylogging method to create separate threats to save users’ data under the “logs\\keylogger\\” folder.
The TA can target three browsers — Chromium-based browsers, Microsoft Edge, and Firefox-based browsers. It uses the browsers’ “Local\AppData\Browser” folder, steals login information to various websites, to steal data, files, and money from their accounts.
Typhon Stealer can use two FTP applications — FileZilla and WinSCP. In both instances, it steals data from “sitemanager.xml” and “recentservers.xml.” By using the “Hosts.txt” to save the stolen data for exfiltration.
The TAs were capable of stealing funds from crypto wallets. Cyble explained that the “stealer created a folder named “Wallets” and then enumerated a list of BASE64 encoded wallets to identify if a wallet was present on the victim’s system.
It then enabled Typhon Stealer to find digital wallets on the victim’s system. And by using keylogging and retrieving login information from the victim’s browser, the stealer can move the funds to a different account.
The stealer can also grab files from the victim’s computer’s directories, folders, and cloud storage systems. However, the only limitation is the stealer can only capture data up to 5 MB.