There’s a new threat called Styx Stealer Malware that’s on the prowl, snatching up your browser and instant messenger data. Stay alert!



Styx Stealer: A New Cybersecurity Threat

Cybersecurity researchers at Check Point have recently uncovered a new and sophisticated malware named "Styx Stealer." This malicious software is designed to steal data from browsers and instant messaging applications, posing a significant risk to personal and financial information.


Key Threats:

Styx Stealer is particularly dangerous because it allows cybercriminals to collect sensitive data such as personal credentials, financial information, and passwords from compromised systems. The stolen data can then be used in further cyberattacks, for identity theft, or sold on the black market, making such malware a crucial tool in the cybercriminal’s arsenal.


Technical Analysis:

Styx Stealer first emerged on the internet in April 2024. It is an advanced iteration of the Phemedrone Stealer, offering several improvements over its predecessor. The malware specifically targets browsers based on Chromium and Gecko, enabling it to steal saved passwords, cookies, auto-fill data, and cryptocurrency wallet details.

Moreover, Styx Stealer is capable of interfering with Telegram and Discord sessions, compiling system data, and taking screenshots. It also includes advanced features such as auto-start functionality, real-time clipboard monitoring, and crypto-clipping. Notably, it is designed to evade detection by anti-virus programs and sandboxes.

Developed by a Turkish cybercriminal known as "Sty1x," Styx Stealer is sold via Telegram or a dedicated website. Prices range from $75 per month to $350 for unlimited access.

Through forensic analysis, researchers discovered that Sty1x was collaborating with a Nigerian actor using the aliases Fucosreal and Mack_Sant, who had also been involved in an Agent Tesla malware campaign. This operation targeted Chinese companies in various sectors, including metallurgy, transportation, and production.

An operational security lapse by Sty1x led to the exposure of his development work, personal data, and connections within the cybercriminal ecosystem. This discovery unraveled the complex networks of international cybercriminals.


Enhanced Features:

Styx Stealer, derived from the older Phemedrone Stealer, has been enhanced with a crypto-clipper, improved anti-analysis techniques, and a configurable builder featuring a graphical interface. However, an accidental exposure occurred when Sty1x debugged the stealer using a Telegram bot token provided by @Mack_Sant (alias Fucosreal), revealing their identities, email addresses, and cybercriminal networks.

Sty1x marketed Styx Stealer and Styx Crypter through Telegram (@styxencode), accepting payments in Bitcoin, Litecoin, Tron USDT, and Monero. The investigation identified 54 customers and approximately $9,500 in revenue over a two-month period across eight cryptocurrency wallets.


Sophisticated Evasion Techniques:

Styx Stealer employs anti-VM checks to evade analysis and geo-blocking that prevents it from running in CIS countries, while stealing browser data, cryptocurrency wallet information, and system details.

Despite their efforts, Sty1x and his collaborators did not achieve broad distribution of Styx Stealer, as there are no confirmed victims beyond their own systems and a few security sandboxes.
