| Styx Stealer | |
|---|---|
| Type of Malware | Infostealer |
| Country of Origin | Nigeria |
| Targeted Countries | India |
| Date of Initial Activity | 2024 |
| Associated Groups | Fucosreal |
| Motivation | Financial Gain |
| Type of Information Stolen | Communication Data |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
Overview
In the ever-evolving world of cybercrime, malware developers constantly push the boundaries of sophistication, creating tools designed to infiltrate, extract, and exploit sensitive data. Among the latest discoveries is Styx Stealer, a potent information-stealing malware with capabilities that extend beyond typical credential theft. Derived from the notorious Phemedrone Stealer, Styx Stealer targets a broad range of data, including browser credentials, cryptocurrency wallets, and instant messenger sessions on platforms like Telegram and Discord. Its advanced features, including a crypto-clipper and persistent infection mechanisms, make it a formidable threat in the cybersecurity landscape.
What sets Styx Stealer apart from its predecessors is not only its technical advancements but also its integration with popular communication tools like Telegram for exfiltrating stolen data. This approach allows the malware to bypass conventional detection methods that monitor traditional command-and-control servers. Furthermore, Styx Stealer operates as a commercial product, offered to cybercriminals through a subscription model. Priced between $75 per month and $350 for a lifetime license, it is marketed via Telegram, where transactions are conducted under the radar.
Targets
Information
Individuals
Manufacturing
How they operate
Initial Infection and Execution
The malware primarily spreads through phishing campaigns, often delivered via malicious email attachments or links. When the victim clicks on a deceptive link or opens an infected document, the malware is executed. Styx Stealer relies on user interaction to execute its payload, a typical method of entry for many information stealers. Once executed, it runs in the background without significant signs of infection, avoiding detection by many traditional antivirus programs.
Data Collection and Harvesting
After gaining access to the victim’s system, Styx Stealer begins collecting valuable data. Its primary function is to steal browser data, including stored passwords, cookies, and auto-fill data. This data often provides attackers with easy access to a victim’s online accounts, such as banking, email, and social media platforms. Styx Stealer also targets cryptocurrency wallets, extracting the private keys and transaction data stored in browser extensions or local wallet files. This makes the malware particularly dangerous for users engaged in cryptocurrency transactions, as it can steal funds directly from the victim’s wallet.
In addition to browser data, Styx Stealer has advanced functionality for targeting instant messaging services. It can extract chat logs from platforms such as Telegram and Discord, along with authentication tokens, which may be used for future exploitation. The malware’s ability to infiltrate messaging apps makes it a threat to both personal and business communications, as it could expose private conversations and other sensitive information.
Persistence and Evasion
One of Styx Stealer’s key technical features is its persistence mechanism. After the initial infection, the malware ensures that it remains active on the victim’s system, even after a reboot. This persistence is achieved by modifying registry settings or placing itself in system startup directories, enabling it to automatically execute whenever the system is restarted. By maintaining a foothold on the infected machine, Styx Stealer continues its operation and increases the chances of collecting valuable data over time.
To evade detection, Styx Stealer employs several anti-analysis techniques. It includes anti-sandboxing features that help it detect when it’s being executed in a virtualized environment, commonly used by researchers and security tools. Additionally, it uses obfuscation techniques to hide its presence from antivirus software and malware detection systems. This makes it difficult to analyze the malware’s behavior in a controlled environment, allowing it to operate undisturbed in the wild.
Crypto-Clipping Functionality
One of the most dangerous aspects of Styx Stealer is its crypto-clipper functionality. The malware has the ability to monitor the victim’s clipboard, looking specifically for cryptocurrency wallet addresses. When the victim copies a wallet address, Styx Stealer replaces it with an address controlled by the attacker. This allows the attacker to steal cryptocurrency during legitimate transactions, making it particularly effective against users who frequently transfer funds using crypto wallets. This feature adds an additional layer of complexity to detecting Styx Stealer’s actions, as the victim may not realize that the wallet address was altered until it’s too late.
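As an added defender-side illustration (not code from the original page or from any Styx Stealer analysis), the following Python flags the clipper behaviour described above: a wallet address on the clipboard being replaced by a different address of the same family with no user copy action in between. The clipboard event feed, the address patterns and the sample addresses are all constructed assumptions for this example.

```python
import re
from dataclasses import dataclass

# Approximate address shapes a clipper watches for (illustrative, not exhaustive):
# Bitcoin base58 (P2PKH/P2SH), Bitcoin bech32, and Ethereum hex addresses.
ADDRESS_PATTERNS = {
    "btc_base58": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_kind(text):
    """Return the address family the clipboard text looks like, or None."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None

@dataclass
class ClipboardEvent:
    ts: float        # seconds since monitoring started
    content: str     # clipboard text observed
    user_copy: bool  # True if a user copy action (Ctrl+C / context menu) produced it

def find_clip_swaps(events):
    """Flag changes where a wallet address is replaced by a *different* address of
    the same family with no user copy action in between: the clipper signature."""
    alerts = []
    last_addr, last_kind = None, None
    for ev in events:
        kind = address_kind(ev.content)
        if ev.user_copy:                      # user set the clipboard; remember it
            last_addr, last_kind = (ev.content, kind) if kind else (None, None)
            continue
        if kind and kind == last_kind and ev.content != last_addr:
            alerts.append({"ts": ev.ts, "kind": kind,
                           "original": last_addr, "replaced_with": ev.content})
            last_addr = ev.content            # do not re-alert on the same swap
    return alerts

# Constructed sample: the user copies their own address, a background poll still
# sees it, then a later poll sees a different base58 address with no user action.
VICTIM_ADDR = "1VictimAddrConstructed1111"
SWAPPED_ADDR = "1AttackerAddrConstructed111"
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, VICTIM_ADDR, True),
    ClipboardEvent(0.5, VICTIM_ADDR, False),
    ClipboardEvent(1.0, SWAPPED_ADDR, False),
    ClipboardEvent(5.0, "meeting notes", True),   # unrelated copy, must not alert
]
```

Running `find_clip_swaps(SAMPLE_EVENTS)` yields a single alert for the 1.0 s swap; a real monitor would feed it from a clipboard hook on the host.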
Exfiltration and Data Transmission
Once the malware has collected sensitive information, it needs to transmit the data back to the attacker. Styx Stealer uses Telegram’s Bot API as an exfiltration method, a technique that bypasses traditional command-and-control (C2) communication channels, which are more likely to be detected and blocked. The use of Telegram for exfiltration allows the malware to send stolen data to the attacker’s Telegram bot, making it harder for defenders to track the malware’s communication patterns.
Each sample of Styx Stealer is configured with a unique Telegram bot token, allowing it to send data to specific channels controlled by the attacker. This method of data exfiltration is both efficient and stealthy, as it utilizes a widely used communication platform rather than a custom C2 infrastructure that might be flagged by security tools.
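The exfiltration channel described above is visible in outbound web proxy logs. As an added example (not code from the original page or from any Styx Stealer sample), the Python below flags upload-direction Telegram Bot API calls and groups them by source host and bot id, using the per-sample token noted above as a pivot. The log format, process names and bot tokens are constructed assumptions for this example.

```python
import re
from urllib.parse import urlsplit

# Bot API requests look like https://api.telegram.org/bot<id>:<secret>/<method>;
# only the "send*" methods push data toward the operator, so only those are flagged.
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>\w+)$")
UPLOAD_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}

# Constructed proxy log (space separated): time src_ip process http_method url status bytes_out.
# The bot tokens below are made up for this example.
SAMPLE_LOG = """\
2024-08-01T10:15:02Z 10.0.0.12 chrome.exe GET https://www.example.com/ 200 1532
2024-08-01T10:15:09Z 10.0.0.12 svchost.exe POST https://api.telegram.org/bot1234567890:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendDocument 200 48213
2024-08-01T10:15:11Z 10.0.0.12 svchost.exe POST https://api.telegram.org/bot1234567890:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendMessage 200 640
2024-08-01T10:16:40Z 10.0.0.17 chrome.exe GET https://api.telegram.org/bot9876543210:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB/getUpdates 200 210
"""

def telegram_bot_call(url):
    """Return (bot_id, secret, api_method) if url is a Telegram Bot API call, else None."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = BOT_PATH.match(parts.path)
    return (m["bot_id"], m["secret"], m["method"]) if m else None

def find_exfil(log_text):
    """Group upload-direction Bot API calls per (source host, bot id). Because each
    sample carries its own token, the bot id is a useful per-campaign pivot; the
    secret half of the token is redacted so alerts can be shared safely."""
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue                           # skip malformed lines
        _, src, proc, _, url, _, size = fields
        call = telegram_bot_call(url)
        if not call or call[2] not in UPLOAD_METHODS:
            continue
        bot_id, secret, api_method = call
        entry = hits.setdefault((src, bot_id), {
            "proc": proc, "token": f"{bot_id}:{secret[:4]}...", "calls": 0, "bytes": 0, "methods": set()})
        entry["calls"] += 1
        entry["bytes"] += int(size)
        entry["methods"].add(api_method)
    return hits
```

On the sample log only the svchost.exe host is reported (two calls, roughly 48 KB out); the chrome.exe `getUpdates` poll is a bot reading its own channel and is not flagged.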
Monetization and Sales
While Phemedrone Stealer is open-source and freely available, Styx Stealer operates on a subscription-based model. This means that the developer profits from selling access to the malware, with pricing ranging from $75 for a monthly subscription to $350 for a lifetime license. Transactions are handled via Telegram, a common platform for cybercriminal transactions. This monetization method not only sustains the developer’s operations but also allows the malware to evolve, with continued support and updates for buyers.
MITRE Tactics and Techniques
1. Initial Access
T1204: User Execution
Styx Stealer is often delivered through phishing emails or malicious documents that rely on user interaction to execute the malware.
2. Persistence
T1547: Boot or Logon Autostart Execution
Styx Stealer incorporates a persistence mechanism that ensures it remains active on the victim’s system even after rebooting, enabling long-term access for the attacker.
3. Credential Access
T1555: Credentials from Password Stores
The malware targets browser password stores to extract saved credentials, allowing attackers to access sensitive online accounts.
T1110: Brute Force
Although it does not brute-force passwords itself, Styx Stealer may collect credentials for later automated use.
4. Discovery
T1083: File and Directory Discovery
Styx Stealer scans the system for sensitive files, including configuration files of cryptocurrency wallets and messenger applications.
T1012: Query Registry
The malware examines the Windows Registry for configuration settings or valuable information.
5. Collection
T1114: Email Collection
It may harvest email credentials and metadata stored in browsers or email clients.
T1560: Archive Collected Data
Styx Stealer compiles collected data into compressed formats for easier exfiltration.
6. Exfiltration
T1041: Exfiltration Over C2 Channel
Styx Stealer uses Telegram as an alternative to traditional command-and-control (C2) channels, exfiltrating data via Telegram Bot APIs.
T1022: Data Encrypted
The data is often encrypted during transmission to evade detection.
7. Evasion
T1027: Obfuscated Files or Information
Styx Stealer employs obfuscation techniques to evade detection by antivirus tools.
T1562: Impair Defenses
It includes anti-analysis techniques and sandbox evasion mechanisms to hinder analysis.
8. Impact
T1490: Inhibit System Recovery
By maintaining persistence and compromising key files, Styx Stealer reduces the likelihood of quick recovery or malware removal.