In a recent discovery by security researchers at Check Point Research (CPR), a sophisticated new malware tool called Styx Stealer was unmasked due to a major operational security error made by the threat actor behind it. This oversight provided valuable information about the creator of the malware, who was identified as an individual based in Turkey with ties to an Agent Tesla campaign, one of the longest-standing and most prolific information stealers still in operation. The blunder also allowed researchers to gather personal details such as Telegram accounts, contacts, emails, and cryptocurrency transfers amounting to $9,500 from buyers of Styx Stealer and another encryption tool over a two-month period.
The incident highlighted how threat actors can inadvertently reveal their identities through operational security lapses, despite efforts to remain anonymous. Similar cases have occurred in the past, leading to the exposure of threat actors and their malicious activities. For example, Mandiant was able to attribute an attack to North Korea’s Lazarus Group after a security oversight exposed the threat actor’s real IP address in North Korea. Similarly, Secureworks unveiled the personas behind the Iranian threat group Cobalt Mirage by exploiting operational security mistakes made by the threat actors involved. In 2021, IBM’s X-Force threat intelligence group gained valuable insights into Iran’s “Charming Kitten” cyber-espionage group due to multiple operational security failures on the threat actor’s part.
The CPR researchers unraveled the identity of Styx Stealer’s creator by analyzing a malicious file linked to an Agent Tesla campaign recovered from a spam campaign in March. Through Telegram’s Bot API, they extracted vital information that led them to monitor the threat actor’s Telegram bot. Subsequent discovery of a malicious archive file containing a document named “Styx Stealer” and a screenshot of the developer working on the project confirmed their suspicions. The analysis revealed that the malware author, operating under the handle Sty1x, collaborated with an individual identified as @Mack_Sant based in Lagos, Nigeria, who was responsible for the Agent Tesla campaign. Exchanges between the two demonstrated the testing of both Styx Stealer and Agent Tesla for data exfiltration purposes.
Styx Stealer, derived from an earlier malware tool known as “Phemedrone Stealer,” targets vulnerabilities such as CVE-2023-36025, a Windows Defender SmartScreen vulnerability discovered earlier this year. The malware is designed to steal data from various sources including browser extensions in Chromium-based browsers, cryptocurrency wallets, files in specific folders, and session information from messaging and gaming platforms like Discord, Telegram, and Steam. To evade detection, Styx Stealer includes obfuscation techniques and checks for certain processes to terminate, as well as the ability to determine if it is operating within a virtual machine environment. Additionally, the malware is programmed not to execute in specific countries, including Russia, Ukraine, Kazakhstan, Moldova, Belarus, and Azerbaijan.
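The Agent Tesla sample described above exfiltrated through a Telegram bot, and the Bot API URL it contacted is what gave the researchers their lead. The following is an added defender-side example, not code from the CPR report, that triages constructed proxy log lines for Telegram Bot API requests (URLs of the form api.telegram.org/bot<token>/<method>) and groups them by client host and redacted bot token, so an analyst can spot which workstation is talking to which bot and with which methods.

```python
import re
from collections import defaultdict

# Telegram Bot API calls have the shape https://api.telegram.org/bot<TOKEN>/<method>.
# The token is "<numeric bot id>:<url-safe secret>"; it uniquely identifies the bot.
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)"
)

# Constructed sample proxy log lines (not from the CPR report): timestamp, client IP, method, URL.
SAMPLE_PROXY_LOG = """\
2024-03-12T09:14:02Z 10.0.4.23 GET https://www.example.com/index.html
2024-03-12T09:14:07Z 10.0.4.23 POST https://api.telegram.org/bot1234567890:AAHkX9ZzQ2wJ7pL0mN3rT8vY5cB1dE4fG6h/sendDocument
2024-03-12T09:14:09Z 10.0.4.23 POST https://api.telegram.org/bot1234567890:AAHkX9ZzQ2wJ7pL0mN3rT8vY5cB1dE4fG6h/sendMessage
2024-03-12T09:15:31Z 10.0.7.8 GET https://api.telegram.org/bot9876543210:AAGabcdefghijklmnopqrstuvwxyz0123456/getMe
"""


def redact(token):
    """Keep the numeric bot id (useful for correlation) but hide most of the secret."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:4]}...{secret[-4:]}"


def find_telegram_bot_traffic(log_text):
    """Return {client_ip: {redacted_token: [methods, ...]}} for every Bot API hit."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = TELEGRAM_BOT_RE.search(line)
        if not m:
            continue  # ordinary traffic, not a Bot API call
        parts = line.split()
        client_ip = parts[1] if len(parts) > 1 else "?"
        hits[client_ip][redact(m.group("token"))].append(m.group("method"))
    return {ip: dict(tokens) for ip, tokens in hits.items()}


if __name__ == "__main__":
    for ip, tokens in find_telegram_bot_traffic(SAMPLE_PROXY_LOG).items():
        for tok, methods in tokens.items():
            print(f"{ip} -> bot {tok}: {', '.join(methods)}")
```

Methods such as sendDocument from a workstation that has no business automating Telegram are the signal worth escalating; the bot id survives redaction so hits can be correlated across hosts.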
“The case of Styx Stealer serves as a reminder that even sophisticated cybercriminal operations can be compromised due to simple security oversights,” noted CPR researcher Alexey Bukhteyev. The incident shows how much a threat actor’s anonymity depends on consistent operational security, and how a single lapse can expose an entire operation to researchers and investigators.