In a startling turn of events, the creator of the new infostealer malware Styx Stealer has inadvertently compromised their own computer, leaking sensitive data including client information, profits, nicknames, phone numbers, and email addresses. This incident, uncovered by Check Point analysts, serves as a stark reminder of the importance of robust cybersecurity practices, even for those operating on the wrong side of the law.
The Rise of Styx Stealer: A New Threat in the Cybercrime Landscape
Styx Stealer, which emerged in April 2024, is a variant of the Phemedrone stealer. This sophisticated malware is designed to pilfer data from browsers, Telegram and Discord sessions, and cryptocurrency wallets. Check Point researchers note that while Styx Stealer lacks some features present in newer versions of Phemedrone, such as Telegram reporting and report encryption, it introduces several unique capabilities:
- Auto-start functionality
- Clipboard monitor and crypto clipper
- Enhanced sandbox evasion and anti-analysis methods
- Reimplemented data transmission to Telegram
The Economics of Cybercrime: Styx Stealer’s Business Model
Styx Stealer was distributed through its dedicated website (styxcrypter[.]com), offering “licenses” at varying price points:
- $75 per month
- $230 for three months
- $350 for a lifetime subscription
This pricing structure highlights the commercialization of malware and the growing “Malware-as-a-Service” trend in the cybercriminal underground.
Unraveling the Cybercriminal Network
Investigations by Check Point have linked Styx Stealer to a Turkish threat actor known as STY1X. Notably, STY1X was previously associated with a spam campaign targeting entities in China, India, the Philippines, and the UAE, distributing the Agent Tesla malware. This campaign was attributed to another threat actor, FucosReal, believed to be based in Nigeria.
The Fatal Flaw: Debugging on a Personal Machine
STY1X’s critical error occurred when they debugged Styx Stealer on their personal machine using a Telegram bot token provided by FucosReal. This oversight allowed researchers to identify:
- 54 clients of the hacker
- 8 cryptocurrency wallets likely belonging to STY1X
- Personal data including Telegram accounts, email, and other contact information
Innovative Tactics and Their Pitfalls
The Styx Stealer campaign stood out for its use of Telegram’s bot API for data exfiltration, eschewing traditional command-and-control servers. While this approach makes detection and blocking more challenging, because the exfiltration traffic goes to legitimate Telegram infrastructure, it introduces a significant weakness: each malware sample must embed the bot token it uses to authenticate. Decrypting the malware to extract this token grants access to all data sent through the bot, potentially exposing the recipient’s account.
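The weakness described above is something an analyst can check for mechanically: a sample that talks to the Telegram bot API has to carry a bot token somewhere in its strings. The script below is an added example written for this article, not code from Check Point’s report or from the malware itself. It scans a binary for strings in both ASCII and UTF-16LE (Phemedrone-family stealers are .NET assemblies, whose string heap is UTF-16LE; treat that as an assumption), flags any reference to `api.telegram.org/bot`, and reports embedded bot tokens in masked form so the finding can be recorded as an indicator without the full secret being copied around. The token pattern (`<bot id>:<35 characters of [A-Za-z0-9_-]>`) is the commonly documented format and is also an assumption; the sample bytes are constructed and the token in them is fake.

```python
import re

# Printable runs in raw ASCII and in UTF-16LE (each char followed by a NUL byte).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Telegram bot token: numeric bot id, a colon, then a 35-char secret (assumed format).
# No leading anchor, so a token glued onto ".../bot" inside a URL is still found.
TOKEN_RE = re.compile(r"(\d{8,10}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
API_RE = re.compile(r"api\.telegram\.org/bot")


def extract_strings(data: bytes) -> list[str]:
    """Return printable strings from a blob, decoding ASCII and UTF-16LE runs."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]
    return found


def mask_token(token: str) -> str:
    """Keep the bot id and the first/last 4 chars of the secret; star out the rest."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 8)}{secret[-4:]}"


def scan_sample(data: bytes) -> dict:
    """Report whether the sample references the Telegram bot API and which
    (masked, de-duplicated) bot tokens are embedded in it."""
    tokens: set[str] = set()
    uses_api = False
    for s in extract_strings(data):
        if API_RE.search(s):
            uses_api = True
        for m in TOKEN_RE.finditer(s):
            tokens.add(mask_token(m.group(0)))
    return {"telegram_api": uses_api, "tokens": sorted(tokens)}


# Constructed sample: a fake token stored once as a UTF-16LE .NET-style string
# and once inside an ASCII URL. The token is made up and does not exist.
FAKE_TOKEN = "1234567890:AAHfakeTOKENforDEMOonly_0123456789X"
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + "https://api.telegram.org/bot".encode("utf-16-le") + b"\x00\x00"
    + FAKE_TOKEN.encode("utf-16-le") + b"\x00\x00"
    + b"https://api.telegram.org/bot" + FAKE_TOKEN.encode() + b"/sendDocument"
    + b"\x00" * 8
)

if __name__ == "__main__":
    print(scan_sample(SAMPLE))
```

Run against a real sample by reading the file’s bytes into `scan_sample`. Two tokens with different bot ids in one sample, or a token that also appears in a sandbox’s network capture, are the kind of result worth correlating across a campaign’s samples, since the page notes that one token ties every sample using it back to the same Telegram account.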
This incident underscores the critical importance of operational security in cybercrime operations and the potential consequences of even minor oversights. It also highlights the effectiveness of thorough malware analysis in uncovering valuable intelligence about threat actors and their operations. As cybersecurity professionals, we must remain vigilant and adaptable, continuously improving our detection and analysis capabilities to stay ahead of evolving threats in the digital landscape.