Phishing Site used to Spread Typhon Stealer

New stealer developing Crypto Miner capabilities

During a routine threat hunting exercise, Cyble Research Labs (CRL) came across a Twitter post wherein researchers mentioned a URL that hosts a Windows executable payload with the name systemupdate.exe. The researcher in the Twitter post claims this Windows executable is a variant of Typhon stealer malware delivered via a crafted .lnk file.

Upon analyzing the mentioned URL, we identified that it also hosts a phishing page that impersonates Lindesbergs Kommun (a municipality in Örebro County in central Sweden) to steal users’ sensitive information such as name, Social Security Number (SSN), ORT, and Credit/Debit card details and sends it to the Threat Actor’s (TAs) server.

When a user opens a .lnk file, it further executes a PowerShell command, downloads Typhon stealer from the remote server, and executes it. The below image shows the content of the .lnk file.

Cyble Research Labs also downloaded the Windows executable and performed a deep dive analysis on it. We observed that this malicious program is based on Prynt Stealer and can steal data from multiple applications. The developer of the stealer has also added a module for delivering XMRig CryptoMiner, which appears to be either in a development stage or the TA who generated this stealer using a builder did not add this functionality.

The TAs has also created a Telegram channel to communicate with the people who want to purchase Typhon stealer services. The below images show the Typhon stealer is updated through a Telegram channel, where the TA is actively working on releasing updates for the stealer. The TA sells this stealer via a lifetime subscription model for $50.

Interestingly, the TA also provides spreading and crypting services for the ones who purchase this stealer, as shown below.

Technical Analysis

Phishing Page Analysis

When the user visits the URL: hxxp://lindesbergparkeringsanmarkning[.]netlify[.], it opens a fake payment form with a name and logo related to Lindesbergs kommun which asks the users to pay 300 SEK(Swedish krona, the national currency of Sweden).

The payment form also asks for users’ sensitive information such as name, Social Security Number (SSN), ORT, and Credit/Debit card details.

When users enter their details in the above form page, it sends all the provided details to the server using Formspree through the URL: hxxps://formspree[.]io/f/xknylake.

Formspree is a form backend, API, and email service for HTML forms that sends form submissions via email without needing any coding or a backbend. It provides its services for free or at a very low cost.

After sending the users’ information to the server, the website redirects users to the Formspree acknowledgment page, which acknowledges the submission.

Payload Analysis

Anti-Analysis:

(Sample SHA256: 67afd1f116ffcf84c59bef3d3b925dc82dadebc21f2e8cc39b77892104b9e9ec)

The malware initially performs various Anti-Analysis checks if the TA enabled the Anit-Analysis functionality while building the malware. This stealer will return a binary flag with the value “True” if it detects antivirus applications or a sandbox environment and will terminate itself with a fake error message.

The malware identifies the following DLL files related to sandbox and antivirus programs in the victims’ machine using the GetModuleHandle() function.

SbieDll.dll	Sandboxie
SxIn.dll	360 Total Security
Sf2.dll	Avast Antivirus
snxhk.dll	Avast Antivirus
cmdvrt32.dll	COMODO

This stealer also checks if the following applications are running to prevent analysis of malware:

• processhacker
• netstat
• netmon
• tcpview
• Wireshark
• filemon
• regmon
• cain

The stealer calls the CheckRemoteDebuggerPresent() function to identify the process being debugged. It also uses Windows Management Instrumentation (WMI) queries to detect the Virtual Environment, as shown below.

The stealer also checks for a mutex named “GOJJL2LPIZM04XC0NQ4I” to ensure that only one instance of malware is running in the victims’ machine. The malware terminates its execution if the mutex is already present.

The stealer also has the capability of spreading through mounted drives. It copies itself as a “USB-Service” to the mounted drives.

The stealer can also copy itself into the startup folder to establish persistence. Copying files to the startup folder enables the TA to execute the stealer upon user login automatically. 

The stealer creates a hidden folder in the Local/AppData directory to store the stolen data. For naming this folder, it creates an MD5 hash using a concatenated string which consists of “Username, Computer Name, Culture, Processor Name, Video Controller Name.”

Under this, it creates another folder that will be named using the “Username + @ + Computer Name+ _ +Culture” string.

Clipper

Clipper enables TAs to steal cryptocurrency by replacing the wallet address in the victim’s clipboard with their own wallet address. Typhon Stealer can perform clipping activities on the following Cryptocurrencies:

• Ethereum (ETH)
• Bitcoin (BTC)
• XRP (XRP)
• Stellar (XLM)
• Monero (XMR)
• Bitcoin Cash (BCH)
• Litecoin (LTC)

The figure below shows the Base64 encoded RegEx values to identify respective crypto addresses from the clipboard.

Keylogger

The stealer can also perform keylogging activities. It creates a separate thread for this functionality and saves the victim’s data under the “logs\\keylogger\\” folder. The figure below shows the Keylogger functionality in the stealer.

Browsers

This Typhon sample targets three browsers:

• Chromium-based browsers
• Microsoft Edge
• Firefox-based browsers

Typhon stealer targets over 30 Chromium-based browsers, 5+ Mozilla-based browsers, and MS Edge. Every browser stores a file in the Local\AppData\Browser folder with sensitive information such as login credentials, cookies, autofill data, etc. The Typhon stealer target these files for stealing data. The figure below shows the browser directories targeted by the stealer.

FTP Applications

Typhon stealer targets two FTP applications:

• FileZilla
• WinSCP

FileZilla is a free and open-source, cross-platform FTP application. It steals the data from “sitemanager.xml” and “recentservers.xml” and stores the data in the “Hosts.txt” file under the “FileZilla” folder for exfiltration.

WinSCP is a popular SFTP client and FTP client for Windows. WinSCP saves the user session-related data in the registry. Typhon stealer grabs the WinSCP data from “Software\\Martin Prikryl\\WinSCP 2\\Sessions” registry key.

Gaming

Typhon Stealer targets the following gaming applications and steals sensitive data from the victim’s machine.

• Steam
• Minecraft
• Uplay

Steam:

The malware identifies the Steam installation path by checking the registry key value at HKEY_LOCAL_MACHINE\Software\Valve\Steam. After this action, it enumerates the subkey present under HKEY_LOCAL_MACHINE\Software\Valve\Steam\Apps to get details of the application, as can be seen in the figure below. The malware also targets the steam’s SSFN file, known as the authorization file, and copies it for exfiltration.

Uplay:

The malware looks for “Ubisoft Game Launcher” in the AppData folder; if this folder is present, it copies all the files for exfiltration.

Minecraft:

For Minecraft, the stealer checks if the “.minecraft” folder is present under the AppData directory. If it is present, it creates a folder named “Minecraft” under the “Gaming” folder to save the stolen data.

This stealer copies “launcher_profiles.json,” “servers.dat,” and screenshots to the “Minecraft” folder for exfiltration. It also extracts mods and version details and saves them in the respective text files created in the “Minecraft” folder.

Messaging Applications

The Typhon stealer targets the following messaging applications:

• Discord
• Telegram
• Pidgin

The malware first creates a folder named “Messenger,” which will be used for saving data from these applications. For stealing  Discord tokens, it first searches for the following directories:

• Discord\\Local Storage\\leveldb
• discordptb\\Local Storage\\leveldb
• Discord Canary\\leveldb

The malware steals Telegram sessions by copying files from the “Telegram Desktop\tdata” folder. For Pidgin, the malware first identifies if “.purple\\accounts.xml” is present in the AppData folder. It steals the login credentials and protocol details and saves them into the “Pidgin Accounts.txt” file, as shown below.

VPN

This stealer steals credentials from three VPNs: ProtonVPN, OpenVPN, and NordVPN.

The malware first checks whether a VPN is installed or not by checking the directory C:\Users\[username]\AppData\Local\[VPN name], as shown in the figure below.

If a targeted VPN service is installed on the victim’s system, the stealer steals the credentials from the configuration files, such as user.config, etc., and copies the configuration file to the folder used for saving stolen data.

Wallets

Typhon Stealer targets crypto wallets, as shown in the figure below. The stealer createsa folder named “Wallets” and then enumerates a list of BASE64 encoded wallets path to identify if a wallet is present on the victim’s system.

It also targets Blockchains such as Bitcoin, Dash, and Litecoin by fetching the path from registry key  HKEY_CURRENT_USER\Software\Blockchain_name\ Blockchain_name-Qt

Grabber

This stealer grabs files from directories such as Desktop, My Pictures, Personal, Downloads, OneDrive, and Dropbox. It only grabs files that are smaller than 5MB and have the extensions mentioned below.

Type	Extension
Document	pdf, RTF, doc, Docx, Xls, xlsx, ppt, pptx, indd, txt, JSON
Database	db, db3, db4, kdb, kdbx, SQL, SQLite, MDF, MDB, dsk, dbf, wallet, ini
SourceCode	c, cs, CPP, asm, sh, py, pyw, HTML, CSS, php, go, js, rb, pl, swift, java, kt, kts, ino
Image	jpg, jpeg, png, BMP, PSD, SVG, ai

It also steals the system information such as Hardware Details, OS details, Windows product keys, etc. The figure below shows sample system information data stolen by the stealer. The stealer also has the functionality of taking pictures from the victim’s webcam.

Exfiltration

Along with exfiltrating data to the Telegram channel, the stealer can also upload the stolen data to Anon Files. AnonFiles is a file upload and download service that allows users to host a file anonymously. The figure below shows the AnonFiles upload functionality.

Other Functionalities

It appears that this stealer can also be used for delivering XMRig, which is a Cryptominer. Currently, this feature is not in a functional state for this sample, but we suspect that in the future, TAs might use Typhon Stealer to deliver cryptominers.

Conclusion

Threat Actors continuously enhance their techniques to target users from various sectors, such as Govt. organizations and industries from various domains. In this case, they are using the Lindesbergs Kommun organization’s theme to lure the users and deploy the Typhon stealer payload.

In the past, Cyble has observed numerous data breaches in prominent organizations through such malicious programs. Organizations or individuals are advised to follow industry-standard cybersecurity practices to secure themselves and their firms.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

How to prevent malware infection?

• Avoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites such as YouTube, torrent sites, etc., mainly contains such malware.
• Use strong passwords and enforce multi-factor authentication wherever possible. 
• Turn on the automatic software update feature on your computer, mobile, and other connected devices.
• Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.
• Refrain from opening untrusted links and email attachments without first verifying their authenticity. 
• Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.
• Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
• Monitor the beacon on the network level to block data exfiltration by malware or TAs.
• Enable Data Loss Prevention (DLP) Solution on the employees’ systems.

MITRE ATT&CK® Techniques

Tactic	Technique ID	Technique Name
Initial Access	T1566	Phishing
Execution	T1204	User Execution
Defense Evasion	T1497.001	Virtualization/Sandbox Evasion: System Checks
Credential Access	T1555  T1539  T1552  T1528	Credentials from Password Stores  Steal Web Session Cookie Unsecured Credentials  Steal Application Access Token
Collection	T1113	Screen Capture
Discovery	T1087  T1518  T1057  T1124  T1007  T1614	Account Discovery  Software Discovery  Process Discovery  System Time Discovery  System Service Discovery  System Location Discovery
Command and Control	T1095	Non-Application Layer Protocol
Exfiltration	T1041  T1567	Exfiltration Over C&C Channel  Exfiltration Over Web Service

Indicators of Compromise (IOCs)

Indicators	Indicator Type	Description
a1f146eb008f077be809ab4e61f46f4e	MD5	TyphonStealer Payload
8af9fc9aa7517ac327cc8692c2adf54537f39fe5	SHA-1	TyphonStealer Payload
e04e65ddad749789f4f05bb88e2c8bde8df9263950eb120ad1191f217ca0c742	SHA-256	TyphonStealer Payload
79dc4a4192469c3e697afd81409a52da	MD5	TyphonStealer Payload
51aa7b94b3f3921d21e730b113faa20e0f6b6902	SHA-1	TyphonStealer Payload
48133d1aaf1a47f63ec73781f6a2b085b28174895b5865b8993487daec373e0a	SHA-256	TyphonStealer Payload
77f7d71475362232d13adbdb19e876ff	MD5	TyphonStealer Payload
7c4ff5acfc57573279c9abc6779a8bc547b23d12	SHA-1	TyphonStealer Payload
d68f00429a5f39c718cc704ee11e8e10d37c8ffc831630d753c922269bc01b86	SHA-256	TyphonStealer Payload
ce4675c0ab630d8e1e89eb7c9d23188d	MD5	TyphonStealer Payload
b4d71ad21f6f6cff7d297bbe1431a007b0d3e792	SHA-1	TyphonStealer Payload
524180810d0b9764e5ef3923a8eb34b2ed8ca1923244be37e94ca57d889ede9b	SHA-256	TyphonStealer Payload
hxxp://lindesbergparkeringsanmarkning[.]netlify[.]app	URL	URL Hosting Phishing Page and TyphonStealer Payload
hxxps://formspree[.]io/f/xknylake