Styx Stealer Overview
Styx Stealer is a sophisticated malware variant, inheriting many functionalities from its predecessor, Phemedrone Stealer. It is capable of extracting saved passwords, cookies, and auto-fill data from various web browsers, as well as information from browser extensions and cryptocurrency wallets. Furthermore, it can capture Telegram and Discord session data, gather system information, and even take screenshots to analyze its environment before executing its malicious operations.
While Styx Stealer appears to be based on an older version of Phemedrone Stealer, it incorporates new features such as auto-start capabilities, clipboard monitoring, and enhanced evasion techniques. The malware is marketed through a subscription model, with prices ranging from $30 for a monthly license to $200 for a lifetime subscription. Interested buyers must contact the seller via Telegram to initiate a purchase.
Operational Security Lapses
The investigation into Styx Stealer revealed a significant operational security failure by its creator. During the debugging phase, the developer inadvertently leaked crucial data, including a Telegram bot token linked to the Agent Tesla campaign. This lapse allowed CPR to trace the malware's development back to its creator, Sty1x, who has been active in the cybercrime community since at least April 2024.
In March 2024, a spam campaign distributing a malicious TAR archive was identified, which contained the Agent Tesla malware. This campaign primarily targeted representatives from various industries, including diamond and metallurgical sectors, across multiple countries. The connection between Sty1x and the Agent Tesla campaign was further solidified when it was discovered that the Telegram bot used for data exfiltration was created by Fucosreal.
Financial Insights
Through meticulous analysis, CPR identified a total of 54 customers who purchased Styx Stealer and Styx Crypter products. Payments were accepted in various cryptocurrencies, including Bitcoin and Monero, with a total revenue estimated at approximately $6,500 over a two-month period. This financial insight underscores the profitability of such cybercriminal endeavors, despite the inherent risks involved.
Technical Features of Styx Stealer
The technical capabilities of Styx Stealer are extensive, featuring functionalities such as:
- Extraction of cookies, saved passwords, and credit card information from web browsers.
- Stealing data from popular cryptocurrency wallets.
- Collecting system information and user location data.
- Monitoring clipboard content for cryptocurrency transactions.
Additionally, Styx Stealer employs various evasion techniques to avoid detection, including checks for debugging tools and virtual machine environments. These measures highlight the malware's sophistication and the ongoing challenges in cybersecurity.