Typhon Reborn Stealer Malware Resurfaces itself

Danger Alert! Typhon Reborn Stealer Malware Resurfaces with Advanced Evasion Techniques


Typhon Reborn, the threat actor responsible for the information-stealing malware, has reappeared with an upgraded edition (V2) that is better able to evade detection and thwart analysis.

The updated version is being sold on the underground criminal market for $59 per month, $360 per year, or for a lifetime membership of $540.

According to Talos Intelligence: “Analysis of the cryptocurrency wallet from which the attacker collects payments suggests that multiple adversaries have purchased access to the stealer, making it likely that it will be used in attacks moving forward.”

Cisco Talos researcher Edmund Brumaghin stated in a report on Tuesday that “the stealer can collect and transfer sensitive data and employs the Telegram API to forward the stolen data to the attackers.”
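The Telegram Bot API exfiltration channel mentioned above is something a defender can look for in outbound proxy telemetry. The following is an added example, not code from the article or from Talos: a small Python detector that parses constructed proxy log lines (timestamp, host, process, verb, URL, bytes out) and flags calls to api.telegram.org Bot API upload methods. The log format, host names, process names and the bot token are all made up for this example; the URL shape `bot<numeric id>:<secret>/<method>` is Telegram's documented Bot API layout. The detector keeps only the numeric bot id in its finding so the alert does not carry the secret around.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Telegram Bot API URLs look like https://api.telegram.org/bot<bot_id>:<secret>/<method>.
# This regex is written for the example; the token layout (digits, colon, secret) is Telegram's.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)

# Bot API methods that push data from the host outward (as opposed to polling with getUpdates).
UPLOAD_METHODS = {"sendDocument", "sendMessage", "sendPhoto", "sendVideo", "sendAudio"}

# Constructed proxy log lines (not real telemetry). Fields: ts host process verb url bytes_out.
# The bot token below is a placeholder, not a real credential.
SAMPLE_PROXY_LOG = """\
2023-04-06T10:01:12Z ws-17 chrome.exe GET https://www.example.com/index.html 512
2023-04-06T10:02:45Z ws-17 svchost.exe POST https://api.telegram.org/bot123456789:PLACEHOLDER_not_a_real_secret/sendDocument 842311
2023-04-06T10:02:50Z ws-17 svchost.exe GET https://api.telegram.org/bot123456789:PLACEHOLDER_not_a_real_secret/getUpdates 0
this line is malformed and must be skipped
"""


@dataclass
class Finding:
    timestamp: str
    host: str
    process: str
    bot_id: str      # numeric part only; the secret is deliberately not stored in the finding
    method: str
    bytes_out: int


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into its six fields; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, host, process, verb, url, bytes_out = parts
    try:
        return {"ts": ts, "host": host, "process": process, "verb": verb,
                "url": url, "bytes_out": int(bytes_out)}
    except ValueError:
        return None


def find_telegram_exfil(log_text: str, min_bytes: int = 0) -> List[Finding]:
    """Return a Finding for every Bot API upload call that sent at least min_bytes outward."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = BOT_API_RE.search(rec["url"])
        if not m or m.group("method") not in UPLOAD_METHODS:
            continue
        if rec["bytes_out"] < min_bytes:
            continue
        findings.append(Finding(rec["ts"], rec["host"], rec["process"],
                                m.group("bot_id"), m.group("method"), rec["bytes_out"]))
    return findings


if __name__ == "__main__":
    for f in find_telegram_exfil(SAMPLE_PROXY_LOG):
        print(f"{f.timestamp} {f.host} {f.process} -> Bot API {f.method} (bot id {f.bot_id}), {f.bytes_out} bytes out")
```

The `min_bytes` threshold lets an analyst separate a one-line `sendMessage` beacon from a bulk `sendDocument` upload; run with the default of 0 to see every upload call, then raise it when tuning for volume. The secret half of the token stays in the raw log for takedown reporting but is kept out of the alert record.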

Point of initiation

Typhon was initially documented by Cyble in August 2022, in a report that detailed its many features, such as

  • seizing clipboard content, 
  • capturing screenshots, 
  • logging keystrokes, and 
  • extracting data from crypto wallets, messaging apps, FTP, VPN, browsers, and gaming apps.

The new version adds:

  • Anti-analysis checks
  • Self-removal if analysis is detected
  • Use of Windows Management Instrumentation (WMI) to retrieve system information
  • Capture of the system's video controller details
  • A geolocation-based avoidance system
  • Targeting of removable drives
  • Data exfiltration

Based on Prynt Stealer, another data-stealing malware, Typhon can also deploy the XMRig cryptocurrency miner. In November 2022, Palo Alto Networks Unit 42 identified an updated version named Typhon Reborn.

“Anti-analysis techniques have been enhanced in this new version, and the stealer and file grabber features have been modified to improve them,” Unit 42 stated.

Cyble’s findings: Sibling to Typhon

Cyble’s recent revelations come amidst the disclosure of a new Python-based data-stealing malware called Creal that focuses on cryptocurrency users by utilizing phishing websites that imitate legitimate crypto mining services, such as Kryptex.

Creal is identical to Typhon Reborn in its ability to extract cookies and passwords from web browsers based on Chromium and information from gaming, instant messaging, and crypto wallet applications.

However, since the malware’s source code is accessible on GitHub (published so that you can see how your files are stolen and how to take action), other malicious individuals can modify the malware to serve their own objectives, making it an even more formidable threat.

Final say: Prudence is the key to security

Malware, viruses, trojans, and other cyber attacks will keep evolving. They are not going to stop, but they can be prevented. Your data can be protected by selecting the right tools and managing them properly. Following security procedures and managing your endpoints is crucial for that.

Keep your system updated, avoid suspicious links, keep patches intact, be vigilant, and contact the authorities for help. Stay protected!

Author: Marrium Akhtar

Date: April 6, 2023


Marrium is a dedicated digital Marketer and an SEO enthusiast who is skilled in cracking SEO codes. Other than work, she loves to stream, eat, and repeat.
