Typhon Reborn, the information-stealing malware, has resurfaced in an upgraded edition (V2) with improved capabilities for evading detection and thwarting analysis.
The updated version is being sold on underground criminal forums for $59 per month, $360 per year, or $540 for lifetime access.
According to Cisco Talos: “Analysis of the cryptocurrency wallet from which the attacker collects payments suggests that multiple adversaries have purchased access to the stealer, making it likely that it will be used in attacks moving forward.”
Cisco Talos researcher Edmund Brumaghin stated in a report on Tuesday that “the stealer can collect and transfer sensitive data and employs the Telegram API to forward the stolen data to the attackers.”
Origins
Typhon was first documented by Cyble in August 2022. That report detailed features such as:
- seizing clipboard content,
- capturing screenshots,
- logging keystrokes, and
- extracting data from crypto wallets, messaging apps, FTP and VPN clients, browsers, and gaming apps.
The V2 release adds or reworks the following:
- Anti-analysis checks that look for debuggers, sandboxes and virtual machines
- Self-removal: the stealer deletes itself if an analysis environment is detected
- Use of Windows Management Instrumentation (WMI) to retrieve system information
- Inspection of the system's video controller (a common tell for virtual machines)
- A geolocation check that stops the stealer from running on systems in excluded countries
- Infection of removable drives
- Exfiltration of the collected data
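Two of the behaviours listed above leave a recognisable trace on the network: the geolocation check (the stealer has to ask an external service where it is) followed shortly by uploads to the Telegram Bot API, which Talos says the stealer uses for exfiltration. As an added example, not code from Talos, Cyble or the Typhon authors, the following Python hunts a small set of web-proxy log lines for that sequence. The log layout (timestamp, client IP, method, URL, status, request body bytes, quoted User-Agent), the IP addresses and both bot tokens are constructed for the example; only the shape of a Telegram Bot API URL (`/bot<id>:<secret>/<method>`) is real.

```python
"""Hunt for Telegram Bot API exfiltration in web-proxy logs (constructed example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Telegram Bot API URLs look like https://api.telegram.org/bot<bot_id>:<secret>/<method>.
# Real secrets are 35 characters; the range below tolerates tokens that were reformatted in logs.
TELEGRAM_URL = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,40})/(?P<method>\w+)"
)
# Methods that carry a file payload: these are the actual exfiltration channel.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendAnimation"}
# Public-IP / country lookup services a stealer typically queries before deciding to run.
GEO_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "ip-api.com", "ipapi.co"}
BROWSER_UA = re.compile(r"Mozilla/\d")

# Assumed proxy log layout: ts client method url status body_bytes "user_agent"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ua>[^"]*)"$'
)

# Constructed sample: one infected workstation (10.0.0.12) and one legitimate server-side bot (10.0.5.2).
SAMPLE_LOG = """\
1680600000.101 10.0.0.12 GET https://www.example.com/ 200 0 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/111.0"
1680600001.500 10.0.0.12 GET https://api.ipify.org/?format=json 200 0 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
1680600003.442 10.0.0.12 POST https://api.telegram.org/bot5123456789:AAHk9Xq2ZrVb7_pL0mN3yT4uW8cD1eF6gHi/sendDocument 200 948122 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
1680600004.007 10.0.0.12 POST https://api.telegram.org/bot5123456789:AAHk9Xq2ZrVb7_pL0mN3yT4uW8cD1eF6gHi/sendMessage 200 412 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
1680600010.550 10.0.5.2 POST https://api.telegram.org/bot7777777777:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi/getUpdates 200 0 "python-requests/2.28.2"
"""


@dataclass
class Request:
    ts: float
    client: str
    http_method: str
    url: str
    status: int
    body_bytes: int
    user_agent: str

    @property
    def host(self) -> str:
        return re.sub(r"^https?://", "", self.url).split("/", 1)[0]


@dataclass
class Finding:
    client: str
    bot_id: str
    secret_prefix: str            # enough to correlate across hosts without re-logging the whole credential
    reasons: set = field(default_factory=set)


def parse_log(text: str) -> list[Request]:
    """Parse proxy lines; malformed lines are skipped rather than aborting the hunt."""
    out = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        out.append(Request(float(m["ts"]), m["client"], m["method"], m["url"],
                           int(m["status"]), int(m["bytes"]), m["ua"]))
    return out


def find_telegram_exfil(requests: list[Request], large_upload: int = 256_000,
                        geo_window: float = 60.0) -> list[Finding]:
    """Return one Finding per (client, bot) pair that shows at least one suspicious trait."""
    by_client: dict[str, list[Request]] = defaultdict(list)
    for r in requests:
        by_client[r.client].append(r)

    findings: list[Finding] = []
    for client, reqs in sorted(by_client.items()):
        reqs.sort(key=lambda r: r.ts)
        geo_times = [r.ts for r in reqs if r.host in GEO_LOOKUP_HOSTS]
        per_bot: dict[str, Finding] = {}
        for r in reqs:
            m = TELEGRAM_URL.match(r.url)
            if not m:
                continue
            f = per_bot.setdefault(m["bot_id"], Finding(client, m["bot_id"], m["secret"][:4]))
            if m["method"] in UPLOAD_METHODS:
                f.reasons.add(f"{m['method']} upload")
                if r.body_bytes >= large_upload:
                    f.reasons.add("large upload")
            if BROWSER_UA.search(r.user_agent):
                # Browsers never call the Bot API themselves; a spoofed browser UA is a stealer habit.
                f.reasons.add("browser User-Agent calling the Bot API")
            if any(0 <= r.ts - t <= geo_window for t in geo_times):
                f.reasons.add("IP/geolocation lookup shortly before Bot API call")
        # A server-side bot polling getUpdates with an honest UA accrues no reasons and is not reported.
        findings.extend(f for f in per_bot.values() if f.reasons)
    return findings


if __name__ == "__main__":
    for f in find_telegram_exfil(parse_log(SAMPLE_LOG)):
        print(f"{f.client} -> bot {f.bot_id} ({f.secret_prefix}...): {sorted(f.reasons)}")
```

The bot token sits in the URL path, so this only works on logs from a proxy that inspects TLS or on endpoint telemetry that records full URLs; with SNI alone you fall back to "api.telegram.org contacted by an unexpected process". When the token is visible, record it: it is the attacker's credential for that bot and is useful both for scoping (other hosts posting to the same bot) and for an abuse report to Telegram.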
Typhon is built on Prynt Stealer, another data-stealing malware, and can also deploy the XMRig cryptocurrency miner. In November 2022, Palo Alto Networks Unit 42 identified an updated version named Typhon Reborn.
“Anti-analysis techniques have been enhanced in this new version, and the stealer and file grabber features have been modified to improve them,” Unit 42 stated.
Cyble’s findings: a sibling to Typhon
The Talos findings come amid Cyble’s disclosure of a new Python-based stealer called Creal, which targets cryptocurrency users through phishing websites that imitate legitimate crypto mining services such as Kryptex.
Creal resembles Typhon Reborn in its ability to extract cookies and passwords from Chromium-based web browsers, along with data from gaming, instant messaging, and crypto wallet applications.
Moreover, because the malware’s source code is publicly available on GitHub, posted as an “educational” project that purports to show how files are stolen and how to respond, other threat actors can modify it to serve their own objectives, making it an even more formidable threat.
Final say: prudence is the key to security
Malware, viruses, trojans and other cyber attacks will keep evolving. They are not going to stop, but their impact can be contained. Protecting your data comes down to choosing the right tools and managing them properly, which means following security procedures and keeping endpoints under control.
Keep systems and patches up to date, avoid suspicious links, stay vigilant, and contact the authorities if you are affected. Stay protected!