‘Styx Stealer’ Blows Its Own Cover With Sloppy OpSec Mistake

August 21, 2024 at 04:39PM

Security researchers from Check Point Research discovered valuable information about the creator of Styx Stealer, a new malware tool, because of the threat actor’s operational security lapse. They identified the malware author as an individual from Turkey with connections to the operator of an Agent Tesla campaign, and gathered personal details and intelligence, including cryptocurrency transfers totaling some $9,500. Instances of threat actors inadvertently doxing themselves keep happening, and security researchers capitalize on those errors. The researchers got their first clues about Styx Stealer’s author by analyzing a malicious file containing Agent Tesla recovered from a spam campaign. They found that the malware used Telegram’s Bot API for data exfiltration and extracted the Telegram bot token from it, which led to the discovery of a malicious archive file and eventually to identifying Styx Stealer’s author as a Turkey-based individual using the handle Sty1x. Styx Stealer itself is an information stealer based on early-version code associated with “Phemedrone Stealer,” with various obfuscation and detection evasion features.
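The first clue described above was a Telegram bot token hardcoded in the sample. As an added example (not Check Point’s code and not from the article), the following Python scans a strings dump for that kind of embedded token and the Bot API URLs it is used with, and masks it for reporting; the token format, the sample strings and all function names are assumptions.

```python
import re
from dataclasses import dataclass, field

# Telegram bot tokens look like "<numeric bot id>:<35 chars of [A-Za-z0-9_-]>"
# and a stealer that exfiltrates via the Bot API embeds one next to an
# api.telegram.org/bot<token>/<method> URL. Format assumed for this example.
_TOKEN = r"(\d{8,12}):([A-Za-z0-9_-]{35})"
TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_-])" + _TOKEN + r"(?![A-Za-z0-9_-])")
BOT_URL_RE = re.compile(r"https?://api\.telegram\.org/bot" + _TOKEN + r"/([A-Za-z]+)")


@dataclass
class TelegramIndicator:
    token: str                                   # full token as found in the dump
    bot_id: str                                  # numeric bot id (public half)
    methods: list = field(default_factory=list)  # Bot API methods seen in URLs
    hits: int = 0                                # strings that referenced the token


def find_telegram_indicators(strings):
    """Group every Telegram bot token in the dump with the Bot API methods it calls."""
    found = {}
    for s in strings:
        for m in BOT_URL_RE.finditer(s):
            token = f"{m.group(1)}:{m.group(2)}"
            ind = found.setdefault(token, TelegramIndicator(token, m.group(1)))
            if m.group(3) not in ind.methods:
                ind.methods.append(m.group(3))
            ind.hits += 1
        for m in TOKEN_RE.finditer(s):          # bare tokens outside a URL
            token = f"{m.group(1)}:{m.group(2)}"
            ind = found.setdefault(token, TelegramIndicator(token, m.group(1)))
            ind.hits += 1
    return list(found.values())


def mask_token(token):
    """Redact a token for a report: keep the bot id and 4 chars of the secret."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}***"


# Constructed strings dump for the example, not taken from the real sample.
SAMPLE_STRINGS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "https://api.telegram.org/bot1234567890:AAEXAMPLEtokenTOKENexampleTOKEN0123/sendDocument",
    "https://api.telegram.org/bot1234567890:AAEXAMPLEtokenTOKENexampleTOKEN0123/sendMessage",
    "1234567890:AAEXAMPLEtokenTOKENexampleTOKEN0123",
    "chat_id=",
]

if __name__ == "__main__":
    for ind in find_telegram_indicators(SAMPLE_STRINGS):
        print(mask_token(ind.token), ind.methods, ind.hits)
```

Run it over the output of `strings` on a suspect file; a token with sendDocument or sendMessage next to it is a strong sign of Telegram-based exfiltration and a pivot point for the analyst.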

Security researchers from Check Point Research (CPR) were able to gather valuable information on the creator of the Styx Stealer malware tool because of a basic operational security lapse on the part of the threat actor. This slipup allowed CPR to identify the malware author as an individual operating out of Turkey with connections to the operator of an Agent Tesla campaign. The lapse also allowed the researchers to gather personal details, including the malware developer’s Telegram accounts, contacts, emails, and cryptocurrency transfers over a two-month period, totaling some $9,500 from purchasers of Styx Stealer and a separate encryption tool.

The researchers were able to attribute the attack on the enterprise directory-as-a-service provider JumpCloud to North Korea’s Lazarus Group and gather valuable information on Iran’s “Charming Kitten” cyber-espionage group due to operational security failures on the threat actor’s part.

CPR researchers identified Styx Stealer’s author as a Turkey-based individual using the handle Sty1x and pieced together information that eventually revealed the author’s connections with @Mack_Sant, based in Lagos, Nigeria, who operated the Agent Tesla campaign.

Styx Stealer itself is an information stealer based on early-version code associated with “Phemedrone Stealer” and contains obfuscation and detection evasion features. The malware is designed not to execute in specific countries, including Russia, Ukraine, Kazakhstan, Moldova, Belarus, and Azerbaijan.

In conclusion, the case of Styx Stealer highlights how even sophisticated cybercriminal operations can experience security oversights, leading to the exposure and attribution of their activities by security researchers.