
August 16, 2024

Microsoft Issues Urgent Warning: New ‘Malicious’ Attack Targets Bitcoin, Ethereum, and Other Cryptocurrencies from Windows Users


New crypto theft warning for Microsoft Windows users

An alarming report from Check Point Research, published today and detailed first here on Forbes, warns that a powerful new attack from a known threat actor is now underway. Targeting Windows users, this “malicious” new malware will steal anything it can find—including browser cookies, security credentials and instant messages. The underlying malware has been seen before, but this latest iteration has been enhanced to be much better at emptying crypto wallets.

The malware is an adaptation of the Phemedrone Stealer which made headlines earlier this year. Exploiting a vulnerability in Microsoft Windows Defender, the software executes scripts on PCs without prompting any security warnings.

Microsoft patched CVE-2023-36025 last year, and users can protect themselves by ensuring their OS is up-to-date. But at a time when hundreds of millions of Windows 10 users are counting down the weeks until their support ends in October 2025, many without a device capable of a Windows 11 upgrade or the money to buy a new PC, such protracted exploitations are set to become a much more serious issue.

Check Point has identified a new malware variant called Styx Stealer, linked to an Agent Tesla-associated threat actor named Fucosreal. Agent Tesla is recognized as a Windows RAT and is typically offered through Malware-as-a-Service (MaaS). Once a computer is compromised, it can facilitate the installation of further malicious programs, which often culminate in ransomware attacks.

The Styx Stealer malware is marketed via a subscription model, with a monthly fee of $75, although a lifetime license can be purchased for $350. According to Check Point, the sales platform for Styx Stealer remains operational and available to the public. Additionally, the malware’s developer is actively engaging with users on Telegram and is also developing another project named Styx Crypter, aimed at evading antivirus defenses. Consequently, Styx Stealer remains a significant risk to global users.

Styx Stealer exploits a vulnerability in Windows to infect computers but also capitalizes on other weaknesses, such as stealing session cookies, which lets attackers reuse a victim's authenticated sessions on their own devices without needing the password. Google Chrome is primarily targeted due to its widespread usage. Google is addressing this by linking session cookies to specific device IDs and securing cookie data by tying it to specific apps, which mitigates the risk of unauthorized access through malware or other users.

However, the threat extends beyond Chrome. Check Point notes that Styx Stealer also targets other Chromium-based browsers like Edge, Opera, and Yandex, as well as Gecko-based browsers such as Firefox, Tor Browser, and SeaMonkey.

Crypto stealing malware for sale

A new malware with cunning features is causing concern in the crypto world. Check Point described how this malware, unlike its predecessors, incorporates crypto-stealing through crypto-clipping without the need for a constant connection to a C&C server, and it persists as long as the malware resides on the infected device.

The enhancements in this malware equip it for subtle and continuous theft of cryptocurrency. Check Point detailed that “it operates in an endless loop, regularly checking the clipboard content every two milliseconds by default. If a change is detected, it activates a crypto-clipper to divert cryptocurrency during transactions by replacing the genuine wallet address with one controlled by the attackers. This function recognizes 9 regex patterns for addresses corresponding to different blockchains including BTC, ETH, XMR, XLM, XRP, LTC, NEC, BCH, and DASH.”
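One way a defender can spot the clipboard-swapping behaviour described above, as an added example that is not Check Point's code or the malware's: it classifies clipboard contents by address format and flags an address that is replaced by a different address within a few hundred milliseconds, far faster than a user could re-copy one. The address patterns, the 500 ms threshold, the event format and the sample clipboard history are all constructed assumptions.

```python
import re
from typing import NamedTuple, Optional

# Format patterns for three of the chains the report names (constructed, format-only;
# real validators also verify checksums such as base58check or EIP-55).
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "LTC": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{39,59})$"),
}
# A clipper rewrites the clipboard within milliseconds of a copy; a human
# re-copying a different address takes far longer. The threshold is an assumption.
SWAP_WINDOW_MS = 500


class ClipboardEvent(NamedTuple):
    t_ms: int      # time of the clipboard change, in milliseconds
    content: str   # new clipboard text


def classify_address(text: str) -> Optional[str]:
    """Return the chain whose address format `text` matches, or None."""
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return chain
    return None


def detect_clipper_swaps(events, window_ms=SWAP_WINDOW_MS):
    """Flag address-to-address clipboard changes too fast to be user activity.

    Returns (chain_before, original, replacement) for each suspected swap.
    """
    alerts = []
    ordered = sorted(events, key=lambda e: e.t_ms)
    for prev, cur in zip(ordered, ordered[1:]):
        before, after = classify_address(prev.content), classify_address(cur.content)
        if (before and after and prev.content != cur.content
                and cur.t_ms - prev.t_ms <= window_ms):
            alerts.append((before, prev.content.strip(), cur.content.strip()))
    return alerts


# Constructed clipboard history: an ETH copy overwritten 2 ms later, a BTC copy
# overwritten the same way, then a different ETH address copied 30 s later (benign).
ETH_USER, ETH_SWAP = "0x" + "a" * 40, "0x" + "b" * 40
BTC_USER, BTC_SWAP = "1" + "A" * 33, "1" + "B" * 33
SAMPLE_EVENTS = [
    ClipboardEvent(0, "meeting notes"),
    ClipboardEvent(1000, ETH_USER), ClipboardEvent(1002, ETH_SWAP),
    ClipboardEvent(5000, BTC_USER), ClipboardEvent(5002, BTC_SWAP),
    ClipboardEvent(35000, "0x" + "c" * 40),
]
```

Running `detect_clipper_swaps(SAMPLE_EVENTS)` reports the two 2 ms swaps and ignores the later, human-paced copy; on a real host the events would come from a clipboard-monitoring agent rather than the constructed list.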

To safeguard its stealthy operations, the malware uses advanced defensive measures. According to Check Point, “Once the crypto-clipper is activated, Styx Stealer initiates a variety of anti-debugging and anti-analysis strategies. It confronts debugging only once upon initiation, additionally scanning for and terminating any process known to be linked to debugging and analysis tools.”

The hackers made a critical mistake, allowing Check Point to connect them to the known Agent Tesla threat actor. “During the analysis of Styx Stealer,” the team stated, “the developer accidentally revealed information from his own computer, which enabled CPR to gather a substantial amount of data, including client numbers, revenue details, nicknames, phone numbers, and email addresses, as well as similar information pertaining to the individual behind the Agent Tesla campaign.”

The inquiry by Check Point further uncovered the primary industries and locations targeted by these attackers. The data theft included credentials, Telegram conversations, details on malware transactions, and contact information primarily in Turkey, Spain, and Nigeria, where Fucosreal is based. The exact locations associated directly with the malware developer remain uncertain, but his online identities were identified. The report by Check Point provided a comprehensive breakdown of the events, detailing how the Styx Stealer malware was sold and the support provided thereafter.

Check Point remarked on the nature of cybercrime, noting that even highly skilled hackers can accidentally disclose vital information about their illegal activities. The attacks they observed were halted early by Check Point’s Threat Emulation system which prevented the Styx Stealer malware from compromising any customer systems. Nonetheless, the full scope of the global attack remains unknown.

Check Point emphasizes the importance of regular Windows updates, particularly for users who maintain crypto wallets or engage in cryptocurrency trading. This new malware typically spreads through malicious links and email attachments. As always, users are advised to avoid such suspicious links and attachments.
