Typhon Reborn Stealer Malware Reappears with Advanced Evasion Techniques


April 05, 2023 | Ravie Lakshmanan | Cyber/Dark Web Threats


The threat actor behind the information-stealing malware known as Typhon Reborn has resurfaced with a new version (V2) that packs enhanced capabilities to evade detection and resist analysis.

The new version is offered for sale in the underworld for $59 per month, $360 per year, or alternatively, for $540 for a lifetime subscription.

“Thieves can harvest and extract sensitive information and use Telegram’s API to send stolen data to attackers,” Cisco Talos researcher Edmund Brumaghin said in Tuesday’s report.

Typhon was first documented by Cyble in August 2022, which detailed its various features, including hijacking clipboard content, capturing screenshots, logging keystrokes, and stealing data from crypto wallets, messaging, FTP, VPN, browser, and gaming apps.

Built on another stealer called Prynt Stealer, Typhon is also capable of delivering the XMRig cryptocurrency miner. In November 2022, Palo Alto Networks Unit 42 unearthed an updated version dubbed Typhon Reborn.

“This new version has improved anti-analysis techniques and was modified to improve file stealing and capturing features,” Unit 42 said, pointing out the removal of existing features such as keylogging and cryptocurrency mining in an apparent attempt to lower the chance of detection.

The latest V2 variant, per Cisco Talos, was marketed by its developers on January 31, 2023, on the Russian-language XSS dark web forum.

“Typhon Reborn stealer is a heavily refactored and improved version of the older and unstable Typhon Stealer,” said the malware authors, apart from touting its low price and lack of backdoors.

Like other malware, V2 comes with an option to avoid infecting systems located in Commonwealth of Independent States (CIS) countries. However, it specifically excluded Ukraine and Georgia from the list.


In addition to including more anti-analysis and anti-virtualization checks, Typhon Reborn V2 removes its persistence features, instead opting to terminate itself after extracting data.

The malware transmits the collected data as a compressed archive over HTTPS using the Telegram API, marking the continued abuse of the messaging platform for exfiltration.

“Once the data is successfully delivered to the attacker, the archive is then deleted from the infected system,” said Brumaghin. “The malware then calls (self-delete function) to stop execution.”


The findings come as Cyble disclosed a new Python-based stealer called Creal that targets cryptocurrency users through phishing sites impersonating legitimate crypto mining services such as Kryptex.

Like Typhon Reborn, Creal is equipped to siphon cookies and passwords from Chromium-based web browsers as well as data from instant messaging applications, games, and crypto wallets.

Notably, the malware's source code is available on GitHub, allowing other threat actors to modify it to suit their needs and turn it into a more potent threat.

“Creal Stealer is capable of extracting data using Discord webhooks and several file hosting and sharing platforms such as Anonfiles and Gofile,” Cyble said in a report published last week.

“The trend of using open source code in malware is increasing among cybercriminals, as it allows them to create sophisticated and customized attacks at minimal cost.”
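Both stealers described above exfiltrate through services that are legitimate on most networks (the Telegram Bot API for Typhon Reborn V2, Discord webhooks and file-sharing sites for Creal), so blocking the hosts outright is rarely an option. The following is an added detection example, not code from Cisco Talos, Cyble, or either malware family: it runs a simple rule over egress records to flag POST uploads to the Telegram Bot API or a Discord webhook from a process that has no business using them. The log format, the field names, the process allowlist, the 100 KB threshold, and every sample record are constructed assumptions for the example; the URL shapes (`https://api.telegram.org/bot<token>/sendDocument` and `https://discord.com/api/webhooks/<id>/<token>`) are the real endpoint formats of those services.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# URL shapes of the two exfiltration channels named in the article.
# Telegram Bot API calls always take the form /bot<token>/<method>; the
# upload methods are the ones a stealer uses to ship an archive.
TELEGRAM_BOT_API = re.compile(
    r"^https://api\.telegram\.org/bot[^/]+/(sendDocument|sendPhoto|sendVideo|sendMessage)\b"
)
DISCORD_WEBHOOK = re.compile(
    r"^https://(?:discord\.com|discordapp\.com)/api/webhooks/\d+/[^/?]+"
)

# Assumed allowlist of processes expected to talk to each service.
# Tune to the environment; a real Telegram desktop client does not use the Bot API,
# but internal automation might, so the list is deliberately small.
EXPECTED_PROCS = {
    "api.telegram.org": {"telegram.exe"},
    "discord.com": {"discord.exe", "chrome.exe", "firefox.exe", "msedge.exe"},
}

# Constructed egress record format (web proxy or EDR network telemetry), one record per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) method=(?P<method>\S+) "
    r"url=(?P<url>\S+) bytes_out=(?P<bytes_out>\d+)$"
)

# Constructed sample telemetry; tokens and webhook ids are placeholders, not real values.
SAMPLE_LOG = """\
2023-04-05T10:01:12Z host=WS01 proc=chrome.exe method=GET url=https://www.example.com/index.html bytes_out=512
2023-04-05T10:02:40Z host=WS01 proc=svchost.exe method=POST url=https://api.telegram.org/bot0000000000:PLACEHOLDERTOKEN/sendDocument bytes_out=734211
2023-04-05T10:03:05Z host=WS02 proc=Telegram.exe method=POST url=https://api.telegram.org/bot0000000000:PLACEHOLDERTOKEN/sendMessage bytes_out=812
2023-04-05T10:04:17Z host=WS03 proc=python.exe method=POST url=https://discord.com/api/webhooks/000000000000000000/PLACEHOLDERTOKEN bytes_out=410233
2023-04-05T10:05:00Z host=WS03 proc=Discord.exe method=GET url=https://discord.com/api/v9/users/@me bytes_out=300
"""


@dataclass
class Finding:
    host: str
    proc: str
    channel: str
    bytes_out: int
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed egress record; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def classify_url(url: str) -> Optional[str]:
    """Return the exfiltration channel a URL belongs to, or None if it is neither."""
    if TELEGRAM_BOT_API.match(url):
        return "api.telegram.org"
    if DISCORD_WEBHOOK.match(url):
        return "discord.com"
    return None


def detect_exfil(log_text: str, upload_threshold: int = 100_000) -> List[Finding]:
    """Flag POSTs to a bot-API or webhook endpoint from processes outside the allowlist.

    Uploads at or above upload_threshold bytes are annotated as archive-sized, which
    matches the compressed-archive exfiltration the article describes.
    """
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        channel = classify_url(rec["url"])
        if channel is None:
            continue
        if rec["proc"].lower() in EXPECTED_PROCS[channel]:
            continue
        reason = f"POST to {channel} from unexpected process {rec['proc']}"
        if rec["bytes_out"] >= upload_threshold:
            reason += f"; {rec['bytes_out']} bytes out (archive-sized upload)"
        findings.append(Finding(rec["host"], rec["proc"], channel, rec["bytes_out"], reason))
    return findings


if __name__ == "__main__":
    for f in detect_exfil(SAMPLE_LOG):
        print(f"{f.host}: {f.reason}")
```

The rule only sees full URLs where the proxy performs TLS inspection or the EDR records request paths; without that, the same logic degrades to hostname or SNI matching on `api.telegram.org` and `discord.com`, which still catches the process mismatch but loses the bot-token path and the distinction between a chat message and a document upload. Because V2 deletes the archive and terminates itself after the upload, the network record is often the only durable artifact, so pairing this with an alert on large outbound POSTs to either host is worth more than hunting for the file on disk afterwards.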
