'Styx Stealer' Blows Its Own Cover With Sloppy OpSec Mistake

Security researchers were able to gather valuable information on the creator of a sophisticated new malware tool called Styx Stealer because of a basic operational security lapse on the part of the threat actor.

The slipup allowed the researchers — from Check Point Research (CPR) — to identify the malware author as an individual operating out of Turkey and having connections with the operator of an Agent Tesla campaign, one of the oldest and most prolific information stealers still in use. The lapse also allowed researchers to gather other personal details, including the malware developer's Telegram accounts, contacts, emails, and cryptocurrency transfers over a two-month period, totaling some $9,500 from purchasers of Styx Stealer and a separate encryption tool.

A Fortuitous OpSec Failure

"During the debugging of Styx Stealer, the developer made a fatal error and leaked data from his computer," CPR researcher Alexey Bukhteyev wrote in a recent blog post. "[This] allowed CPR to obtain a large amount of intelligence, including the number of clients, profit information, nicknames, phone numbers, and email addresses, as well as similar data about the actor behind the Agent Tesla campaign."

Instances of threat actors inadvertently doxing themselves via operational security lapses, while somewhat rare, still keep happening. And when they do, security researchers have been quick to capitalize on those errors and harvest as much detail as they are able to on the threat actor's tactics, techniques, and procedures.

Threat actors regularly abet their own discovery. Last year, Mandiant was able to attribute an attack on enterprise directory-as-a-service provider JumpCloud to North Korea's Lazarus Group after a security oversight exposed the threat's actual IP address in North Korea. Similar errors — in this case, not cleaning up properly after a ransomware attack — allowed Secureworks to expose the personas and companies behind Iranian threat group Cobalt Mirage. In 2021, researchers at IBM's X-Force threat intelligence group scooped up valuable information on Iran's "Charming Kitten" cyber-espionage group because of multiple operational security failures on the threat actor's part.

Putting Together the Pieces

CPR researchers got their first clues about Styx Stealer's author when analyzing a malicious file containing Agent Tesla that they recovered from a spam campaign this past March. They found the malware using Telegram's Bot API for data exfiltration and managed to extract the Telegram bot token from it. This allowed CPR researchers to monitor the threat actor's Telegram bot.

That in turn led to the discovery of a malicious archive file with a document titled "Styx Stealer" and a screenshot showing someone working in Visual Studio on a project named "PhemedroneStealer," debugging a process titled "Styx-Stealer.exe." The program file in the project contained a hard-coded Telegram bot token and chat ID that were identical to what CPR researchers had extracted from the Agent Tesla sample.

Working from there, the researchers were able to piece together information that eventually led to their identifying Styx Stealer's author as a Turkey-based individual using the handle Sty1x and a couple of different email addresses and phone numbers. Their analysis showed Sty1x worked with an individual using the handle @Mack_Sant based in Lagos, Nigeria. Exchanges between the two showed Sty1x using @Mack_Sant to test Styx Stealer's ability to exfiltrate data initially using a Styx Stealer-specific Telegram bot and then the Agent Tesla bot.

Data that the researchers were able to recover from the computers of both individuals — and visible in photos that @Mack_Sant sent to Sty1x of a phone and laptop — showed the former to be the operator of the Agent Tesla campaign that CPR investigated in March. "We also see a screenshot of Agent Tesla reports, which fully confirms our suspicion that @Mack_Sant (also known as @Fucosreal) is the owner of this bot and the originator of the Agent Tesla campaign," Bukhteyev wrote.

A Slick Infostealer

Styx Stealer itself is an information stealer that is based on an early version code associated with "Phemedrone Stealer," a malware tool that researchers observed being used in attacks that targeted CVE-2023-36025, a Windows Defender SmartScreen vulnerability from earlier this year.

The malware steals data from browser extensions in Chromium-based browsers, from cryptocurrency wallets, and from files within "My Documents" and "Desktop" folders. It can also obtain location and system data and steal Discord, Telegram, and Steam sessions, CPR said. Like many malware tools, Styx Stealer packs multiple obfuscation and detection evasion features, including those that check for and terminate certain processes and determine if it might be running in a virtual machine. The malware is designed so it won't execute in specific countries, including Russia, Ukraine, Kazakhstan, Moldova, Belarus, and Azerbaijan.

"The case of Styx Stealer is a compelling example of how even sophisticated cybercriminal operations can slip up due to basic security oversights," Bukhteyev said.