Typhon Reborn: Stealer Comes Back with New Capabilities

What’s new?

• Typhon Reborn functions as a crypto-extension stealer for Google Chrome and Microsoft Edge and targets extensions for Binance, Bitapp, Coin98, and others. In addition, it targets Microsoft Edge web browser extensions for Yoroi, Metamask, and Rabet wallets.
• It is capable of gathering additional victim data, including machine usernames, operating system information, AV details, and all wireless networking passwords. 
• It leverages Telegram’s API and infrastructure to exfiltrate all stolen data.

Anti-analysis techniques

• Typhon Reborn has a new method named MeltSelf that cleverly kills the threat’s process, ceases execution, and deletes itself from the disk in certain conditions mentioned in coding.
• The conditions include checking for debuggers, debugging arguments, the size of the physical disk, and well-known analysis processes (blocklisting). It, further, checks for popular sandbox usernames, and virtual machine detections as well.
• Moreover, it checks for the victim’s country code and will cease execution if the machine is located in any of the CIS countries.

Additional updates

• Typhon Stealer operators were advertising it through an underground website for $100 for a lifetime subscription. They are providing development and distribution updates through their existing Telegram channel.
• The malware payload’s size has been compressed and reduced to around 2.3 MB, depending on the stealer's build configuration.
• The operators have removed a few existing features, including keylogging, clipboard stealing, cryptomining, and worm features.

Conclusion