The threat actors behind Typhon Stealer, a crypto miner/stealer for hire, have released a new variant of the malware with new and modified capabilities. The new variant, named Typhon Reborn, has enhanced anti-analysis techniques and multiple new malicious features.
According to Palo Alto researchers, the latest Typhon variant has improved its stealer and file grabber features with better configurable options as compared to the earlier variant, Typhon Stealer 1.2.
Typhon Reborn functions as a crypto-extension stealer for Google Chrome and Microsoft Edge and targets extensions for Binance, Bitapp, Coin98, and others. In addition, it targets Microsoft Edge web browser extensions for Yoroi, Metamask, and Rabet wallets.
It is capable of gathering additional victim data, including machine usernames, operating system information, AV details, and all wireless networking passwords.
It leverages Telegram’s API and infrastructure to exfiltrate all stolen data.
It has increased anti-analysis techniques with several checks to evade detection.
Typhon Reborn has a new method named MeltSelf that cleverly kills the threat’s process, ceases execution, and deletes itself from the disk in certain conditions mentioned in coding.
The conditions include checking for debuggers, debugging arguments, the size of the physical disk, and well-known analysis processes (blocklisting). It, further, checks for popular sandbox usernames, and virtual machine detections as well.
Moreover, it checks for the victim’s country code and will cease execution if the machine is located in any of the CIS countries.
Typhon Stealer operators were advertising it through an underground website for $100 for a lifetime subscription. They are providing development and distribution updates through their existing Telegram channel.
The malware payload’s size has been compressed and reduced to around 2.3 MB, depending on the stealer's build configuration.
The operators have removed a few existing features, including keylogging, clipboard stealing, cryptomining, and worm features.
Typhon Reborn’s new features and techniques indicate that its operators are putting efforts to take this malware to the next level. Improved evasion tactics and the addition of new crypto app browsers make it an attractive bet for other hackers. The rise in its adoption of these tools can be expected in the coming future.