Typhon Reborn, an enhanced variant of the Typhon Stealer information stealer, has had its codebase substantially reworked. Its developer has released a new V2 variant with significant updates, including new functionality and codebase changes that make analysis cumbersome.

What are attackers up to?

Cisco Talos researchers have reported the discovery of the new Typhon Reborn V2 variant.
  • The developer’s cryptocurrency wallet has already received payments, indicating that several adversaries have shown interest in using it.
  • Samples found in public malware repositories suggest that cybercriminals have been using the V2 variant in the wild since December 2022.

Notable changes in malware

It includes several enhanced features, along with additional layers of anti-analysis and anti-VM checks.
  • The developer claims to have completely refactored the malware's codebase, removing features such as keylogging and cryptomining to reduce its footprint and evade detection by security products.
  • New logic aborts execution if the target machine matches certain criteria; for instance, the username, the CPUID, and the applications and processes running on the system are checked against criteria associated with analysis environments.
  • In addition, it performs debugger and emulation checks before infecting the system, for example by querying NtQuerySystemInformation for the SYSTEM_KERNEL_DEBUGGER_INFORMATION and SYSTEM_CODEINTEGRITY_INFORMATION information classes (these are records returned by that call, not functions).
  • In one of the analyzed samples, the developer removed the code that establishes persistence; the malware now terminates itself once data exfiltration is complete.
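The checks in the list above are easy to reproduce, which is useful when building an analysis VM: run the same tests the malware runs and see which ones it would trip on. The following is an added example written for this page, not code from the sample or from the Cisco Talos report. The username and process blocklists are constructed placeholders, not the sample's real lists; the information-class numbers and CodeIntegrityOptions bits come from the Windows SDK headers, and the NtQuerySystemInformation calls only execute on Windows.

```python
"""Reproduce the environment checks described above so an analyst can see what
a Typhon Reborn V2-style sample would observe on a given analysis VM.
Added example, not the malware's own code; blocklists are placeholders."""
import csv
import ctypes
import getpass
import subprocess
import sys

# SYSTEM_INFORMATION_CLASS values passed to ntdll!NtQuerySystemInformation.
SystemKernelDebuggerInformation = 0x23
SystemCodeIntegrityInformation = 0x67

# Bits of SYSTEM_CODEINTEGRITY_INFORMATION.CodeIntegrityOptions (ntddk.h).
CODEINTEGRITY_OPTION_ENABLED = 0x01
CODEINTEGRITY_OPTION_TESTSIGN = 0x02
CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED = 0x80

# Constructed placeholder blocklists, standing in for whatever the sample carries.
BLOCKED_USERNAMES = ["sandbox", "malware", "virus", "analyst", "john doe"]
BLOCKED_PROCESSES = ["x64dbg.exe", "x32dbg.exe", "procmon.exe", "wireshark.exe",
                     "vboxservice.exe", "vmtoolsd.exe"]

class SYSTEM_KERNEL_DEBUGGER_INFORMATION(ctypes.Structure):
    _fields_ = [("KernelDebuggerEnabled", ctypes.c_ubyte),
                ("KernelDebuggerNotPresent", ctypes.c_ubyte)]

class SYSTEM_CODEINTEGRITY_INFORMATION(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_ulong),
                ("CodeIntegrityOptions", ctypes.c_ulong)]

def username_hits(username, blocked):
    """Blocklist entries equal to the current user name, compared case-insensitively."""
    return [u for u in blocked if u.lower() == username.lower()]

def process_hits(running, blocked):
    """Blocklist entries found among the running process names, case-insensitively."""
    running_lc = {p.lower() for p in running}
    return [p for p in blocked if p.lower() in running_lc]

def decode_kernel_debugger(enabled, not_present):
    """Reasons an anti-debug check trips, from the two SystemKernelDebuggerInformation flags."""
    reasons = []
    if enabled:
        reasons.append("kernel debugger enabled")
    if not not_present:
        reasons.append("kernel debugger attached")
    return reasons

def decode_code_integrity(options):
    """Reasons an emulation/test-rig check trips, from a CodeIntegrityOptions bitmask."""
    reasons = []
    if options & CODEINTEGRITY_OPTION_TESTSIGN:
        reasons.append("test signing enabled")
    if options & CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED:
        reasons.append("kernel debug mode enabled")
    if not options & CODEINTEGRITY_OPTION_ENABLED:
        reasons.append("code integrity disabled")
    return reasons

def query_system_information(info_class, struct_type):
    """Windows only: fetch one SYSTEM_INFORMATION_CLASS record from ntdll."""
    ntdll = ctypes.WinDLL("ntdll")
    buf = struct_type()
    if struct_type is SYSTEM_CODEINTEGRITY_INFORMATION:
        buf.Length = ctypes.sizeof(buf)  # the CI query requires Length to be filled in
    returned = ctypes.c_ulong(0)
    status = ntdll.NtQuerySystemInformation(info_class, ctypes.byref(buf),
                                            ctypes.sizeof(buf), ctypes.byref(returned))
    if status != 0:
        raise OSError(f"NtQuerySystemInformation({info_class:#x}) failed, "
                      f"NTSTATUS {status & 0xFFFFFFFF:#010x}")
    return buf

def running_process_names():
    """Process names via tasklist on Windows and ps elsewhere; no third-party modules."""
    if sys.platform == "win32":
        out = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                             capture_output=True, text=True, check=True).stdout
        return [row[0] for row in csv.reader(out.splitlines()) if row]
    out = subprocess.run(["ps", "-eo", "comm="], capture_output=True, text=True, check=True).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]

def environment_report():
    """Every reason a sample using these checks would refuse to run on this machine."""
    reasons = username_hits(getpass.getuser(), BLOCKED_USERNAMES)
    reasons += process_hits(running_process_names(), BLOCKED_PROCESSES)
    if sys.platform == "win32":
        kd = query_system_information(SystemKernelDebuggerInformation, SYSTEM_KERNEL_DEBUGGER_INFORMATION)
        reasons += decode_kernel_debugger(kd.KernelDebuggerEnabled, kd.KernelDebuggerNotPresent)
        ci = query_system_information(SystemCodeIntegrityInformation, SYSTEM_CODEINTEGRITY_INFORMATION)
        reasons += decode_code_integrity(ci.CodeIntegrityOptions)
    return reasons

if __name__ == "__main__":
    hits = environment_report()
    print("sample would abort:" if hits else "sample would run:", hits)
```

An empty report means the VM passes these particular checks; a non-empty one tells you what to rename, stop, or reconfigure (for example, an attached kernel debugger or test signing) before detonating a sample. The real lists in a given build can only be recovered from the sample itself.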

About Typhon Reborn

First identified in August 2022, Typhon Reborn is capable of stealing data from crypto wallets, messaging apps, VPNs, web browsers, and gaming apps.
It has more malicious features and anti-analysis capabilities than its predecessor, Typhon Stealer.
It specifically targets Microsoft Edge browser extensions for the Yoroi, MetaMask, and Rabet wallets, and uses the Telegram API to send the harvested data back to the attackers.
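Because the Telegram Bot API has a fixed URL layout (https://api.telegram.org/bot<token>/<method>), the exfiltration channel mentioned above is straightforward to spot in egress logs. The following is an added detection example written for this page, not code from the report or from the malware; the proxy log format and every log line in it are constructed for the example.

```python
"""Flag Telegram Bot API calls in HTTP proxy logs, the channel Typhon Reborn
uses for exfiltration. Added example; log format and lines are constructed."""
import hashlib
import re
from urllib.parse import urlsplit

# Bot API path layout: /bot<bot_id>:<secret>/<method>
BOT_API_RE = re.compile(r"^/bot(?P<token>(?P<bot_id>\d+):[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")

# Methods that move data out; sendDocument uploads whole files (e.g. a stolen wallet archive).
METHOD_SEVERITY = {"sendDocument": "high", "sendPhoto": "high", "sendMessage": "medium"}

# Constructed sample log: "<timestamp> <client_ip> <process> <verb> <url> <status>"
SAMPLE_LOG = """\
2023-04-05T10:12:01Z 10.0.0.15 chrome.exe GET https://www.wikipedia.org/ 200
2023-04-05T10:12:07Z 10.0.0.15 svchost.exe POST https://api.telegram.org/bot1234567890:AAEexampleTOKENexampleTOKENexample_12/sendDocument 200
2023-04-05T10:12:09Z 10.0.0.22 Telegram.exe POST https://api.telegram.org/bot987654321:BBFothertokenothertokenothertoke_34/sendMessage 200
2023-04-05T10:13:00Z 10.0.0.30 chrome.exe GET https://core.telegram.org/bots/api 200
"""

def token_fingerprint(token):
    """Non-reversible handle for a bot token, so analysts can pivot on it across hosts
    without copying the secret itself into tickets and dashboards."""
    return hashlib.sha256(token.encode()).hexdigest()[:16]

def classify_request(url):
    """Return (bot_id, token, method) for a Telegram Bot API call, otherwise None."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = BOT_API_RE.match(parts.path)
    if not m:
        return None
    return m.group("bot_id"), m.group("token"), m.group("method")

def detect_telegram_exfil(log_text):
    """One alert per Bot API request found in the log text."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # malformed or truncated line; skip rather than guess
        ts, client_ip, process, verb, url, status = fields
        hit = classify_request(url)
        if hit is None:
            continue
        bot_id, token, method = hit
        alerts.append({
            "ts": ts, "client_ip": client_ip, "process": process, "verb": verb,
            "method": method, "bot_id": bot_id,
            "token_fp": token_fingerprint(token),
            "severity": METHOD_SEVERITY.get(method, "low"),
        })
    return alerts

if __name__ == "__main__":
    for alert in detect_telegram_exfil(SAMPLE_LOG):
        print(alert)
```

The fourth sample line shows why the check is on the host and path rather than on the string "telegram": documentation reads on core.telegram.org are normal traffic. The official Telegram desktop client does not use the Bot API either, so on a corporate network any process hitting /bot<token>/ deserves a look, and the same token fingerprint showing up on several hosts points to one campaign.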

Ending notes

New evasion tactics and anti-analysis capabilities make Typhon Reborn an attractive option for adversaries. Experts advise organizations to monitor their systems for this threat and to put the right security measures in place.
Cyware Publisher