enhanced evasion

Winsage
August 17, 2024
Check Point Research (CPR) has identified a new malware variant called Styx Stealer, which extracts sensitive information from users, including browser data, instant messaging sessions from Telegram and Discord, and cryptocurrency assets. Styx Stealer is linked to the developer Sty1x, associated with the threat actor Fucosreal and the Agent Tesla malware. An operational security failure by the developer led to the accidental leak of sensitive data, allowing CPR to trace the malware back to its creator. Styx Stealer inherits functionalities from Phemedrone Stealer, capable of extracting saved passwords, cookies, auto-fill data, and information from browser extensions and cryptocurrency wallets. It can also capture session data from Telegram and Discord, gather system information, and take screenshots. The malware features auto-start capabilities, clipboard monitoring, and enhanced evasion techniques, and is marketed through a subscription model. In March 2024, a spam campaign distributing a malicious TAR archive containing Agent Tesla malware targeted various industries. CPR identified 54 customers who purchased Styx Stealer and Styx Crypter products, generating approximately ,500 in revenue over two months, with payments accepted in cryptocurrencies like Bitcoin and Monero. Styx Stealer employs evasion techniques to avoid detection, including checks for debugging tools and virtual machine environments.
AppWizard
March 30, 2024
- A new iteration of the Vultur banking trojan has been identified with more sophisticated remote control features and an enhanced ability to evade detection.
- The malware employs a combination of smishing and voice calls to deceive victims into downloading a fake McAfee Security app laden with the malware.
- The infection process involves receiving an SMS alert about an unauthorized transaction, calling a number for assistance, following a link to a fraudulent site, and installing the fake McAfee Security app.
- Once installed, the malware unleashes three Vultur-related payloads that gain access to Accessibility Services, enable remote control functionalities, and establish a link with the command and control server.
- The latest Vultur variant includes new functionalities such as comprehensive file management options, exploiting Accessibility Services, preventing certain apps from launching, crafting custom notifications, and disabling Keyguard.
- The malware has incorporated new evasion techniques like encrypting communications with the C2 server, using multiple encrypted payloads, and disguising malicious activities as legitimate applications.
- The developers behind Vultur have prioritized enhancing remote control capabilities, introducing commands for various device interactions and app management.
- Android users are advised to only download apps from trusted sources like Google Play, be cautious of unsolicited messages with links, and scrutinize app permissions during installation to maintain control over device security and privacy.