Typhon Stealer is a cryptocurrency miner/stealer for hire. The threat actors behind it have published a new version of the malware with updated features. The new variant, Typhon Reborn, adds several malicious components as well as improved anti-analysis techniques.
What is new?
Researchers from Palo Alto report that the latest Typhon variant, Typhon Stealer 1.3, offers more configurable settings for its stealer and file-grabber features.
- Typhon Reborn steals from cryptocurrency browser extensions, targeting the Binance, Bitapp, Coin98, and other extensions for Google Chrome and Microsoft Edge. It additionally targets the Yoroi, Metamask, and Rabet wallet extensions for Microsoft Edge.
- Other victim information it collects includes machine usernames, operating system details, installed antivirus information, and all saved wireless network passwords.
- It exfiltrates all stolen data through Telegram's infrastructure and API.
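The Telegram exfiltration channel is also a detection opportunity: Bot API calls from an endpoint process are rare in normal traffic. The following Python, added here and not code from this post or from Palo Alto's researchers, flags hosts in a web-proxy log that upload to the Telegram Bot API. It assumes a TLS-inspecting proxy that logs full URLs; the log lines, host names, process names and bot token are constructed.

```python
import re

# Telegram Bot API URLs have the form https://api.telegram.org/bot<token>/<method>,
# where the token is <bot-id>:<secret>. Capture the bot id and the method called.
BOT_API_RE = re.compile(
    r"https://api\.telegram\.org/bot(?P<bot_id>\d+):[\w-]+/(?P<method>\w+)"
)
# Methods that move data out; getMe/getUpdates alone are weaker signals.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendMessage"}

# Constructed proxy log (tab-separated: time, source host, process, URL).
# The bot token is a placeholder, not a real value.
SAMPLE_LOG = """\
2023-04-10T09:12:01Z\tWS-0141\tchrome.exe\thttps://www.example.com/
2023-04-10T09:12:05Z\tWS-0141\tupdater.exe\thttps://api.telegram.org/bot123456789:PLACEHOLDER_TOKEN/sendDocument
2023-04-10T09:12:09Z\tWS-0141\tupdater.exe\thttps://api.telegram.org/bot123456789:PLACEHOLDER_TOKEN/sendMessage
2023-04-10T09:13:00Z\tWS-0202\ttelegram.exe\thttps://web.telegram.org/
2023-04-10T09:14:00Z\tWS-0303\tsvchost.exe\thttps://api.telegram.org/bot987654321:PLACEHOLDER_TOKEN/getMe
"""


def parse_line(line):
    """Return (host, process, url), or None for a malformed line."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        return None
    return parts[1], parts[2], parts[3]


def find_bot_api_use(log_text):
    """Group Bot API calls per host: which processes, which bot ids, how many uploads."""
    hits = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, process, url = parsed
        m = BOT_API_RE.match(url)
        if not m:
            continue
        rec = hits.setdefault(host, {"processes": set(), "bot_ids": set(), "calls": 0, "uploads": 0})
        rec["processes"].add(process)
        rec["bot_ids"].add(m["bot_id"])  # pivot/block value for the responder
        rec["calls"] += 1
        if m["method"] in UPLOAD_METHODS:
            rec["uploads"] += 1
    return hits


def alerts(log_text):
    """Hosts whose Bot API use includes an upload method: the stealer-like pattern."""
    return {h: r for h, r in find_bot_api_use(log_text).items() if r["uploads"] > 0}
```

On a proxy that logs only SNI or hostnames, the same grouping still works on `api.telegram.org` connections, but without the method or bot id.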
Anti-analysis methods
To avoid detection, it has improved its anti-analysis routine with multiple checks.
- A new routine in Typhon Reborn called MeltSelf terminates the malware's process, halts its operation, and deletes itself from disk when conditions specified in its code are met.
- Those conditions include checks for debuggers and debugging-related inputs, the size of the physical disk, and a blocklist of well-known analysis tools. It also looks for common sandbox usernames and detects virtual machines.
- Additionally, it looks up the victim's country code and stops running if the machine is located in any of the CIS countries.
Additional information
- The operators of Typhon Stealer were offering a lifetime subscription for $100 through an unofficial website. Through their currently active Telegram channel, they distribute updates on development and distribution.
- Depending on the stealer's build configuration, the malware payload has been compressed and shrunk to 2.3 MB or less.
- Several pre-existing features, such as keylogging, clipboard stealing, crypto mining, and worm functionality, have been disabled by the operators.
Conclusion
The new features and methods in Typhon Reborn show that its developers are actively investing in this malware. Improved evasion techniques and the targeting of additional cryptocurrency browser extensions make it a more attractive option for other threat actors. Increased use of these tools is expected in the near term.