New crypto theft warning for Microsoft Windows users
An alarming report from Check Point Research, published today and detailed first here on Forbes, warns that a powerful new attack from a known threat actor is now underway. Targeting Windows users, this “malicious” new malware will steal anything it can find—including browser cookies, security credentials and instant messages. The underlying malware has been seen before, but this latest iteration has been enhanced to be much better at emptying crypto wallets.
The malware is an adaptation of the Phemedrone Stealer which made headlines earlier this year. Exploiting a vulnerability in Microsoft Windows Defender, the software executes scripts on PCs without prompting any security warnings.
Microsoft patched CVE-2023-36025 last year, and users can protect themselves by ensuring their OS is up-to-date. But at a time when hundreds of millions of Windows 10 users are counting down the weeks until their support ends in October 2025, many without a device capable of a Windows 11 upgrade or the money to buy a new PC, such protracted exploitations are set to become a much more serious issue.
Check Point says that this new malware variant, dubbed Styx Stealer, “is linked to one of the Agent Tesla threat actors, Fucosreal.” Agent Tesla is a Windows RAT that is usually provided as Malware-As-A-Service (MaaS). Once a PC has been infected, more dangerous software can be installed, often leading to ransomware attacks.
Styx Stealer is available to rent at $75 per month, albeit a lifetime license is only $350. Check Point told me that “the website selling Styx Stealer is still active, and anyone can purchase it… We also observe that the creator of Styx Stealer is active on Telegram, responding to messages. The creator is also working on a second product, Styx Crypter, which helps bypass antivirus protection. As a result, Styx Stealer continues to pose a potential threat to many users worldwide.”
While Styx Stealer exploits a Windows vulnerability to infect a PC, it also leverages other security weaknesses including the theft of session cookies which enable a threat actor to replicate a secure login on their own machine. The primary target for such thefts is Google Chrome, given the scale of its install base. Google is now shutting down the vulnerability, linking session cookies to a specific device ID. Even more potently, Google is also shutting down the potential for a threat actor to exploit a device bound cookie with a malware-enabled rogue login—or even another physical user—on the same machine, encrypting and binding cookie data to specific apps, rather than the primary user seemingly logged into another app.
But it’s not just Chrome under threat, Check Point says that Styx Stealer targets all Chromium-based browsers, including Edge, Opera and Yandex, and Gecko-based alternatives, including Firefox, Tor Browser and SeaMonKey.”
Crypto stealing malware for sale
There are devious new elements to this latest malware when it comes to crypto theft. Check Point told me “crypto-stealing through crypto-clipping is a new functionality absent in Phemedrone Stealer, [which] works autonomously without a C&C server all the time the malware is installed on the victim’s machine.”
The new capabilities added to the malware make it much more adept at quietly stealing crypto in the background. “In an endless loop at a configurable set interval (default two milliseconds),” Check Point explains, “Styx Stealer checks the content of the clipboard. If it has changed, it triggers a crypto-clipper function….stealing cryptocurrency during transactions by substituting the original wallet address with the attacker’s wallet address… The crypto-clipper includes 9 regex patterns for addresses across various blockchains: BTC, ETH, XMR, XLM, XRP, LTC, NEC, BCH, DASH.”
When stealing crypto, the malware applies additional defenses to protect its ongoing operation. “If the crypto-clipper is enabled in the configuration, Styx Stealer applies additional anti-debugging and analysis techniques. All checks are performed only once after the stealer is launched. The stealer includes a comprehensive list of process names associated with various debuggers and analysis software. It searches for and terminates these processes.”
Clever though this might be, the hackers slipped up, enabling Check Point to make the link to the known Agent Tesla threat actor. “During the debugging of Styx Stealer,” the team explains, “the developer made a fatal error and leaked data from his computer, which allowed CPR to obtain a large amount of intelligence, including the number of clients, profit information, nicknames, phone numbers, and email addresses, as well as similar data about the actor behind the Agent Tesla campaign.”
Check Point’s investigation also identified target industries and geographies, where the attacker harvested credentials as well as Telegram chats, malware sales and contact information in Turkey, Spain and Nigeria—the latter being the home of Fucosreal. It remains unclear which locations link back to the threat actor itself, albeit online identities were tracked down. All the various threads pulled and breadcrumbs followed by Check Point are laid out in detail in its report, including an analysis of the choreography of a Styx Stealer malware sale and subsequent support.
“In the shadowy world of cybercrime,” Check Point says, “even the most cunning hackers can make blunders that expose their operations… The attacks we detected were intercepted at an early stage by Check Point’s Threat Emulation, preventing Styx Stealer from being loaded onto customers’ computers. Unfortunately, we do not have full visibility into how many users were actually attacked globally.”
Check Point’s message is clear. Make sure you keep Windows up-to-date, especially if you have a crypto wallet or trade any form of cryptocurrency on your PC. This new malware is usually distributed by malicious links and attachments in emails and messages—so the usual rules apply to ignoring all such temptations.