The developers of the Typhon info-stealer announced on a dark web forum that they have updated the malware to a major version they advertise as 'Typhon Reborn V2'.
They boast significant improvements designed to thwart analysis through anti-virtualization mechanisms.
The original Typhon was discovered by malware analysts in August 2022. Cyble Research Labs analyzed it at the time and found that the malware combined the main stealer component with a clipper, a keylogger, and a crypto-miner.
While the initial version was sold via Telegram for a one-time lifetime fee of $50, the malware developers also offered to distribute Typhon for roughly $100 per 1,000 victims.
Cisco Talos analysts report that the new version has been advertised on the dark web since January and has been sold several times. However, the researchers found samples of the latest version in the wild dating back to December 2022.
New version changes
According to Cisco Talos, the codebase of Typhon V2 has been heavily modified to make the malicious code more robust, reliable, and stable.
String obfuscation has been improved using Base64 encoding and XOR, which makes analysis of the malware a more difficult task.
The researchers noticed a more comprehensive mechanism for avoiding the infection of analysis machines: the malware now looks at a wider range of criteria, including usernames, CPUIDs, applications, processes, debugger/emulation checks, and geolocation data before running its malicious routines.
The malware can exclude Commonwealth of Independent States (CIS) countries, or it can follow a user-supplied custom geolocation list.
The most notable new feature is Typhon's procedure for checking whether it is running in a victim's environment rather than on a simulated host on a researcher's computer.
This includes checking GPU information, the presence of DLLs associated with security software, the video controller for VM indicators, registry keys, usernames, and even the presence of Wine, an emulator for Windows.
More stealing capabilities
Data collection capabilities have been expanded in the latest version of Typhon, which now targets a larger number of apps, including gaming clients. However, the feature appears to still be in the works, because it was inactive in the samples analyzed by Cisco Talos.
Typhon still targets several email clients, messaging apps, cryptocurrency wallet apps and browser extensions, FTP clients, VPN clients, and data stored in web browsers. It can also capture screenshots from the compromised machine.
Another new feature is a file grabber component that allows the operators to search for and exfiltrate specific files from the victim's environment.
The data is exfiltrated over HTTPS using the Telegram API, which was the method of choice in the original version of the malware as well.
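As an added example (not code from the article or from Cisco Talos), the Python below scans a constructed proxy log for Telegram Bot API uploads to bots the organisation does not use, the exfiltration channel described above; the log format, process names and bot IDs are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of an outbound HTTPS proxy log with TLS inspection
# (format assumed for this example): "<timestamp> <process> <verb> <url> <bytes_out>"
SAMPLE_LOG = """\
2022-12-14T10:01:02Z alerting.exe POST https://api.telegram.org/bot1234567:AAF-constructed-token/sendMessage 312
2022-12-14T10:01:09Z svchost.exe POST https://api.telegram.org/bot9876543:ZZZ-constructed-token/sendDocument 2048576
2022-12-14T10:01:11Z chrome.exe GET https://example.com/index.html 0
2022-12-14T10:02:40Z update.exe POST https://api.telegram.org/bot9876543:ZZZ-constructed-token/sendMessage 960
"""

# Telegram Bot API calls go to api.telegram.org/bot<id>:<token>/<method>.
BOT_API = re.compile(r"^https://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")

# Bot API methods that move data off the host; polling methods such as getUpdates are ignored.
UPLOAD_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}

# Bot IDs the organisation legitimately uses for alerting (assumed allow-list).
APPROVED_BOT_IDS = {"1234567"}

@dataclass
class Finding:
    timestamp: str
    process: str
    api_method: str
    bot_id: str      # the bot id is kept; the secret token is deliberately not recorded
    bytes_out: int

def detect_telegram_exfil(log_text: str) -> list:
    """Return one Finding per upload to a non-approved Telegram bot."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of crashing on them
        timestamp, process, _verb, url, bytes_out = parts
        match = BOT_API.match(url)
        if match is None:
            continue
        bot_id, _token, api_method = match.groups()
        if bot_id in APPROVED_BOT_IDS or api_method not in UPLOAD_METHODS:
            continue
        findings.append(Finding(timestamp, process, api_method, bot_id, int(bytes_out)))
    return findings

if __name__ == "__main__":
    for finding in detect_telegram_exfil(SAMPLE_LOG):
        print(finding)
```

Without TLS inspection a proxy sees only the hostname, so the equivalent check would key on connections to api.telegram.org from processes that have no business talking to Telegram.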
The emergence of Typhon Reborn V2 represents a significant evolution for the MaaS and confirms the developers' commitment to the project.
Cisco Talos' analysis can help malware researchers develop accurate detection mechanisms for the new Typhon version, since its relatively low cost and capabilities are likely to increase its popularity.
Indicators of compromise (IoCs) for Typhon v2 are available from Cisco Talos' repository on GitHub.