Crypto-clipping malware ‘Styx Stealer’ targets Windows computers
The post Crypto-clipping malware ‘Styx Stealer’ targets Windows computers appeared on BitcoinEthereumNews.com.
Styx Stealer, a new malware, stealthily swipes cryptocurrency from Windows-based computers. Cybersecurity firm Check Point Research first identified Styx as a beefier version of Phemodrone Stealer in April. The malware exploited a now-patched Windows vulnerability, hijacking cryptocurrency transactions and stealing sensitive data from compromised systems, such as private keys, browser cookies, and even autofill browser data.

Phemodrone first made waves in early 2024. Unlike Styx Stealer, it focused on web browsers to drain crypto from wallets alongside other information. Both malware families exploit the same loophole in Windows Defender, the operating system's native antivirus, taking advantage of an old vulnerability in the antivirus's SmartScreen feature, which is designed to warn users about potentially harmful websites and downloads.

However, Styx presents new threats with the addition of the crypto-clipping mechanism. Basically, the malware monitors the clipboard for changes and then replaces copied cryptocurrency wallet addresses with those belonging to the attacker. Previously, the Phorpiex botnet was known to use this technique to hijack crypto transactions.

According to Check Point Research's findings, Styx can identify wallet addresses across nine blockchains, including Bitcoin (BTC), Ethereum (ETH), Monero (XMR), Ripple (XRP), Litecoin (LTC), Bitcoin Cash (BCH), Stellar (XLM), Dash (DASH) and Neo (NEO). Chromium- and Gecko-based browsers, data from browser extensions, Telegram and Discord are especially vulnerable. The malware's builder has an autorun feature and a user-friendly graphical interface, making it easier for cybercriminals to customize and deploy it.

[Figure: Styx Stealer user interface | source: Check Point Research]

Styx is also equipped with basic anti-analysis techniques to mask its operations. To evade detection, it terminates processes associated with debugging tools and detects virtual machine environments. If such an environment is detected, Styx Stealer initiates self-deletion.

Available via Telegram

The malware's distribution and sales are managed manually through the Telegram account @styxencode and the styxcrypter[.]com website. CPR has…
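The crypto-clipping behaviour described above has a simple detection signature from the defender's side: a wallet address appears on the clipboard and, within a fraction of a second and without any user action, is replaced by a different address of the same chain. The following Python is an added example written for this article, not code from Check Point Research or from the malware; it classifies clipboard text against heuristic address patterns for the nine chains the article lists (the patterns are constructed simplifications, not exact validators) and flags suspicious same-chain swaps in a clipboard event log. The event log, the `ClipEvent` type and the sample addresses are all constructed here so the example runs offline.

```python
import re
from dataclasses import dataclass

# Heuristic, constructed address patterns for the nine chains the article
# names. They are deliberately loose (no checksum verification) and are
# meant only to classify "looks like a wallet address" text.
ADDRESS_PATTERNS = {
    "BTC":  re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "ETH":  re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "XMR":  re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
    "XRP":  re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$"),
    "LTC":  re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{39,59})$"),
    "BCH":  re.compile(r"^(?:bitcoincash:)?[qp][a-z0-9]{41}$"),
    "XLM":  re.compile(r"^G[A-Z2-7]{55}$"),
    "DASH": re.compile(r"^X[1-9A-HJ-NP-Za-km-z]{33}$"),
    "NEO":  re.compile(r"^A[1-9A-HJ-NP-Za-km-z]{33}$"),
}


@dataclass
class ClipEvent:
    """One clipboard-change event (constructed type for this example)."""
    t: float      # seconds since monitoring started
    text: str     # clipboard text at that moment


def classify_address(text: str):
    """Return the chain name whose pattern matches, or None for non-address text."""
    s = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return chain
    return None


def detect_clip_swaps(events, window_s: float = 2.0):
    """Flag consecutive events where an address of chain C is replaced by a
    different address of the same chain within window_s seconds. A human
    copying two different addresses that fast is implausible; a clipper
    reacting to a clipboard change is not."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        chain_prev = classify_address(prev.text)
        chain_cur = classify_address(cur.text)
        if chain_prev is None or chain_prev != chain_cur:
            continue
        if prev.text.strip() == cur.text.strip():
            continue  # same address re-copied, not a swap
        delta = cur.t - prev.t
        if 0 <= delta <= window_s:
            alerts.append({
                "chain": chain_prev,
                "original": prev.text.strip(),
                "replacement": cur.text.strip(),
                "delta_s": delta,
            })
    return alerts


# Constructed sample clipboard history (addresses are synthetic placeholders).
USER_BTC = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
SWAPPED_BTC = "1" + "A" * 33
USER_ETH = "0x" + "ab12" * 10
LATER_ETH = "0x" + "ff" * 20

SAMPLE_EVENTS = [
    ClipEvent(0.0, USER_BTC),       # user copies their own BTC address
    ClipEvent(0.3, SWAPPED_BTC),    # replaced 300 ms later: clipper behaviour
    ClipEvent(60.0, USER_ETH),      # user copies an ETH address
    ClipEvent(120.0, LATER_ETH),    # a different ETH address a minute later: normal
    ClipEvent(121.0, "meeting notes for monday"),  # ordinary text
]

if __name__ == "__main__":
    for alert in detect_clip_swaps(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['chain']} address swapped after {alert['delta_s']:.2f}s: "
              f"{alert['original']} -> {alert['replacement']}")
```

On a real Windows endpoint the event list would be fed by a clipboard listener (the Win32 `AddClipboardFormatListener` API delivers a `WM_CLIPBOARDUPDATE` message on every change) rather than a constructed list; the classification and the same-chain-swap rule stay the same. The window threshold and the loose patterns are the two knobs to tune: a tighter window reduces false positives from users who genuinely copy two addresses back to back, and exact validators (base58 checksum, EIP-55 checksum) would cut misclassification of random strings.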
Filed under: News - @ August 18, 2024 12:22 pm