Typhon Reborn Stealer Malware Resurfaces with Advanced Evasion Techniques


The threat actor behind the Typhon Reborn information stealer has resurfaced with an updated version (V2) that adds improved capabilities to evade detection and resist analysis.

The latest version is being sold on the criminal underground for $59 per month, $360 per year, or $540 for a lifetime subscription.

In a report published on Tuesday, Cisco Talos researcher Edmund Brumaghin said the stealer is capable of harvesting and exfiltrating sensitive data, using the Telegram API to send it to the attackers.

Typhon was first documented by Cyble in August 2022, detailing a wide range of capabilities, including hijacking clipboard content, capturing screenshots, logging keystrokes, and stealing data from a variety of applications such as cryptocurrency wallets, messaging clients, file transfer protocol (FTP) clients, virtual private network (VPN) software, web browsers and games.

Typhon, which is based on another stealer called Prynt Stealer, is also capable of delivering the XMRig cryptocurrency miner. In 2022, Palo Alto Networks Unit 42 identified an updated version named Typhon Reborn.

According to Unit 42, this version features improved anti-analysis measures and modified stealer and file-grabber capabilities. The removal of features such as keylogging and cryptocurrency mining suggests an effort to reduce the likelihood of detection.

According to Cisco Talos, V2 was advertised by its developer on January 31, 2023, on the Russian-language underground forum XSS.

The malware author claimed that the new version, Typhon Reborn, had been significantly reworked and improved compared to its earlier, unstable predecessor, and added that it was reasonably priced and free of any backdoors.

Like much other malware, V2 includes a check that prevents it from infecting systems located in Commonwealth of Independent States (CIS) countries, although Ukraine and Georgia are notably not on that list.

Beyond expanding its anti-analysis and anti-virtualization checks, Typhon Reborn V2 drops its persistence mechanism: once the data has been exfiltrated, the malware simply terminates itself.

Finally, the malware sends the collected data as a compressed archive over HTTPS using the Telegram API, reflecting the continued abuse of the messaging platform as an exfiltration channel.

According to Brumaghin, once the data has been transmitted to the attacker, the archive is deleted from the infected system, after which the malware invokes a function to terminate its own execution.

The findings come as Cyble detailed a new Python-based stealer called Creal that targets cryptocurrency users through phishing websites impersonating legitimate mining services such as Kryptex.

The malware offers capabilities similar to those of the Typhon Reborn stealer, harvesting cookies and passwords from Chromium-based web browsers, along with data from instant messaging, gaming, and cryptocurrency wallet applications.

Notably, the stealer's source code is available on GitHub, allowing other threat actors to adapt it to their own needs and increasing the threat it poses.

According to a report released last week by Cyble, Creal Stealer can exfiltrate data using Discord webhooks as well as several file-hosting and sharing platforms such as Anonfiles and Gofile.
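As an added, defender-side illustration (not code from the Cisco Talos or Cyble reports), the following Python script scans constructed egress-proxy log lines for the exfiltration channels named in this article: file uploads through the Telegram Bot API, posts to Discord webhooks, and uploads to the Anonfiles and Gofile services. The log format, process names and tokens are all assumptions made for the example.

```python
import re
from typing import Dict, FrozenSet, List

# Constructed egress-proxy log lines (not real data), one record per line:
# <timestamp> <src_ip> <process> <method> <host> <path> <bytes_out>
SAMPLE_LOG = """\
2023-04-05T10:01:02Z 10.0.0.7 bot-runner.exe POST api.telegram.org /bot0000000000:CONSTRUCTEDTOKEN/getUpdates 512
2023-04-05T10:01:09Z 10.0.0.7 update.exe POST api.telegram.org /bot0000000000:CONSTRUCTEDTOKEN/sendDocument 1843220
2023-04-05T10:02:11Z 10.0.0.9 chrome.exe GET www.example.com /index.html 2048
2023-04-05T10:03:40Z 10.0.0.12 svchost.exe POST discord.com /api/webhooks/000000000000000000/CONSTRUCTEDWEBHOOKTOKEN 921133
2023-04-05T10:04:01Z 10.0.0.12 svchost.exe POST api.gofile.io /uploadFile 3300000
"""

# Telegram Bot API methods that carry a file upload (e.g. a stealer's compressed archive).
TELEGRAM_UPLOAD = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/(sendDocument|sendPhoto|sendVideo)$")
# Discord webhook URLs embed a numeric id followed by a token.
DISCORD_WEBHOOK = re.compile(r"^/api/webhooks/\d+/[A-Za-z0-9_-]+")
FILE_HOSTS = ("anonfiles.com", "gofile.io")  # file-sharing services named in the Cyble report


def detect_exfil(log_text: str, allowed_processes: FrozenSet[str] = frozenset()) -> List[Dict[str, object]]:
    """Return one finding per POST upload to an exfiltration channel from a non-allowlisted process."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # malformed record: skip rather than guess
        ts, src, proc, method, host, path, size = fields
        if method != "POST" or proc in allowed_processes:
            continue
        reason = None
        if host == "api.telegram.org" and TELEGRAM_UPLOAD.match(path):
            reason = "file upload via Telegram Bot API"
        elif host in ("discord.com", "discordapp.com") and DISCORD_WEBHOOK.match(path):
            reason = "upload to Discord webhook"
        elif host.endswith(FILE_HOSTS):
            reason = "upload to anonymous file-sharing service"
        if reason:
            findings.append({"time": ts, "src": src, "process": proc, "host": host,
                             "bytes": int(size), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in detect_exfil(SAMPLE_LOG):
        print(f"{f['time']} {f['src']} {f['process']} -> {f['host']}: {f['reason']} ({f['bytes']} bytes)")
```

The `getUpdates` call on the first line is deliberately not flagged: only the upload methods indicate data leaving the host, and an allowlist of processes legitimately expected to use these services keeps the rule from firing on sanctioned automation.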

Cybercriminals are increasingly incorporating open source code into their malware, as it allows them to build sophisticated, tailored attacks at low cost.
