The use of a familiar Bot API for data exfiltration leads to the authentication token being derived from malware sample

Recently, a new malware capable of stealing browser data, instant messenger sessions from Telegram and Discord, and cryptocurrency assets was discovered by cybersecurity — due to a hacker’s negligence.

The malware is derived from Phemedrone Stealer, notorious for exploiting the CVE-2023-36025 vulnerability in the Microsoft Windows Defender SmartScreen function. While it inherits the former malware’s core functions, this derivative includes enhanced capabilities: a persistence mechanism; a clipboard monitor and crypto-clipper, and additional sandbox evasion, and anti-analysis techniques.

Dubbed Styx Stealer by its authors on the sales ad on the Dark Web, the malware is capable of stealing cryptocurrency during a transaction, by substituting the original wallet address saved in the clipboard with the attacker’s wallet address. The persistence mechanism ensures that the malware remains active on the victim’s system even after a reboot, allowing the crypto-clipper to operate continuously, and increasing the chances of successful cryptocurrency theft.

However, despite its powerful evasion features, Styx Stealer also harbors a “fatal error” made by its developer(s). The campaign uses the Telegram Bot API for data exfiltration. However, this method has a significant flaw: each malware sample must contain a ‘bot token’ for authentication. Decrypting the malware to extract this token provides access to all data sent via the bot, exposing the recipient account. Subsequently, via this approach, researchers managed to intercept a document from the debugging processes in the developer’s computer. The intercepted file contained screenshots of the Visual Studio integrated development environment project “PhemedroneStealer” featuring a Telegram Bot token and chat ID — matching what a sample of Agent Tesla contains.

Before long, all the intercepted clues had led to Check Point Research analysts connecting the dots and even intercepting other files that reveal the threat group’s operational details.

According to the firm’s blog, “The creator of Styx Stealer revealed his personal details, including Telegram accounts, emails, and contacts… the slightest mistake can lead to the de-anonymization and exposure of not only the individuals involved but also their associates, as demonstrated in this case. Even if these criminals are not arrested after being exposed, they will be fully aware that their activities will be under close watch. Continuing their criminal actions only strengthens the evidence against them.”