Crypto-clipping malware ‘Styx Stealer’ targets Windows computers
Styx Stealer, a new malware, stealthily swipes cryptocurrency from Windows-based computers.
Cybersecurity firm Check Point Research first identified Styx as a beefier version of Phemodrone Stealer in April. The malware exploited a now-patched Windows vulnerability, hijacking cryptocurrency transactions and stealing sensitive data from compromised systems, such as private keys, browser cookies, and even autofill browser data.
Phemodrone first made waves in early 2024. Unlike Styx Stealer, it focused on web browsers to drain crypto from wallets alongside other information.
Both malware exploit the same loophole in Windows Defender, the operating system’s native antivirus, taking advantage of an old vulnerability in the antivirus’s SmartScreen feature designed to warn users about potentially harmful websites and downloads.
However, Styx presents new threats with the addition of the crypto-clipping mechanism. Basically, the malware monitors the clipboard for changes and then replaces copied cryptocurrency wallet addresses with those belonging to the attacker.
Previously, the Phorpiex botnet was known to use this technique to hijack crypto transactions.
According to Check Point Research’s findings, Styx can identify wallet addresses across nine blockchains, including Bitcoin (BTC), Ethereum (ETH), Monero (XMR), Ripple (XRP), Litecoin (LTC), Bitcoin Cash (BCH), Stellar (XLM), Dash (DASH) and Neo (NEO).
Chromium- and Gecko-based browsers, data from browser extensions, Telegram and Discord are especially vulnerable.
The malware’s builder has an autorun feature and a user-friendly graphical interface, making it easier for cybercriminals to customize and deploy it.
Styx is also equipped with basic anti-analysis techniques to mask its operations. To evade detection, it terminates processes associated with debugging tools and detects virtual machine environments. If such an environment is detected, Styx Stealer initiates self-deletion.
Available via Telegram
The malware’s distribution and sales are managed manually through the Telegram account @styxencode and the styxcrypter[.]com website. CPR has also discovered advertisements and YouTube videos that promote the malicious software.
At least 54 individuals had sent the Styx developer approximately $9,500 in payments using various cryptocurrencies like Bitcoin and Litecoin. Unlike its successor, which was free, this malware is available with a monthly license for $75, $230 for three months, and $350 for lifetime access.
The amount of crypto funds stolen or the scale of the systems infected using Styx remains unclear.
Crypto-stealing malware has also been found on Apple’s MacOS, as reported by antivirus developer Kaspersky earlier this year. The malware targeted Bitcoin and Exodus wallets by replacing the actual software with an altered version.
Hacks and thefts have become quite profitable as the crypto sector expands, with millions of dollars worth of funds lost yearly. Nevertheless, some infamous threat actors have decided to call it quits.
Last month, Angel Drainer, a drainer-as-a-service malware responsible for over $25 million in thefts, shut down operations. In November, multi-chain crypto scam service Inferno Drainer halted services.