Typhon info-stealing malware devs improve evasion capabilities
The developers of the Typhon info-stealer announced on a dark web forum that they have updated the malware to a major version they promote as ‘Typhon Reborn V2’.
They boast significant enhancements designed to thwart analysis via anti-virtualization mechanisms.
The original Typhon was discovered by malware analysts in August 2022. Cyble Research Labs analyzed it at the time and found that the malware combined the main stealer component with a clipper, a keylogger, and a crypto-miner.
While the initial version was sold via Telegram for a single lifetime fee of $50, the malware developers also offered to distribute Typhon for roughly $100 per 1,000 victims.
Cisco Talos analysts report that the new version started being promoted on the dark web in January and has been purchased several times. However, the researchers found samples of the latest version in the wild dating back to December 2022.
New model variations
According to Cisco Talos, the codebase for Typhon V2 has been heavily modified to make the malicious code more robust, reliable, and stable.
The string obfuscation has been improved using Base64 encoding and XOR, which makes analysis of the malware a harder job.
The researchers observed a more comprehensive mechanism for avoiding the infection of analysis machines, with the malware now looking at a wider range of criteria, including usernames, CPUIDs, applications, processes, debugger/emulation checks, and geolocation data before running the malicious routines.
The malware can exclude Commonwealth of Independent States (CIS) countries, or it can follow a user-supplied custom geolocation list.
The most notable new feature is Typhon’s process to check whether it runs in a victim’s environment and not on a simulated host on a researcher’s computer.
This includes checking for GPU information, the presence of DLLs associated with security software, the video controller for VM indicators, performing registry checks, usernames, and even checking for the presence of Wine, an emulator of Windows.
Extra stealing capabilities
Data collection capabilities have been expanded in the latest version of Typhon, as it now targets a larger number of apps, including gaming clients. However, it looks like the feature is still in the works, because it was inactive in the samples analyzed by Cisco Talos.
Typhon still targets several email clients, messaging apps, cryptocurrency wallet apps and browser extensions, FTP clients, VPN clients, and data stored in web browsers. It can also capture screenshots from the compromised machine.
Another new feature is a file grabber component that allows the operators to search for and exfiltrate specific files from the victim’s environment.
The data is stolen via HTTPS using the Telegram API, which was the method of choice in the original version of the malware too.
The emergence of Typhon Reborn V2 represents a significant evolution for the MaaS and confirms the developers’ commitment to the project.
Cisco Talos’ analysis can help malware researchers come up with proper detection mechanisms for the new Typhon version, since its relatively low price and capabilities are likely to increase its popularity.
Indicators of compromise (IoCs) for Typhon v2 are available from Cisco Talos’ repository on GitHub.
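Because exfiltration goes over HTTPS to the Telegram Bot API, a web proxy or EDR log that records the originating process gives defenders a simple hunting signal. The following is an added example (not code from the article or from Cisco Talos) that scans constructed proxy log lines and flags POSTs to Bot API upload endpoints from processes that are not on an assumed allowlist; the log format, host names and allowlist are all assumptions.

```python
import re

# Constructed sample proxy log lines (not from the article or the Talos report).
# Format: <timestamp> <host> <method> <url> process=<image name>
SAMPLE_PROXY_LOG = """\
2023-04-06T10:01:12Z ws01 POST https://api.telegram.org/bot123456:PLACEHOLDER/sendDocument process=svchost.exe
2023-04-06T10:02:03Z ws02 GET https://web.telegram.org/ process=chrome.exe
2023-04-06T10:03:44Z ws03 POST https://api.telegram.org/bot123456:PLACEHOLDER/sendMessage process=bot-runner.exe
2023-04-06T10:04:10Z ws04 POST https://api.telegram.org/bot123456:PLACEHOLDER/sendDocument process=updater.exe
2023-04-06T10:05:55Z ws05 POST https://example.com/upload process=outlook.exe
"""

# Bot API methods a stealer would use to push stolen data or archives to a bot-controlled chat.
BOT_API_RE = re.compile(
    r"^https://api\.telegram\.org/bot[^/]+/(sendDocument|sendMessage|sendPhoto)\b"
)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<url>\S+) process=(?P<proc>\S+)$"
)

# Processes allowed to talk to the Bot API from workstations (assumed allowlist; tune per environment).
ALLOWED_BOT_PROCESSES = {"bot-runner.exe"}


def find_suspicious_telegram_exfil(log_text: str) -> list[dict]:
    """Return parsed entries where an unexpected process POSTs to a Telegram Bot API upload method."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        entry = m.groupdict()
        api = BOT_API_RE.match(entry["url"])
        if entry["method"] != "POST" or api is None:
            continue
        if entry["proc"].lower() in ALLOWED_BOT_PROCESSES:
            continue
        entry["api_method"] = api.group(1)
        # Redact the bot token so it does not end up in alert text or tickets.
        entry["url"] = re.sub(r"/bot[^/]+/", "/bot<redacted>/", entry["url"])
        hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_telegram_exfil(SAMPLE_PROXY_LOG):
        print(f'{hit["ts"]} {hit["host"]} {hit["proc"]} -> Telegram Bot API {hit["api_method"]}')
```

Bot API calls from an endpoint are rare in most fleets, so the allowlist can usually stay empty and every hit be triaged.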