Unit 42 recently discovered an updated version of the Typhon miner/stealer, which has improved anti-analysis techniques and more malicious features.
The threat actor is selling his creation on an underground website, where he showcases the latest features of his malware. In this updated version he removed the keylogger, clipper and miner. The author also sells this product via a Telegram channel; the current price for the stealer is USD 100 for a lifetime subscription. The author also claims that the new Typhon Reborn payload size is less than 2.5 MB.
Typhon Reborn was released with multiple new features and configurable options. These new features include block listed usernames and countries, new message clients and a crypto-extension stealer for Google Chrome and Microsoft Edge. The author also removed a few existing features, including the keylogging ability as well as the clipboard stealing and crypto mining features.
Keylogging and crypto mining code is typically easy to detect in dynamic analysis platforms. We speculate the removal of these features was to lower the chances of antivirus detection. The author stated in his release notes that the removed features would be moved to their own projects in the future.
All of Typhon Reborn’s new anti-analysis checks, once triggered, run the cleverly named MeltSelf method, as shown in Figure 5. This method kills the threat’s process and deletes itself from the disk.
Typhon Reborn’s new anti-analysis techniques include the following:
Checking for debugging arguments
Detecting virtual machines
Checking for debuggers
Checking the size of the physical disk
Checking for well known analysis processes (blocklisting)
Checking for well known sandbox usernames
Checking for victim country
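The list above is also a checklist for anyone running a dynamic analysis environment: a sample that trips any of these checks will run MeltSelf and leave the sandbox with nothing to report. The following Python script is an added example, not code from the original post, from Unit 42 or from Typhon Reborn itself. It audits a host description (a dictionary built from whatever inventory tooling you already have) against the seven categories of checks named in the write-up and reports which ones the host would trip. Every blocklist, marker string and threshold in it is a constructed placeholder for illustration; the real values Typhon Reborn uses are not given on the page, and the country blocklist is left empty because the post does not name the blocked countries.

```python
"""Sandbox realism audit for the anti-analysis checks listed above.

Added example. The lists and thresholds below are constructed placeholders,
not the stealer's real blocklists, which the write-up does not reproduce.
"""

# Constructed example values for illustration only.
SANDBOX_USERNAMES = {"sandbox", "malware", "virus", "analyst", "test user"}
ANALYSIS_PROCESSES = {"procmon.exe", "procmon64.exe", "wireshark.exe",
                      "x64dbg.exe", "ollydbg.exe", "fiddler.exe",
                      "processhacker.exe", "ida64.exe"}
VM_MARKERS = ("vmware", "virtualbox", "vbox", "qemu", "kvm", "hyper-v")
DEBUG_ARGS = {"-debug", "--debug", "/debug"}
MIN_DISK_GB = 60  # assumed threshold: a tiny physical disk is a classic sandbox tell


def audit_host(profile, blocked_countries=frozenset()):
    """Return a list of (check, detail) tuples, one per anti-analysis check
    that a host described by `profile` would trip. An empty list means the
    host passes every check modelled here."""
    hits = []

    # 1. Debugging arguments on the sample's own command line
    args = {a.lower() for a in profile.get("cmdline_args", [])}
    if args & DEBUG_ARGS:
        hits.append(("debug_args", sorted(args & DEBUG_ARGS)))

    # 2. Virtual machine artifacts in hardware identification strings
    hw = " ".join(profile.get("hardware_strings", [])).lower()
    vm = [m for m in VM_MARKERS if m in hw]
    if vm:
        hits.append(("virtual_machine", vm))

    # 3. A debugger attached to the process
    if profile.get("debugger_attached", False):
        hits.append(("debugger", True))

    # 4. Physical disk size below the assumed threshold
    disk = profile.get("disk_gb", 0)
    if disk < MIN_DISK_GB:
        hits.append(("disk_size", disk))

    # 5. Well known analysis processes running (blocklisting)
    procs = {p.lower() for p in profile.get("processes", [])}
    tools = sorted(procs & ANALYSIS_PROCESSES)
    if tools:
        hits.append(("analysis_process", tools))

    # 6. Well known sandbox usernames
    user = profile.get("username", "").strip().lower()
    if user in SANDBOX_USERNAMES:
        hits.append(("sandbox_username", user))

    # 7. Victim country on the operator's blocklist (caller-supplied)
    country = profile.get("country", "").upper()
    if country and country in {c.upper() for c in blocked_countries}:
        hits.append(("country", country))

    return hits


# Constructed host profiles: a default-looking sandbox and a more realistic VM.
DEFAULT_SANDBOX = {
    "username": "sandbox",
    "disk_gb": 40,
    "processes": ["explorer.exe", "procmon64.exe", "wireshark.exe"],
    "hardware_strings": ["VMware Virtual Platform", "VMware, Inc."],
    "cmdline_args": [],
    "debugger_attached": False,
    "country": "US",
}

HARDENED_VM = {
    "username": "jsmith",
    "disk_gb": 250,
    "processes": ["explorer.exe", "outlook.exe", "chrome.exe"],
    "hardware_strings": ["Dell Inc.", "OptiPlex 7090"],
    "cmdline_args": [],
    "debugger_attached": False,
    "country": "US",
}

if __name__ == "__main__":
    for name, prof in (("default sandbox", DEFAULT_SANDBOX),
                       ("hardened VM", HARDENED_VM)):
        print(name, "->", audit_host(prof) or "passes all modelled checks")
```

Run against the default-looking sandbox, the audit flags the VMware strings, the 40 GB disk, the two running analysis tools and the username, which is exactly the set of tells an analyst would change before detonating a sample that behaves like Typhon Reborn; the hardened profile trips nothing. Feeding the function real inventory data (hostname, disk size, process list, SMBIOS strings) rather than these constructed dictionaries turns it into a pre-detonation check for an analysis VM.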