Typhon Reborn V2: Info-stealer reappears with advanced anti-analysis capabilities

The information stealer Typhon was first reported in mid-2022. It targeted the Microsoft Edge browser extensions of the Yoroi, MetaMask and Rabet cryptocurrency wallets and used the Telegram API to send the harvested data back to the attackers. It has now returned in a modified form, Typhon Reborn V2, with improved capabilities for evading detection and resisting analysis. The codebase of Typhon Reborn, itself an earlier upgrade of the Typhon Stealer, has received a substantial overhaul: to evade security tooling, the developers claim to have completely refactored the code and to have removed the keylogging and cryptomining functionality of earlier versions.

The malware obfuscates its strings with Base64 encoding and XOR to make static analysis harder. Before doing anything else, the main() routine of Typhon Reborn V2 reads the malware configuration to see whether anti-analysis is enabled. If it is, the malware runs a series of checks to determine whether it is executing inside a sandbox or another analysis environment. If any check indicates such an environment, a batch file is executed through the Windows command processor (cmd.exe), which terminates the malware.
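Layered Base64 and repeating-key XOR is cheap to build and equally cheap to undo once one decoded string is known. The routine below is an added example written for this page, not code from Typhon or from the researchers who analysed it: the key (`typhon`), the order of the two layers (XOR first, then Base64) and the sample strings are all assumptions, constructed so the example runs offline. The useful part for an analyst is `recover_key`, which treats a string that must be present in the configuration (here the Telegram API host) as known plaintext and derives the key from it.

```python
import base64

# Added example, not Typhon's own code: the stealer's real key and the exact order of
# its Base64/XOR layers are not published on this page, so both are assumptions here.
KEY = b"typhon"  # hypothetical repeating XOR key


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` against a repeating `key` (symmetric: encodes and decodes)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(plaintext: str, key: bytes) -> str:
    """XOR, then Base64-encode (the assumed order of the two layers)."""
    return base64.b64encode(xor_bytes(plaintext.encode("utf-8"), key)).decode("ascii")


def deobfuscate(blob: str, key: bytes) -> str:
    """Reverse the layering: Base64-decode, then XOR with the key."""
    return xor_bytes(base64.b64decode(blob), key).decode("utf-8")


def recover_key(blob: str, known_plaintext: str) -> bytes:
    """Known-plaintext recovery of a repeating XOR key.

    XORing the decoded blob against text it is known to contain yields the
    keystream; the shortest period that reproduces the whole keystream is the key.
    The known text must be at least as long as the key, otherwise only a prefix
    of the key is returned.
    """
    raw = base64.b64decode(blob)
    known = known_plaintext.encode("utf-8")
    if len(known) > len(raw):
        raise ValueError("known plaintext longer than the obfuscated blob")
    keystream = xor_bytes(raw[: len(known)], known)
    for period in range(1, len(keystream) + 1):
        if all(keystream[i] == keystream[i % period] for i in range(len(keystream))):
            return keystream[:period]
    return keystream  # not reached: period == len(keystream) always matches


def decode_config(blobs: list, key: bytes) -> list:
    """Decode a list of obfuscated strings, marking any that are not valid UTF-8."""
    out = []
    for blob in blobs:
        try:
            out.append(deobfuscate(blob, key))
        except (UnicodeDecodeError, ValueError):
            out.append(f"<undecodable: {blob}>")
    return out


# Constructed sample "configuration": strings a stealer like this would plausibly
# hide (its C2 host and sandbox indicators), obfuscated with the hypothetical key.
PLAINTEXTS = ["api.telegram.org", "VirtualBox", "SbieDll.dll", "cmd.exe /c"]
SAMPLES = [obfuscate(s, KEY) for s in PLAINTEXTS]

if __name__ == "__main__":
    # An analyst who recognises one string (here the Telegram API host) can
    # recover the key and decode everything else in the configuration.
    recovered = recover_key(SAMPLES[0], "api.telegram.org")
    print("recovered key:", recovered)
    for blob, text in zip(SAMPLES, decode_config(SAMPLES, recovered)):
        print(f"{blob:32} -> {text}")
```

If the real sample nests the layers the other way round (Base64 inside XOR), swap the two calls in `obfuscate` and `deobfuscate`; the key-recovery logic is unchanged, since it only needs the raw bytes that were XORed.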

Besides adding further anti-analysis and anti-virtualization checks, Typhon Reborn V2 drops the persistence mechanism of earlier versions and simply terminates once the data has been stolen. The harvested data is packed into a compressed archive and sent to the attacker over HTTPS through the Telegram API, continuing the abuse of the messaging service. Once the transfer succeeds, the archive is deleted from the compromised system.
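The exfiltration path described above gives defenders something concrete to hunt for: an upload to the Telegram Bot API from a process that has no business talking to it. The script below is an added example for this page, not anything from the Typhon reports or from the malware: it scans a constructed set of egress log lines (the log format, the process names and the bot token are all made up) for Bot API calls, whose URLs take the form `https://api.telegram.org/bot<id>:<token>/<method>`. Because the stealer uses HTTPS, the URL path is only visible in proxy logs when TLS is inspected; otherwise the same logic applies to host-based telemetry that records outbound URLs per process.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Bot API calls look like https://api.telegram.org/bot<bot_id>:<token>/<method>.
# The token-length bound is an assumption, kept deliberately loose.
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]{30,50})/(\w+)"
)

# Constructed log lines (not real telemetry) in a hypothetical space-separated
# format: timestamp, source IP, process name, HTTP method, URL, bytes sent.
SAMPLE_LOGS = """\
2023-04-05T12:00:58Z 10.0.0.21 chrome.exe GET https://www.example.com/ 812
2023-04-05T12:01:03Z 10.0.0.21 WindowsUpdate.exe POST https://api.telegram.org/bot5834291073:AAHc3Zk2q-Qf0xL9v2mWs8uNz3aK7LpE1qY/sendDocument 1482933
2023-04-05T12:01:04Z 10.0.0.21 WindowsUpdate.exe GET https://api.telegram.org/bot5834291073:AAHc3Zk2q-Qf0xL9v2mWs8uNz3aK7LpE1qY/sendMessage?chat_id=-100123456789&text=done 310
2023-04-05T12:02:11Z 10.0.0.34 Telegram.exe POST https://149.154.167.51/api 4096
"""


@dataclass
class Finding:
    ts: str
    src: str
    process: str
    api_method: str      # Bot API method, e.g. sendDocument
    bot_id: str
    token_redacted: str  # never write the full token to a ticket: it is a live credential
    bytes_out: int
    severity: str


def redact_token(token: str) -> str:
    """Keep just enough of the token to correlate findings without leaking it."""
    return f"{token[:4]}...{token[-4:]}"


def parse_line(line: str) -> dict | None:
    """Parse one line of the constructed log format; None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, process, http_method, url, bytes_out = parts
    try:
        return {"ts": ts, "src": src, "process": process,
                "http_method": http_method, "url": url, "bytes_out": int(bytes_out)}
    except ValueError:
        return None


def detect_telegram_exfil(log_text: str, upload_threshold: int = 100_000) -> list[Finding]:
    """Flag every Bot API call; rate large sendDocument uploads as high severity."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = TELEGRAM_BOT_RE.search(rec["url"])
        if m is None:
            continue
        bot_id, token, api_method = m.groups()
        # A large upload through sendDocument matches the stealer's behaviour of
        # shipping a compressed archive; a lone sendMessage is weaker evidence.
        big_upload = api_method == "sendDocument" and rec["bytes_out"] >= upload_threshold
        findings.append(Finding(
            ts=rec["ts"], src=rec["src"], process=rec["process"], api_method=api_method,
            bot_id=bot_id, token_redacted=redact_token(token),
            bytes_out=rec["bytes_out"], severity="high" if big_upload else "medium",
        ))
    return findings


def hosts_per_bot(findings: list[Finding]) -> dict[str, set[str]]:
    """Group source hosts by bot ID: one bot seen on many hosts is one campaign."""
    grouped: dict[str, set[str]] = {}
    for f in findings:
        grouped.setdefault(f.bot_id, set()).add(f.src)
    return grouped


if __name__ == "__main__":
    for f in detect_telegram_exfil(SAMPLE_LOGS):
        print(f"[{f.severity}] {f.ts} {f.src} {f.process} -> {f.api_method} "
              f"bot={f.bot_id} token={f.token_redacted} bytes={f.bytes_out}")
    print(hosts_per_bot(detect_telegram_exfil(SAMPLE_LOGS)))
```

The bot ID and token are the most durable indicators here: the same bot appearing on several hosts links those infections to one operator, and the redacted form is enough for that correlation without copying a usable credential into case notes.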

Alongside the stronger anti-analysis measures, this version also expands the stealer and file-grabber functions. Targets include cryptocurrency wallets, messaging clients, FTP and VPN clients, web browsers and gaming applications, in addition to hijacking clipboard contents and capturing screenshots.
