The payment form also asks for users’ sensitive information such as name, Social Security Number (SSN), ORT, and Credit/Debit card details. When the user visits the URL: hxxp://lindesbergparkeringsanmarkningnetlify, it opens a fake payment form with a name and logo related to Lindesbergs kommun which asks the users to pay 300 SEK(Swedish krona, the national currency of Sweden).
Figure 3 – Spreading and Crypting Services Telegram Post Interestingly, the TA also provides spreading and crypting services for the ones who purchase this stealer, as shown below. Figure 2 – Typhon Stealer Telegram Channel The TA sells this stealer via a lifetime subscription model for $50. The below images show the Typhon stealer is updated through a Telegram channel, where the TA is actively working on releasing updates for the stealer. The TAs has also created a Telegram channel to communicate with the people who want to purchase Typhon stealer services. The developer of the stealer has also added a module for delivering XMRig CryptoMiner, which appears to be either in a development stage or the TA who generated this stealer using a builder did not add this functionality. We observed that this malicious program is based on Prynt Stealer and can steal data from multiple applications. Figure 1 – Content of LNK FileĬyble Research Labs also downloaded the Windows executable and performed a deep dive analysis on it.
The below image shows the content of the.
lnk file, it further executes a PowerShell command, downloads Typhon stealer from the remote server, and executes it. Upon analyzing the mentioned URL, we identified that it also hosts a phishing page that impersonates Lindesbergs Kommun (a municipality in Örebro County in central Sweden) to steal users’ sensitive information such as name, Social Security Number (SSN), ORT, and Credit/Debit card details and sends it to the Threat Actor’s (TAs) server. The researcher in the Twitter post claims this Windows executable is a variant of Typhon stealer malware delivered via a crafted. New stealer developing Crypto Miner capabilitiesĭuring a routine threat hunting exercise, Cyble Research Labs (CRL) came across a Twitter post wherein researchers mentioned a URL that hosts a Windows executable payload with the name systemupdate.exe.
0 kommentar(er)
