Contact Us

Typhon Reborn V2: Info-stealer reappears with advanced anti-analysis capabilities

Information stealer Typhon was first made public in mid-2022. It specifically targeted Microsoft Edge’s web browser extensions for Yoroi, Metamask, and Rabet wallets, and used Telegram API to send the harvest data back to attackers. It has returned in an altered form (V2) with enhanced powers to avoid detection and withstand analytical components. The codebase of Typhon Reborn, an improved version of the Typhon Stealer cryptocurrency miner, has received a significant upgrade. To avoid detection by security systems, attackers claimed to have completely refactored the malware’s coding and removed functionality like keylogging and cryptomining.

The virus uses Base64 encoding and the XOR method to obfuscate strings to make analysis more difficult. Typhon Reborn V2’s main() routine examines the malware settings to see if anti-analysis has been activated before starting to run. If it is turned on, the malware will try to run a number of anti-analysis tests to see if it is being run in a sandbox or an analysis environment. If any of the tests are unsuccessful, a batch file is then run through Windows’ command processor, stopping the malware’s activity.

Along with adding further anti-analysis and anti-virtualization safeguards, Typhon Reborn V2 does away with its persistence capabilities and instead chooses to shut down after stealing the data. The virus finally uses the Telegram API to transfer the data it has acquired in a compressed package over HTTPS, continuing misuse of the messaging service. The archive is then removed from the compromised system when the data has been successfully transferred to the attacker.

The stealer and file grab functions have been enhanced in this latest version, which also includes more advanced anti-analysis measures. It includes stealing data from crypto wallets, messaging, FTP, VPN, browsers, and gaming applications, as well as hijacking clipboard material, taking screenshots, recording keystrokes, and more.

References:

  1. https://www.bleepingcomputer.com/news/security/typhon-info-stealing-malware-devs-upgrade-evasion-capabilities/
  2. https://thehackernews.com/2023/04/typhon-reborn-stealer-malware.html

Related Articles

SISA logo in white

SISA is a global forensics-driven cybersecurity solutions company, trusted by leading organizations for securing their businesses with robust preventive, detective, and corrective cybersecurity solutions. Our problem-first, human-centric approach helps businesses strengthen their cybersecurity posture.

Industry recognition by CREST, CERT-In and PCI SSC serves as a testament to our skill, knowledge, and competence.

We apply the power of forensic intelligence and advanced technology to offer true security to 2,000+ customers in 40+ countries.

Company

Services

Resources

Quick Links

Connect with us

Copyright © 2024 SISA. All Rights Reserved.
SISA’s Latest
close slider

Webinar

Webinar: ANAB accredited certification, Jan 2024, cover image

ANAB Accredited Certification: A Catalyst for Professional Excellence in Payment Security

Webinar: ANAB accredited certification, Jan 2024, cover image

ANAB Accredited Certification: A Catalyst for Professional Excellence in Payment Security

Whitepaper

Bridging the cybersecurity skill gap in payments industry through accredited training - Banner

The Tipping Point: Bridging the Cybersecurity Skill Gap in the Payments Industry Through Accredited Training

Events

SISA Reimagines Cybersecurity with MXDR at RSA 2024

News Room

DSCI and SISA unveils cyber report on ‘MXDR – A New Paradigm for Cyber Defense’

Infosec Report

SISA-DSCI ProACT MXDR Report launch 2024

Blog

The Critical Role of Accredited Certification in Payment Security

Weekly Threat Watch

Critical CVSS 10 vulnerability in PAN-OS sparks urgent action

Case Study

SISA helps a global electronic payment provider strengthen risk management and compliance

Sign up for SISA's Daily
Threat Watch Advisory
Subscribe now!