Summary of Key Points:
- Styx Stealer is a Windows information stealer built to steal cryptocurrency.
- It is derived from Phemedrone Stealer, an earlier stealer that harvests credentials and wallet data from web browsers.
- Both families are associated with a patched Windows Defender SmartScreen vulnerability used to get the initial payload onto the machine.
- Styx adds a clipper: it monitors the clipboard and silently replaces a copied wallet address with one controlled by the attacker.
- Styx recognises wallet addresses for nine different blockchains.
- The malware is sold through a Telegram account and a dedicated website, with payment accepted in cryptocurrency.
- Crypto-stealing malware has also been found on Apple's macOS.
- Several high-profile crypto-malware operations have recently been shut down.
Styx Stealer Malware and Cryptocurrency Theft
Styx Stealer is designed to covertly steal cryptocurrency from Windows machines. Check Point Research identified it as an evolved version of Phemedrone Stealer, a stealer that gained attention for being delivered through a since-patched Windows vulnerability. Like its predecessor, Styx harvests sensitive data such as private keys, browser cookies and browser autofill data; on top of that it interferes with cryptocurrency transactions themselves, redirecting funds to the attacker.
Exploiting Windows Defender Vulnerability
Both Styx Stealer and Phemedrone Stealer are tied to a weakness in Windows Defender, the operating system's built-in antivirus: an old, already patched vulnerability in its SmartScreen feature that lets a crafted file open without the warning prompt SmartScreen would normally show for an untrusted download. That gets the stealer onto the machine without alerting the user; a fully patched Windows installation closes this particular entry point, although the stealer itself still runs on any machine it reaches by other means. Styx adds a capability Phemedrone did not have, a crypto-clipper: it watches the clipboard for changes and, when the copied text looks like a cryptocurrency wallet address, replaces it with an attacker-controlled address for the same blockchain. A victim who pastes the address into a wallet and sends without re-checking it pays the attacker, which is why the practical defence is to compare the pasted address against the intended one before confirming a transfer.
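The following is an added example, not code from Check Point Research, from Styx Stealer or from the article; it shows the two halves of the clipper technique described above in simulation: address recognition for a set of blockchains, the swap a clipper performs, and a defender-side check that compares what the user copied with what the clipboard holds when it is read back. The nine chains and their regular expressions are an illustrative set chosen for this example (the article says Styx recognises nine chains but does not list them), the sample addresses are constructed strings, not real wallets, and there is no real clipboard access, so it runs offline.

```python
"""Wallet-address recognition and clipboard-swap (clipper) detection.

Added example, not code from Check Point Research or from Styx Stealer.
The chain set, regexes and sample addresses below are assumptions chosen
for illustration; the article does not list Styx's patterns.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Base58 (used by most UTXO chains) excludes 0, O, I and l.
_B58 = r"[1-9A-HJ-NP-Za-km-z]"

# Illustrative patterns for nine chains (assumption: not Styx's own set).
# Order matters only if two patterns could match the same token; here the
# leading characters keep them disjoint.
ADDRESS_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "bitcoin_legacy": re.compile(rf"[13]{_B58}{{25,34}}"),
    "bitcoin_bech32": re.compile(r"bc1[ac-hj-np-z02-9]{25,62}"),  # bech32 set
    "ethereum":       re.compile(r"0x[0-9a-fA-F]{40}"),
    "litecoin":       re.compile(rf"[LM]{_B58}{{26,33}}"),
    "dogecoin":       re.compile(rf"D[5-9A-HJ-NP-U]{_B58}{{32}}"),
    "dash":           re.compile(rf"X{_B58}{{33}}"),
    "tron":           re.compile(rf"T{_B58}{{33}}"),
    "ripple":         re.compile(rf"r{_B58}{{24,34}}"),
    "monero":         re.compile(rf"4[0-9AB]{_B58}{{93}}"),
}

_PUNCT = ".,;:!?()[]<>\"'"


def classify_address(token: str) -> Optional[str]:
    """Return the chain whose pattern the whole token matches, else None."""
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(token):
            return chain
    return None


def find_wallet_addresses(text: str) -> List[Tuple[str, str]]:
    """(chain, address) for every whitespace-delimited token that looks like a
    wallet address. Regex-only: no checksum validation, so random base58-like
    strings can produce false positives."""
    found = []
    for raw in text.split():
        tok = raw.strip(_PUNCT)
        chain = classify_address(tok)
        if chain:
            found.append((chain, tok))
    return found


def simulate_clipper(clipboard: str, attacker_wallets: Dict[str, str]) -> str:
    """Attacker side, simulated: on a clipboard change, if the text is a single
    wallet address and the attacker holds a wallet on that chain, swap it."""
    chain = classify_address(clipboard.strip())
    if chain and chain in attacker_wallets:
        return attacker_wallets[chain]
    return clipboard


@dataclass
class SwapVerdict:
    swapped: bool
    chain: Optional[str]
    detail: str


class ClipboardGuard:
    """Defender side: remember what the user actually copied and compare it
    with the clipboard contents when they are read back (e.g. on paste)."""

    def __init__(self) -> None:
        self._last_copied: Optional[str] = None

    def on_copy(self, text: str) -> None:
        self._last_copied = text.strip()

    def on_read(self, text: str) -> SwapVerdict:
        current = text.strip()
        copied = self._last_copied
        chain = classify_address(copied) if copied is not None else None
        if chain is None:
            return SwapVerdict(False, None, "last copy was not a wallet address")
        if current == copied:
            return SwapVerdict(False, chain, "unchanged")
        if classify_address(current) == chain:
            # The clipper signature: same chain, different address.
            return SwapVerdict(True, chain, f"replaced by another {chain} address")
        return SwapVerdict(True, chain, "copied address was altered")


# Constructed sample addresses (not real wallets).
USER_BTC = "1" + "A" * 33
ATTACKER_BTC = "1" + "B" * 33
USER_ETH = "0x" + "ab" * 20

if __name__ == "__main__":
    guard = ClipboardGuard()
    guard.on_copy(USER_BTC)
    tampered = simulate_clipper(USER_BTC, {"bitcoin_legacy": ATTACKER_BTC})
    print(find_wallet_addresses(f"send to {USER_ETH}, or {USER_BTC}."))
    print(guard.on_read(tampered))
```

The regexes only recognise the shape of an address; a production detector would add the chain's checksum (Base58Check for Bitcoin-style chains, EIP-55 for Ethereum) to cut false positives, and a real guard would hook clipboard events rather than be fed strings. The part worth taking away is the detection rule: what comes out of the clipboard must equal what the user put in, and a same-chain address that differs is the clipper's fingerprint.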
Distribution and Pricing of Styx Stealer
Styx Stealer is sold and distributed by hand through a Telegram account and a dedicated website, with licences ranging from a monthly subscription to lifetime access and payment taken in cryptocurrency. How much cryptocurrency has been stolen with Styx, and how many systems it has infected, is not yet known, which underlines how hard crypto theft of this kind remains to measure, let alone stop.