Good day everyone!
Check Point Software researchers provide us a detailed report on a newly discovered malware the #StyxStealer! It is capable of “stealing browser data, instant messenger sessions from Telegram and Discord, and cryptocurrency” and contains defense evasion techniques. While the malware may be new, one technique that stood out isn’t! The use of the Windows run registry key for persistence (Software\Microsoft\Windows\CurrentVersion\Run) is not.
This registry key is abused because of the function it carries with it: you can reference an executable or script or whatever you want in the registry details and it will execute once a user logs in. This removes the need for the adversary to have to social engineer or compromise a host over and over again.
Knowing that, enjoy the article and stay tuned for your Threat Hunting Tip of the Day!
Unmasking Styx Stealer: How a Hacker’s Slip Led to an Intelligence Treasure Trove
https://research.checkpoint.com/2024/unmasking-styx-stealer-how-a-hackers-slip-led-to-an-intelligence-treasure-trove/
Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
@LeeArchinal@ioc.exchange How do they gain admin access? Just hope for authorization from a user?
@benfulton@fosstodon.org Looking at the report, I have to make an assumption: Since the malware is able to monitor the clipboard, maybe the user copied and pasted some admin creds OR since it is able to extract passwords and information from browsers if the victim has privileged creds stored in extensions or their browser password manager they could get them from there.