In early August 2022, the Cyble Research Labs team discovered Typhon Stealer, a new information stealer with crypto-mining functionality. Researchers have since identified an updated version called Typhon Reborn. Both versions can steal crypto wallets, log keystrokes, and evade antivirus products.
The new version of Typhon Reborn has improved anti-analysis methods and added new features for stealing data and files.
In his Telegram channel, the author of Typhon Reborn also stated that the current price of the malware is $100 for a lifetime license.
New Typhon Reborn features include:
- a blocklist of usernames and countries;
- support for additional messaging clients;
- theft of cryptocurrency data from wallet extensions for Google Chrome and Microsoft Edge (Binance, MetaMask, BitApp, Coin98 and others).
The author also removed several existing functions: the keylogger, clipboard interception and crypto-mining. Experts suggest that dropping these features reduces the chance of detection by antivirus software. According to the Typhon Reborn developer, the removed options will be moved to separate projects of the author in the future.
Typhon Reborn's anti-analysis feature is a method called MeltSelf, which terminates the malware's own process and deletes its file from disk. Notably, after landing on a system, Typhon Reborn runs several checks before deciding whether to invoke MeltSelf. If any of the following checks triggers, MeltSelf runs automatically:
- Debug-argument check (the command line contains the word "--debug");
- Physical-disk-size check (the disk is smaller than 30 GB on Windows 7 and 10, or smaller than 70 GB on Windows 11);
- Malware-analysis-process check (known analysis or protection tools are detected running on the system);
- Single-instance check (if several instances of the malware are running, Typhon Reborn terminates so that instances do not compete for system resources);
- Username check (the malware is running under a username on its blocklist);
- Country check (the user is located in a CIS country).
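The checks above, written out as a sandbox-configuration validator that tells an analyst which of the described MeltSelf conditions a given analysis host would trip before the sample ever runs. This is an added example, not code from the article or the malware; the blocklisted usernames, analysis process names and host profile values are constructed placeholders, and the CIS code list is an illustrative subset.

```python
from dataclasses import dataclass, field

# Disk-size thresholds (GB) below which the article says MeltSelf fires.
MIN_DISK_GB = {"Windows 7": 30, "Windows 10": 30, "Windows 11": 70}
# Constructed placeholders; the real blocklists ship inside the sample's config.
BLOCKED_USERNAMES = {"sandbox", "malware", "virus"}
ANALYSIS_PROCESSES = {"procmon.exe", "x64dbg.exe", "wireshark.exe"}
# Illustrative subset of CIS member-state ISO codes (assumption, not from the article).
CIS_COUNTRY_CODES = {"RU", "BY", "KZ", "KG", "AM", "AZ", "MD", "TJ", "UZ"}


@dataclass
class HostProfile:
    """Constructed description of an analysis VM as the stealer would observe it."""
    os_name: str
    disk_gb: int
    username: str
    country_code: str
    cmdline: str = ""
    instances_running: int = 1
    running_processes: list = field(default_factory=list)


def melt_self_triggers(host: HostProfile) -> list:
    """Return the names of the article's checks that would fire on this host."""
    hits = []
    if "--debug" in host.cmdline.split():
        hits.append("debug argument")
    min_gb = MIN_DISK_GB.get(host.os_name)
    if min_gb is not None and host.disk_gb < min_gb:
        hits.append(f"disk below {min_gb} GB")
    if any(p.lower() in ANALYSIS_PROCESSES for p in host.running_processes):
        hits.append("analysis process")
    if host.instances_running > 1:
        hits.append("multiple instances")
    if host.username.lower() in BLOCKED_USERNAMES:
        hits.append("blocked username")
    if host.country_code.upper() in CIS_COUNTRY_CODES:
        hits.append("CIS country")
    return hits


def would_detonate(host: HostProfile) -> bool:
    """True when none of the checks fires, i.e. the sample would run its payload."""
    return not melt_self_triggers(host)


if __name__ == "__main__":
    vm = HostProfile("Windows 11", 60, "analyst", "US", running_processes=["explorer.exe"])
    print(melt_self_triggers(vm))  # a 60 GB disk is too small for Windows 11
```

An analyst can adjust the VM profile until `would_detonate` returns True, so the sample reaches its stealing logic instead of silently deleting itself.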
Typhon Reborn also collects additional data about the victim and sends it to the operator's Telegram channel:
- Username;
- Operating system information;
- Installed anti-virus software;
- Information about the wireless network and Wi-Fi network passwords;
- Network interface data;
- Language.
Typhon Stealer ships with an easy-to-use builder. Typhon Reborn's custom configurations lower the technical skill required of prospective buyers. Its new anti-analysis methods follow the wider trend in commodity malware: the evasion tactics are becoming more effective and the toolbox for stealing victims' data keeps growing.