The threat actors behind Typhon, a C#-based information-stealing malware first discovered in mid-2022, have released a new version. Dubbed Typhon Reborn, the new malware has a heavily modified codebase compared to the original, containing many new features and evasive techniques.
String obfuscation within the malware payloads, using Base64 and XOR, has improved, making samples more difficult to analyze. A wide range of checks, such as inspecting usernames and CPUIDs, looking for debugger and emulation processes, and querying geolocation data, are run before the malware executes any malicious functions, in an effort to determine whether it is running in a sandbox or another type of analysis environment. The geolocation check is also used to determine whether the infected system is located in certain countries; if it is found in one of the pre-determined countries, the malware stops executing. The list of excluded countries is made up of a user-supplied list as well as a list of Commonwealth of Independent States (CIS) countries.
In addition to the new anti-analysis techniques, the threat actors behind Typhon Reborn appear to be adding new stealing capabilities as well. The list of targeted applications has grown significantly, and gaming clients are now included as a target. However, the samples currently in the wild have the gaming client feature disabled, which likely means it is still under development.
As information stealers are most commonly distributed via phishing emails and pirated software, it is highly recommended to verify content before it is accessed and executed on a system. Implementing and maintaining good email security controls, such as AV scanning and sandboxing, can help prevent phishing emails from reaching an end user's mailbox. Likewise, validating that software is downloaded from the vendor's legitimate website is recommended, so that a malicious payload masquerading as the software is not retrieved instead. It is also recommended to maintain good endpoint security controls, such as an EDR, on all devices within an environment. One of the steps performed by Typhon is to reach out to a specific IP lookup website, using a specific user-agent string, to determine the geolocation of the system. Connections to this site, combined with that user-agent string, can be a good detection mechanism for identifying a system infected with Typhon. Likewise, the malware exfiltrates stolen data over HTTPS connections to the Telegram service's API. These connections to Telegram's API, particularly if Telegram is not used regularly in an organization, can be another good detection method for Typhon infections. Binary Defense's Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
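The two network indicators described above (the geolocation lookup with a distinctive user-agent, followed by traffic to the Telegram API) can be correlated per source host in proxy logs. The following is an added example and not part of the original report; the IP lookup hostname and user-agent string are placeholders because the report does not name them, and the proxy log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Placeholder indicator values: the report does not name the IP lookup site or
# the user-agent string, so replace these with values taken from actual samples.
GEO_LOOKUP_HOST = "ip-lookup.example"       # placeholder, hypothetical host
TYPHON_USER_AGENT = "TYPHON-PLACEHOLDER-UA"  # placeholder, hypothetical UA
TELEGRAM_API_HOST = "api.telegram.org"       # Telegram Bot API endpoint

# Constructed proxy log lines: timestamp, source host, destination host, user-agent
SAMPLE_LOGS = """\
2023-04-01T10:00:01Z ws-17 www.example.com Mozilla/5.0
2023-04-01T10:00:05Z ws-17 ip-lookup.example TYPHON-PLACEHOLDER-UA
2023-04-01T10:00:09Z ws-17 api.telegram.org TYPHON-PLACEHOLDER-UA
2023-04-01T10:01:00Z ws-02 api.telegram.org Telegram/9.0
2023-04-01T10:02:00Z ws-05 www.example.com Mozilla/5.0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")

def parse_line(line):
    """Split one log line into its fields; return None for malformed lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, ua = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "ua": ua}

def score_hosts(log_text):
    """Map each source host to the list of Typhon-related indicators it triggered."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dst"] == GEO_LOOKUP_HOST and rec["ua"] == TYPHON_USER_AGENT:
            findings[rec["src"]].append("geolocation lookup with Typhon user-agent")
        elif rec["dst"] == TELEGRAM_API_HOST:
            findings[rec["src"]].append("connection to Telegram API")
    return dict(findings)

def high_confidence(findings):
    """Hosts showing both the geolocation check and Telegram traffic: strongest signal."""
    return sorted(h for h, reasons in findings.items()
                  if any("geolocation" in r for r in reasons)
                  and any("Telegram" in r for r in reasons))

if __name__ == "__main__":
    found = score_hosts(SAMPLE_LOGS)
    for host, reasons in found.items():
        print(host, reasons)
    print("high confidence:", high_confidence(found))
```

A host that only reaches the Telegram API (ws-02 above) is reported as a weaker finding, which matters in organizations where Telegram is in legitimate use.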