Typhon Reborn V2 became more elusive after upgrades

April 26, 2023
Typhon Reborn V2 Cryptominer Cryptocurrency Malware Cyber Threat Detection Evasion

Typhon Reborn, the rewritten successor of the Typhon Stealer (an information stealer whose early builds also bundled a cryptominer), has received a second major revision. Its developers have released a V2 build whose codebase changes add new functionality and are aimed squarely at frustrating threat analysis.

Researchers recently reported the discovery of the Typhon Reborn V2 build. The developer has already received payments from multiple sources, which suggests the tool has attracted several threat groups as customers.

Researchers have also recovered several V2 samples in the wild, so the tool is already being deployed; the earliest observed samples date from December 2022.

The new Typhon Reborn has stronger capabilities for countering cyber defences.
According to the analysis, Typhon Reborn V2 adds several layers of anti-VM and anti-analysis checks. The developers also state that they refactored Typhon’s codebase and removed features such as keylogging, trimming the noisy behaviour that security products most readily detect on a victim system.

In their place is new gating logic that aborts execution when the infected host matches criteria the operators want to avoid, above all the fingerprints of analysis environments. Typhon Reborn V2 compares the local username, installed applications, running processes, and CPUID values against built-in lists.

It also runs an emulation check and a debugger-detection check before it proceeds to compromise the host.
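The host checks in the preceding paragraphs, modelled in code as an added example for this page (this is not Typhon Reborn V2’s own code; the denylist contents, the sleep-skew emulation probe and the HostProfile type are assumptions chosen for illustration, not the malware’s real lists or logic):

```python
"""
Added example for this page, not Typhon Reborn V2's own code: a model of the
host-fingerprint gate described above (username, process, CPU name, debugger
and emulation checks) so an analyst can see which attributes of a sandbox
would make such a sample abort.  All denylist contents are assumed
placeholders, not the malware's real lists.
"""
import re
import sys
import time
from dataclasses import dataclass

# Assumed denylists (hypothetical examples of the categories the article names).
BLOCKED_USERNAMES = {"sandbox", "malware", "virus", "analyst", "test"}
BLOCKED_PROCESSES = {"wireshark.exe", "procmon.exe", "x64dbg.exe", "ollydbg.exe",
                     "vboxservice.exe", "vmtoolsd.exe"}
BLOCKED_CPU_PATTERNS = [re.compile(p, re.I) for p in (r"virtual", r"qemu", r"kvm", r"bochs")]


@dataclass
class HostProfile:
    """Snapshot of the attributes the gate looks at (assumed shape, for illustration)."""
    username: str
    processes: set          # image names of running processes
    cpu_name: str           # CPUID brand/vendor string
    debugger_present: bool
    sleep_skipped: bool     # emulation check: did a sleep return too early?


def analysis_indicators(host: HostProfile) -> list:
    """Return the categories that would make the sample refuse to run (empty = runs)."""
    reasons = []
    if host.username.lower() in BLOCKED_USERNAMES:
        reasons.append("username")
    hits = {p.lower() for p in host.processes} & BLOCKED_PROCESSES
    if hits:
        reasons.append("process:" + ",".join(sorted(hits)))
    if any(pat.search(host.cpu_name) for pat in BLOCKED_CPU_PATTERNS):
        reasons.append("cpuid")
    if host.debugger_present:
        reasons.append("debugger")
    if host.sleep_skipped:
        reasons.append("emulation")
    return reasons


def would_execute(host: HostProfile) -> bool:
    """The gate: a single indicator is enough for the sample to bail out."""
    return not analysis_indicators(host)


# --- live probes for two of the checks (cross-platform approximations) ---

def sleep_skew_check(seconds: float = 0.5) -> bool:
    """True if a sleep returned noticeably early: emulators that fast-forward sleeps trip this."""
    start = time.perf_counter()
    time.sleep(seconds)
    return (time.perf_counter() - start) < seconds * 0.8


def debugger_attached() -> bool:
    """IsDebuggerPresent on Windows; TracerPid in /proc/self/status on Linux."""
    if sys.platform == "win32":
        import ctypes
        return bool(ctypes.windll.kernel32.IsDebuggerPresent())
    try:
        with open("/proc/self/status") as f:
            for line in f:
                if line.startswith("TracerPid:"):
                    return int(line.split()[1]) != 0
    except OSError:
        pass
    return False


if __name__ == "__main__":
    # Constructed profiles: a typical analysis VM versus a normal workstation.
    sandbox = HostProfile("sandbox", {"explorer.exe", "vboxservice.exe"},
                          "Virtual CPU @ 2.00GHz", False, True)
    victim = HostProfile("maria", {"explorer.exe", "chrome.exe"},
                         "Intel(R) Core(TM) i7-9700K", False, False)
    print("sandbox:", analysis_indicators(sandbox))  # -> ['username', 'process:vboxservice.exe', 'cpuid', 'emulation']
    print("victim :", analysis_indicators(victim))   # -> []
    print("this host: debugger=%s sleep_skipped=%s" % (debugger_attached(), sleep_skew_check(0.2)))
```

Run it on a sandbox image: every entry in the indicator list is an attribute under which a sample of this kind would refuse to run, and the matching fixes are renaming the analysis account, hiding hypervisor process names from the process list, and letting sleeps run at real speed. Real samples carry their own, much larger lists, so the categories rather than these particular strings are the point.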

The persistence code was removed in the same revision: rather than surviving reboots, the malware now terminates itself once its operators’ data exfiltration is complete, leaving fewer artefacts behind.

Researchers first identified Typhon Reborn in August 2022. It steals data from VPN clients, browsers, gaming applications, messaging applications, and cryptocurrency wallets.

The new variant carries more theft features and anti-defence techniques than the original Typhon Stealer. Analysts note that it prioritises Microsoft Edge browser extensions for cryptocurrency wallets such as Yoroi, Rabet, and MetaMask. Collected data is exfiltrated to the operators through Telegram’s API.
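Because the exfiltration channel is Telegram’s HTTP API, the operator’s bot token rides in every request path, which makes outbound proxy logs a good place to look. The detection script below is an added example for this page, not code from the article or from the malware; the key=value log format, the sample entries and the assumed Bot API URL shape (/bot<id>:<secret>/<method>) are all constructed for illustration.

```python
"""
Added example for this page (not the malware's code and not from the original
article): spotting Telegram Bot API exfiltration in outbound proxy logs.
The log format is a made-up key=value style and the entries are constructed,
not captured traffic.
"""
import re

# A Bot API URL carries the bot token in the path: /bot<id>:<secret>/<method>.
# The id/secret length bounds are assumptions that fit current token shapes.
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d{6,12}):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<api>[A-Za-z]+)")
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}

# Constructed sample proxy log lines (fictional hosts, fictional token).
SAMPLE_LOGS = [
    "2023-04-20T10:01:02Z src=10.0.5.23 method=POST host=api.telegram.org "
    "path=/bot1234567890:AAHxyz_abcdefghijklmnopqrstuvwxyz123/sendDocument status=200 bytes=1048576",
    "2023-04-20T10:01:03Z src=10.0.5.23 method=POST host=api.telegram.org "
    "path=/bot1234567890:AAHxyz_abcdefghijklmnopqrstuvwxyz123/sendMessage status=200 bytes=512",
    "2023-04-20T10:02:00Z src=10.0.7.9 method=GET host=web.telegram.org path=/ status=200 bytes=20480",
    "2023-04-20T10:03:00Z src=10.0.5.23 method=GET host=api.telegram.org "
    "path=/bot1234567890:AAHxyz_abcdefghijklmnopqrstuvwxyz123/getMe status=200 bytes=200",
]


def parse_line(line: str) -> dict:
    """Split 'ts k=v k=v ...' into a dict; values never contain spaces in this format."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def find_bot_api_calls(lines) -> list:
    """Return one finding per request whose path matches the Bot API token pattern."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("host", "").lower() != "api.telegram.org":
            continue
        m = BOT_PATH.match(rec.get("path", ""))
        if not m:
            continue
        findings.append({
            "ts": rec["ts"],
            "src": rec.get("src", "?"),
            "bot_id": m["bot_id"],
            "token_prefix": m["secret"][:4] + "...",  # never copy the full token into alerts
            "api": m["api"],
            "bytes": int(rec.get("bytes", 0)),
        })
    return findings


def summarize(findings) -> dict:
    """Group by (source host, bot id); an upload method is what makes it stealer-style exfil."""
    summary = {}
    for f in findings:
        key = (f["src"], f["bot_id"])
        entry = summary.setdefault(key, {"bytes": 0, "apis": set(), "severity": "medium"})
        entry["bytes"] += f["bytes"]
        entry["apis"].add(f["api"])
        if f["api"] in UPLOAD_METHODS:
            entry["severity"] = "high"
    return summary


if __name__ == "__main__":
    for key, entry in summarize(find_bot_api_calls(SAMPLE_LOGS)).items():
        print(key, entry)
```

Bot API traffic from end-user workstations is rare in most estates, so a (source, bot id) pair that includes an upload method such as sendDocument is a strong signal, and the bot id itself is an indicator to pivot on across hosts. The script deliberately records only a prefix of the secret so that the operator’s token never ends up in your own alert stream.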

Cybersecurity experts advise organisations to review their systems and detections regularly, since Typhon Reborn V2’s evasion checks are designed to defeat the automated sandbox analysis that many defences rely on.
