Threat Research: Typhon Reborn, Again.

Summary: What is Typhon?

The creator of Typhon Reborn announced the release of version 2 of the information stealer in early 2023. This is the third iteration of Typhon in less than a year with version 2 boasting new features, including anti-analysis and anti-virtual machine (VM) capabilities. Like its predecessors, it is available for sale on underground forums for a monthly, yearly, or a lifetime subscription. These rapid updates highlight the creator’s motivation to increase Typhon’s capabilities to remain relevant in the evolving cyber landscape.

Typhon Evolution

Originally based on Prynt Stealer malware, Typhon Stealer was first observed in August 2022. At the time its primary capabilities included keylogging, stealing access tokens from applications, and clipping data from web browsers. The original version additionally offered the delivery of XMRig CryptoMiner, but at the time of release it was assessed to only be in development. In November 2022, the developer announced an update to the malware and released it with the new name, “Typhon Reborn.” This update included block listed usernames and countries, new message clients, and a crypto-extension stealer. It also featured a host of new anti-analysis checks and an improved stealer and file grabber.

Typhon Reborn v2 – What’s New?

In January 2023, Typhon Reborn received yet another upgrade with enhanced anti-analysis and anti-virtual machine (VM) checks. Typhon’s developer stated significant changes were included in the update, having specifically refactored the codebase and removed several functions. The removal of the keylogging and crypto-mining features make the malware less noisy and more likely to evade detection by various security tools. Most notably, the code related to establishing persistence was removed in this upgrade, opting instead to terminate itself after completing the exfiltration process. On the other hand, new logic was added to perform debugger and emulation checks, as well as verify usernames, central processing unit identification (CPUIDs), and applications and processes running on the host before infecting a system. Version 2 also comes with options to avoid infecting systems located in the Commonwealth of Independent States (CIS); however, it excludes Ukraine and Georgia. Version 2 continues to use the Telegram API to send the exfiltrated data back to the attacker. Typhon is currently being advertised on underground forums for $59 per month, $360 per year, or a lifetime subscription for $540. This is relatively inexpensive compared to other competing infostealers currently on the market.

Conclusion: Protection Against Typhon Reborn

Cybercrime is impacting businesses of all sizes as criminals can buy access to networks and malware at fairly low costs. The low cost, increased evasion tactics and anti-analysis features have made Typhon Reborn version 2 an appealing malware to threat actors. It is likely that the threat actors behind Typhoon Reborn will actively update coding and features offered within the malware to attract more cybercriminals. It is recommended that organizations inventory externally facing services to reduce the attack surface available to threat actors. Additionally, companies should continue employee training and strengthening of email security solutions to detect and stop threat actors before they can penetrate network perimeters.

_______________________________________________________________________________________________________________

The Critical Start Cyber Threat Intelligence (CTI) team will continue to monitor the situation and work closely with the Threat Detection Engineering (TDE) team and the SOC to implement any relevant detections. For future updates, the CTI team will post via ZTAP® Bulletins and on the Critical Start Intelligence Hub.

References: