A pair of cybercriminals inadvertently leaked a “treasure trove” of information on their own operations due to exposure of Telegram Bot API tokens used by the hackers to exfiltrate victim data, Check Point researchers revealed last week.
The discovery of a Telegram bot token in the configuration file of a malware sample that came from one of Check Point’s customers led the researchers down a rabbit hole that ultimately exposed the operators of the Styx Stealer malware-as-a-service (MaaS) and the Agent Tesla malware campaign.
The threat actors both used Telegram’s infrastructure via the Telegram Bot API to exfiltrate data stolen from victims, a stealthier method than utilizing their own infrastructure. However, this method left the Telegram bot token behind in the malware files, which Check Point was able to decrypt and use to access information from the bot associated with the Agent Tesla campaign.
While monitoring the Agent Tesla bot, called joemmBot, the researchers noticed an unusual archive that differed from reports typically uploaded by the Agent Tesla threat actor, which contained information pertaining to the infostealer called Styx Stealer.
Styx Stealer is an infostealer based on Phemedrone Stealer that first appeared in April 2024 as an MaaS offering and includes many of the same core capabilities as Phemedrone, namely the ability to steal browser data, cryptocurrency wallet data, location data, messaging service sessions and certain files from the victim’s computer.
Styx Stealer also adds some additional evasion capabilities, an updated builder and graphical user interface (GUI), and a crypto-clipping function, which scans the victim’s clipboard for cryptocurrency wallet addresses and replaces these addresses to direct transactions to the attacker’s own wallet.
It was through the Styx Stealer operator’s plan to add Telegram-based data exfiltration to the malware’s features that led to the lapse in operational security.
Hacker buddies’ Telegram chats shed light on malware schemes
The Check Point researchers wrote that they were able to leverage the joemmBot token associated with Agent Tesla to gain access to communications between the Styx Stealer operator, known as "Sty1x," and a user named "Mack_Sant." These Telegram conversations revealed that Mack_Sant suggested Sty1x use the Telegram Bot API for data exfiltration, leading the former to send the joemmBot token and chatID to the latter.
While debugging Styx Stealer, Sty1x uploaded an archive file from his computer to Telegram via joemmBot, leading to its discovery by Check Point. This archive included a trove of information including user data from two Telegram accounts operated by Sty1x, phone numbers used by Sty1x and screenshots showing the Visual Studio IDE interface during the debugging process of the Styx Stealer executable.
Through login records from Sty1x’s Telegram accounts, styxencode and cobrasupports, that were included in the archive, Check Point determined styxencode operated from Turkey; this was also corroborated by the Turkish country code of one of Sty1x’s phone numbers and the Turkish-language interface seen in the Visual Studio IDE screenshot.
The researchers were also able to determine the approximate number of Styx Stealer customers, who are required to contact the styxencode Telegram account in order to obtain the malware license. The team counted 54 customers and also identified eight cryptocurrency wallets used by Sty1x to accept customer payments.
The conversations between Sty1x and Mack_Sant also revealed information about Mack_Sant’s cybercrime activities, including his use of the Origin malware and targeting of users based in China. Further investigation yielded the token and chat ID of a Telegram bot created through the cobrasupports account, called kralboting_bot, through which the researchers uncovered more Styx Stealer reports.
These reports again revealed the location and IP address of Sty1x, but one report was uploaded by a different user called "Fucos." By synthesizing information from this report and the Telegram conversations between the two hackers, the researchers realized that Fucos was, in fact, Mack_Sant, who had used Sty1x’s kralboting_bot to test Styx Stealer on his own computer.
The report uploaded by Fucos revealed Fucos’/Mack_Sant’s IP address and location in Lagos, Nigeria. The username Fucos was also known to be used by the operator of the Agent Tesla campaign, bringing the investigation full circle.
The researchers noted that Sty1x’s downfall may have come from his use of an older version of Phemedrone to build Styx Stealer, as the latest version of Phemedrone encrypts all data sent to Telegram with a unique key for each campaign.
