| Category | Details |
|---|---|
| Threat Actors | Vietnamese-speaking attacker. Potentially linked to the CoralRaider group or another Vietnamese cybercrime group. |
| Campaign Overview | Aimed at information theft using the PXA Stealer malware. Targets sensitive information, such as credentials, browser data, cryptocurrency wallets, and more. Includes phishing attacks with ZIP files containing malicious executables. |
| Target Regions | Education sector in India and government organizations in Europe (e.g., Sweden, Denmark). |
| Methodology | Complex obfuscation techniques, phishing emails with malicious attachments, using Telegram bots for exfiltration, leveraging compromised or rented domains for hosting malicious scripts. |
| Product Targeted | Web browsers (Chrome, Firefox, Edge, etc.), cryptocurrency wallets, VPN clients, FTP clients, gaming software, and password managers. |
| Malware Reference | PXA Stealer, which decrypts browser master passwords, retrieves sensitive data, and exfiltrates it to the attacker. |
| Tools Used | Hotmail batch creation tool; Hotmail cookie batch modification tool; email mining tool; automated tools for managing user accounts; portable Python executables for malware execution. |
| Vulnerabilities Exploited | No specific CVEs mentioned. Relies on phishing for initial access and exploits system and browser mechanisms for data decryption. |
| TTPs | Phishing emails with ZIP attachments containing malicious executables; obfuscated batch scripts and PowerShell commands; Telegram bots for data exfiltration; malware-hosting domains (e.g., tvdseo[.]com); persistence through registry changes and startup folder modifications. |
| Attribution | Likely Vietnamese origin, based on language, comments in the malware, and activities in Vietnamese Telegram groups. Associated with underground channels like “Mua Bán Scan MINI”. |
| Recommendations | Monitor and block suspicious domains (e.g., tvdseo[.]com); educate users on phishing awareness; implement endpoint detection solutions; use multi-factor authentication (MFA) for critical accounts; regularly audit and restrict access to sensitive data; update and patch systems regularly to reduce vulnerabilities. |
| Source | Cisco Talos Blog. |
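As an added illustration of the "monitor and block suspicious domains" recommendation and the Telegram-bot exfiltration TTP above (example code, not from the Talos report or the PXA Stealer analysis): the script refangs the indicator as written in the summary, then scans constructed proxy-style log lines for contact with that host or with the Telegram Bot API upload endpoints. The log format, field names and sample lines are assumptions made for the example.

```python
import re

# Indicator exactly as the summary gives it (defanged); refanged before matching.
DEFANGED_IOCS = ["tvdseo[.]com"]

# Telegram Bot API requests take the documented form /bot<id>:<token>/<method>;
# the method list here is a defender's choice of upload-capable methods to watch.
TELEGRAM_HOST = "api.telegram.org"
TELEGRAM_BOT_PATH = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/(sendDocument|sendMessage|sendPhoto)")

# Assumed log layout: "... proc=<process> dst=<host> path=<url-path>"
LOG_RE = re.compile(r"proc=(?P<proc>\S+)\s+dst=(?P<dst>\S+)\s+path=(?P<path>\S+)")


def refang(ioc: str) -> str:
    """Turn report-style defanged notation back into a matchable hostname."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


BLOCKED_HOSTS = {refang(i) for i in DEFANGED_IOCS}


def matches_host(dst: str, blocked: set) -> bool:
    """True for the blocked host itself or any subdomain of it."""
    return any(dst == b or dst.endswith("." + b) for b in blocked)


def scan_log(lines):
    """Return one alert dict per suspicious line, with the reasons it fired."""
    alerts = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        proc, dst, path = m.group("proc", "dst", "path")
        reasons = []
        if matches_host(dst, BLOCKED_HOSTS):
            reasons.append("known malware-hosting domain")
        if dst == TELEGRAM_HOST and TELEGRAM_BOT_PATH.match(path):
            reasons.append("Telegram bot API upload (possible exfiltration)")
        # A Python interpreter issuing these requests fits the portable-Python delivery described.
        if reasons and proc.lower().startswith("python"):
            reasons.append("request made by a Python interpreter")
        if reasons:
            alerts.append({"proc": proc, "dst": dst, "reasons": reasons})
    return alerts


# Constructed sample lines for the example (not real telemetry).
SAMPLE_LOGS = [
    "2024-11-14T09:12:01Z host=desk-07 proc=python.exe dst=tvdseo.com path=/placeholder-script",
    "2024-11-14T09:12:05Z host=desk-07 proc=python.exe dst=api.telegram.org path=/bot123456:EXAMPLETOKEN/sendDocument",
    "2024-11-14T09:13:00Z host=desk-08 proc=chrome.exe dst=www.example.org path=/index.html",
]
```

Running `scan_log(SAMPLE_LOGS)` flags the first two lines and leaves the ordinary browser request alone; in practice the blocked-host set would be fed from your threat-intel feed rather than a literal list.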
Disclaimer: The above summary has been generated by an AI language model.