Category | Details |
---|---|
Threat Actors | Vietnamese-speaking attacker. Potentially linked to the CoralRaider group or another Vietnamese cybercrime group. |
Campaign Overview | Aimed at information theft using the PXA Stealer malware. Targets sensitive information, such as credentials, browser data, cryptocurrency wallets, and more. Includes phishing attacks with ZIP files containing malicious executables. |
Target Regions | Education sector in India and government organizations in Europe (e.g., Sweden, Denmark). |
Methodology | Complex obfuscation techniques, phishing emails with malicious attachments, Telegram bots for exfiltration, and compromised or rented domains for hosting malicious scripts. |
Product Targeted | Web browsers (Chrome, Firefox, Edge, etc.), cryptocurrency wallets, VPN clients, FTP clients, gaming software, and password managers. |
Malware Reference | PXA Stealer, which decrypts browser master passwords, retrieves sensitive data, and exfiltrates it to the attacker. |
Tools Used | – Hotmail batch creation tool – Hotmail cookie batch modification tool – Email mining tool – Automated tools for managing user accounts – Portable Python executables for malware execution. |
Vulnerabilities Exploited | No specific CVEs mentioned. Relies on phishing for initial access and abuses legitimate system and browser mechanisms to decrypt stored data. |
TTPs | – Phishing emails with ZIP attachments containing malicious executables – Using obfuscated batch scripts and PowerShell commands – Leveraging Telegram bots for data exfiltration – Malware-hosting domains (e.g., tvdseo[.]com) – Establishing persistence through registry changes and startup folder modifications. |
Attribution | Likely Vietnamese origin, based on language, comments in the malware, and activities in Vietnamese Telegram groups. Associated with underground channels like “Mua Bán Scan MINI”. |
Recommendations | – Monitor and block suspicious domains (e.g., tvdseo[.]com). – Educate users on phishing awareness. – Implement endpoint detection solutions. – Use multi-factor authentication (MFA) for critical accounts. – Regularly audit and restrict access to sensitive data. – Update and patch systems regularly to reduce vulnerabilities. |
Source | Cisco Talos Blog. |
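As an added, defender-side example that is not part of this summary or the Talos report: a small Python scanner that refangs the domain indicator listed above and flags proxy log lines that reach it (or a subdomain of it) or the Telegram Bot API, the exfiltration channel named in the TTPs row. The log line format, client names and bot token are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Defanged indicator as listed in the summary; refanged only at runtime.
REPORT_DOMAINS = ["tvdseo[.]com"]

# Telegram Bot API requests look like https://api.telegram.org/bot<token>/<method>,
# where the token is "<numeric bot id>:<secret>". From a user workstation this is
# the exfiltration pattern the TTPs row describes, so any hit is worth an alert.
TELEGRAM_BOT_PATH = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/\w+")

def refang(indicator: str) -> str:
    """Turn 'tvdseo[.]com' into 'tvdseo.com' (and hxxp into http)."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()

def host_matches(host: str, domain: str) -> bool:
    """Exact or subdomain match; 'nottvdseo.com' must not match 'tvdseo.com'."""
    return host == domain or host.endswith("." + domain)

def scan_proxy_log(log_text: str, domains=REPORT_DOMAINS) -> list[dict]:
    """One alert per line that touches a listed domain or a Telegram bot endpoint.
    Constructed line format for this example: '<timestamp> <client> <method> <url>'."""
    blocked = [refang(d) for d in domains]
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: skip rather than crash
        _ts, client, _method, url = parts
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()  # strips port and userinfo
        if any(host_matches(host, d) for d in blocked):
            alerts.append({"client": client, "reason": "report-listed domain", "host": host})
        elif host == "api.telegram.org" and TELEGRAM_BOT_PATH.match(parsed.path):
            alerts.append({"client": client, "reason": "telegram bot api (possible exfil)", "host": host})
    return alerts

# Constructed sample log, not captured traffic; the path and token are dummy values.
SAMPLE_LOG = """\
2024-11-14T09:12:01Z ws-01 GET https://www.example.com/index.html
2024-11-14T09:12:07Z ws-02 GET http://cdn.tvdseo.com/CONSTRUCTED-PATH.zip
2024-11-14T09:12:09Z ws-02 POST https://api.telegram.org/bot123456:DUMMY_token-x/sendDocument
2024-11-14T09:13:00Z ws-03 GET https://api.telegram.org/
2024-11-14T09:13:05Z ws-04 GET https://nottvdseo.com/
"""

if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_LOG):
        print(alert)
```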
Disclaimer: The above summary has been generated by an AI language model.