New PXA Stealer targets government and education sectors for sensitive information

Threat Actors: A Vietnamese-speaking attacker, potentially linked to the CoralRaider group or to another Vietnamese cybercrime group.

Campaign Overview: Information theft using the PXA Stealer malware. Targets sensitive information such as credentials, browser data and cryptocurrency wallets, among other data. Initial access is by phishing emails carrying ZIP files that contain malicious executables.

Target Regions: The education sector in India and government organizations in Europe (e.g., Sweden, Denmark).

Methodology: Complex obfuscation techniques, phishing emails with malicious attachments, Telegram bots for exfiltration, and compromised or rented domains for hosting malicious scripts.

Products Targeted: Web browsers (Chrome, Firefox, Edge, etc.), cryptocurrency wallets, VPN clients, FTP clients, gaming software, and password managers.

Malware Reference: PXA Stealer, which decrypts browser master passwords, retrieves the stored sensitive data, and exfiltrates it to the attacker.

Tools Used:
– Hotmail batch creation tool
– Hotmail cookie batch modification tool
– Email mining tool
– Automated tools for managing user accounts
– Portable Python executables for running the malware

Vulnerabilities Exploited: No specific CVEs are mentioned. The campaign relies on phishing for initial access and on the operating system's and browsers' own credential-storage mechanisms to decrypt saved data, rather than on a software vulnerability.

TTPs:
– Phishing emails with ZIP attachments containing malicious executables
– Obfuscated batch scripts and PowerShell commands
– Telegram bots for data exfiltration
– Malware-hosting domains (e.g., tvdseo[.]com)
– Persistence through registry changes and Startup folder modifications

Attribution: Likely Vietnamese origin, based on the language used, comments in the malware, and activity in Vietnamese-language Telegram groups. Associated with underground channels such as "Mua Bán Scan MINI".

Recommendations:
– Monitor for and block the reported malicious domains (e.g., tvdseo[.]com), and watch for outbound traffic from workstations to the Telegram Bot API, which is the exfiltration channel described above.
– Educate users on phishing awareness, in particular on ZIP attachments that carry executables.
– Deploy endpoint detection and response (EDR) tooling.
– Require multi-factor authentication (MFA) for critical accounts.
– Regularly audit and restrict access to sensitive data.
– Keep systems updated and patched as general hygiene; note that no vulnerability exploitation is described for this campaign.

Source: Cisco Talos Blog.
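The Telegram-bot exfiltration channel and the malware-hosting domain listed under TTPs, together with the monitoring recommendation, can be turned into a simple proxy-log check. The following Python is an added example written for this summary; it is not code from Cisco Talos, from the PXA Stealer report, or from the malware. The proxy log format, the sample log lines and the bot token in them are constructed for the example; only the tvdseo[.]com domain comes from the summary. The Telegram Bot API URL shape (https://api.telegram.org/bot<id>:<secret>/<method>) is the publicly documented one.

```python
"""Proxy-log check for the PXA Stealer indicators named in the summary above.

Added example for this page, not Cisco Talos code. The log format, the sample
lines and the bot token in them are constructed; only tvdseo[.]com is from the
report. Telegram Bot API URLs have the documented shape
https://api.telegram.org/bot<id>:<secret>/<method>.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Indicator from the report, stored defanged so it is never clickable in config.
DEFANGED_IOC_DOMAINS = ["tvdseo[.]com"]

# Bot API calls that carry data out. A workstation calling the Bot API at all is
# unusual: human Telegram clients use MTProto or web.telegram.org, not api.telegram.org.
EXFIL_METHODS = {"senddocument", "sendmessage", "sendphoto", "sendvideo", "sendaudio"}
TELEGRAM_BOT_PATH = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>[A-Za-z]+)"
)

# Constructed generic proxy format: "<ts> <src_ip> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('tvdseo[.]com', 'hxxps://') back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang(d).lower() for d in DEFANGED_IOC_DOMAINS}


@dataclass
class Alert:
    line_no: int
    src_ip: str
    rule: str
    detail: str


def host_matches(host: str, ioc: str) -> bool:
    """Exact or subdomain match, so a host such as cdn.tvdseo.com also fires."""
    return host == ioc or host.endswith("." + ioc)


def check_line(line_no: int, line: str) -> Optional[Alert]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skip it rather than abort the whole scan
    url = urlsplit(m["url"])
    host = (url.hostname or "").lower()

    for ioc in IOC_DOMAINS:
        if host_matches(host, ioc):
            return Alert(line_no, m["src"], "ioc-domain", f"{host} matches {ioc}")

    if host == "api.telegram.org":
        p = TELEGRAM_BOT_PATH.match(url.path)
        if p:
            rule = "telegram-bot-exfil" if p["method"].lower() in EXFIL_METHODS else "telegram-bot-api"
            # Record only the numeric bot id. The secret half is a live credential;
            # writing it into a SIEM would hand it to everyone who can read alerts.
            return Alert(line_no, m["src"], rule, f"bot {p['bot_id']} called {p['method']}")
    return None


def scan(lines: List[str]) -> List[Alert]:
    alerts = []
    for line_no, line in enumerate(lines, start=1):
        alert = check_line(line_no, line)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample traffic: one benign request, one download from the reported
# domain, one upload to a bot, one benign web.telegram.org visit, one non-upload bot call.
SAMPLE_LOG = [
    "2024-11-14T09:12:01Z 10.20.1.17 GET https://www.example.com/index.html 200",
    "2024-11-14T09:12:07Z 10.20.1.17 GET https://tvdseo.com/file/Update.zip 200",
    "2024-11-14T09:13:44Z 10.20.1.17 POST https://api.telegram.org/bot1234567890:AAHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/sendDocument 200",
    "2024-11-14T09:14:10Z 10.20.1.42 GET https://web.telegram.org/a/ 200",
    "2024-11-14T09:15:02Z 10.20.1.42 GET https://api.telegram.org/bot1234567890:AAHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/getMe 200",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a.line_no} {a.src_ip} [{a.rule}] {a.detail}")
```

Two design points matter in practice. First, the rule splits "any Bot API call from a workstation" from "an upload method such as sendDocument", because the former is worth a look while the latter, on a host that just fetched a ZIP from a reported domain, is the exfiltration the report describes. Second, the bot secret is deliberately never written into the alert: it is a credential that would let anyone reading the SIEM read the attacker's channel, and it belongs in an IR ticket under access control, not in a detection feed.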

Disclaimer: The above summary has been generated by an AI language model.

Published on: November 14, 2024
