New PXA Stealer Aims at Government and Education Sectors to Extract Sensitive Information

Summary:

Cisco Talos has uncovered a new information-stealing campaign led by a Vietnamese-speaking threat actor, targeting government and educational institutions in Europe and Asia. The campaign utilizes a Python-based malware known as PXA Stealer, which is capable of extracting sensitive information such as online account credentials, financial data, and browser cookies. The attacker employs sophisticated obfuscation techniques and operates through Telegram channels, selling stolen credentials and tools. The campaign’s infrastructure includes a domain used to host malicious scripts and tools.

Key points:

  • Discovery of a new information-stealing campaign by a Vietnamese-speaking threat actor.
  • The campaign targets government and education entities in Europe and Asia.
  • Utilizes a Python program called PXA Stealer to extract sensitive information.
  • PXA Stealer can decrypt browser master passwords to steal stored credentials.
  • Attacker employs complex obfuscation techniques in batch scripts.
  • Credentials and tools are sold through the Telegram channel “Mua Bán Scan MINI.”
  • Malicious scripts are hosted on the domain tvdseo[.]com.
  • Attacker uses Telegram bots for data exfiltration.
  • Tools shared in underground channels include automated utilities for managing user accounts.
  • Initial access is gained through phishing emails containing malicious ZIP files.
  • Batch scripts execute PowerShell commands to download and run malicious payloads.
  • PXA Stealer targets various types of sensitive data, including browser cookies and credit card information.
  • The attacker is linked to Vietnamese cybercrime groups but not confirmed as part of CoralRaider.

MITRE Techniques

  • Credential Dumping (T1003): PXA Stealer decrypts browser master passwords to access stored credentials.
  • Data Encrypted (T1022): The malware encrypts sensitive information before exfiltration.
  • Command and Control (T1071): Utilizes Telegram bots for exfiltrating stolen data.
  • Phishing (T1566): Initial access is gained through phishing emails with malicious attachments.
  • Obfuscated Files or Information (T1027): The attacker uses obfuscation techniques in batch scripts.
  • Exploitation for Client Execution (T1203): The malware exploits vulnerabilities in the victim’s environment to execute malicious payloads.

IoC:

  • [domain] tvdseo.com
  • [Telegram Bot Token] 7545164691:AAEJ4E2f-4KZDZrLID8hSRSJmPmR1h-a2M4
  • [Telegram Bot Token] 7414494371:AAGgbY4XAvxTWFgAYiAj6OXVJOVrqgjdGVs
  • [Telegram Chat ID] -1002174636072
  • [Telegram Chat ID] -1002150158011
  • [Telegram Chat ID] -4559798560
  • [Telegram Chat ID] -4577199885
  • [Telegram Chat ID] -4575205410
  • [url] hxxps://tvdseo.com/file/synaptics.zip
  • [url] hxxps://tvdseo.com/file/PXA/PXA_PURE_ENC
  • [url] hxxps://tvdseo.com/file/PXA/PXA_BOT
  • [url] hxxps://tvdseo.com/file/PXA/Cookie_Ext.zip
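The IoC list above is only useful if it is actually matched against traffic. The script below is an added example for defenders, not code from the Talos report or from the campaign: it loads the listed domain, URLs, Telegram bot tokens and chat IDs, refangs the defanged `hxxps://` forms, and scans proxy-style log lines for them. It goes slightly beyond the list by also flagging any Telegram Bot API token it sees (the generic `<bot id>:<35-char secret>` shape) as an unknown token, since Bot API calls from endpoints were the exfiltration channel here. The log lines are constructed for the example; the helper and field names are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from collections import Counter

# IoCs as listed in the summary above (domain and URLs kept in their defanged form).
IOC_DOMAIN = "tvdseo.com"
IOC_URLS = [
    "hxxps://tvdseo.com/file/synaptics.zip",
    "hxxps://tvdseo.com/file/PXA/PXA_PURE_ENC",
    "hxxps://tvdseo.com/file/PXA/PXA_BOT",
    "hxxps://tvdseo.com/file/PXA/Cookie_Ext.zip",
]
IOC_BOT_TOKENS = {
    "7545164691:AAEJ4E2f-4KZDZrLID8hSRSJmPmR1h-a2M4",
    "7414494371:AAGgbY4XAvxTWFgAYiAj6OXVJOVrqgjdGVs",
}
IOC_CHAT_IDS = {"-1002174636072", "-1002150158011", "-4559798560",
                "-4577199885", "-4575205410"}

# Generic shape of a Telegram Bot API token: numeric bot id, colon, 35-char secret.
# The lookarounds stop it matching inside a longer digit run or secret.
TOKEN_RE = re.compile(r"(?<!\d)\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")
# Domain match that does not fire on a longer host such as "nottvdseo.com".
DOMAIN_RE = re.compile(r"(?<![\w.-])" + re.escape(IOC_DOMAIN) + r"(?![\w-])", re.I)
CHAT_ID_RE = re.compile(r"chat_id=(-?\d+)")


def refang(s: str) -> str:
    """Turn the defanged IoC form back into what would appear in a real log."""
    return (s.replace("hxxps://", "https://")
             .replace("hxxp://", "http://")
             .replace("[.]", "."))


@dataclass
class Hit:
    line_no: int
    kind: str
    value: str


def scan_line(line_no: int, line: str) -> list:
    """Return every IoC hit found in one log line, in a stable order."""
    hits = []
    low = line.lower()
    # Full URL matches first; a URL hit already implies the domain.
    for url in IOC_URLS:
        if refang(url).lower() in low:
            hits.append(Hit(line_no, "url", url))
    if not hits and DOMAIN_RE.search(line):
        hits.append(Hit(line_no, "domain", IOC_DOMAIN))
    # Telegram Bot API traffic: .../bot<token>/sendDocument?chat_id=...
    for tok in TOKEN_RE.findall(line):
        kind = "known_bot_token" if tok in IOC_BOT_TOKENS else "unknown_bot_token"
        hits.append(Hit(line_no, kind, tok))
    for cid in CHAT_ID_RE.findall(line):
        if cid in IOC_CHAT_IDS:
            hits.append(Hit(line_no, "chat_id", cid))
    return hits


def scan_log(lines) -> list:
    out = []
    for i, line in enumerate(lines, 1):
        out.extend(scan_line(i, line))
    return out


def summarize(hits) -> dict:
    """Count hits per kind, e.g. for a quick triage line in a ticket."""
    return dict(Counter(h.kind for h in hits))


# Constructed sample proxy log (not real traffic). The Bot API token on the
# last line is a made-up placeholder of the right shape, not a real token.
SAMPLE_LOG = [
    "2024-11-14T09:01:12Z GET https://www.example.com/index.html 200",
    "2024-11-14T09:02:30Z GET https://tvdseo.com/file/synaptics.zip 200",
    "2024-11-14T09:03:05Z POST https://api.telegram.org/bot"
    "7545164691:AAEJ4E2f-4KZDZrLID8hSRSJmPmR1h-a2M4/sendDocument?chat_id=-1002174636072 200",
    "2024-11-14T09:04:44Z GET https://tvdseo.com/robots.txt 404",
    "2024-11-14T09:05:10Z POST https://api.telegram.org/bot"
    "1234567890:" + "A" * 35 + "/sendMessage?chat_id=42 200",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.kind} {h.value}")
    print(summarize(scan_log(SAMPLE_LOG)))
```

Run against the sample, the scanner reports the download URL, the known bot token with its chat ID, a bare domain hit for the 404 and one unknown token; in a real deployment the unknown-token class is the one worth a lower-severity alert, since legitimate endpoints rarely talk to the Bot API at all.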

Full Research: https://blog.talosintelligence.com/new-pxa-stealer/