

Ethical Hacking News

A New Stealer Malware Emerges: Threat Actors from Vietnam Target Europe and Asia with PXA Stealer


A new piece of malware has emerged, targeting government and education entities in Europe and Asia with the PXA Stealer tool. This Python-based information-stealing malware targets sensitive information, including credentials for various online accounts, VPN and FTP clients, financial information, browser cookies, and data from gaming software.

  • PXA Stealer is a Python-based information-stealing tool targeting sensitive information in government and education entities.
  • The malware has connections to Vietnam due to Vietnamese comments and a Telegram account named "Lone None".
  • The attackers are selling Facebook and Zalo account credentials, as well as SIM cards, in a Telegram channel.
  • The tools shared by the attacker include automated utilities for managing user accounts, such as Hotmail batch creation tools.
  • The attack chain begins with a phishing email containing a ZIP file attachment that triggers a Rust-based loader and PowerShell commands to disable antivirus programs.
  • PXA Stealer focuses on stealing Facebook cookies to authenticate sessions and gather ad-related information.
  • StrelaStealer is another malware targeting Microsoft Outlook and Mozilla Thunderbird user credentials, spread via phishing emails resembling real invoice notifications.
  • Stealer malware continues to evolve and adapt despite law enforcement efforts to disrupt them.



    A new piece of malware has emerged, targeting government and education entities in Europe and Asia. The malware, dubbed PXA Stealer, is a Python-based information-stealing tool that targets sensitive information, including credentials for various online accounts, VPN and FTP clients, financial information, browser cookies, and data from gaming software.

    According to Cisco Talos researchers Joey Chen, Alex Karkins, and Chetan Raghuprasad, the connections to Vietnam stem from the presence of Vietnamese comments and a hard-coded Telegram account named "Lone None" in the stealer program. This Telegram account includes an icon of Vietnam's national flag and a picture of the emblem for Vietnam's Ministry of Public Security.

    The attackers have been observed selling Facebook and Zalo account credentials, as well as SIM cards, in the Telegram channel "Mua Bán Scan MINI." This channel has previously been linked to another threat actor called CoralRaider. However, it is currently unclear if these two intrusion sets are related or if they are carrying out their campaigns independently of each other.

    The tools shared by the attacker in the group are automated utilities designed to manage several user accounts. These tools include a Hotmail batch creation tool, an email mining tool, and a Hotmail cookie batch modification tool. The compressed packages provided by the threat actor often contain not only the executable files for these tools but also their source code, allowing users to modify them as needed.

    The attack chains propagating PXA Stealer commence with a phishing email containing a ZIP file attachment, which includes a Rust-based loader and a hidden folder that packs in several Windows batch scripts and a decoy PDF file. The execution of the loader triggers the batch scripts, which are responsible for opening the lure document, a Glassdoor job application form, while also running PowerShell commands to download and run a payload capable of disabling antivirus programs running on the host.
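As an added, defender-side example that is not part of the original article, the following Python triage function checks a ZIP attachment for the delivery layout described above: an executable loader at the top level, batch scripts inside a hidden folder, and a decoy document. The sample archive it builds is constructed with placeholder contents, and the member names and the hidden-folder heuristic (DOS hidden attribute or dot-prefixed name) are assumptions, not details taken from the campaign.

```python
import io
import os
import zipfile

DOS_HIDDEN = 0x02  # MS-DOS "hidden" bit in the low byte of ZipInfo.external_attr
DOS_DIR = 0x10     # MS-DOS "directory" bit
EXE_EXTS = {".exe", ".scr", ".com"}
SCRIPT_EXTS = {".bat", ".cmd", ".ps1"}
DECOY_EXTS = {".pdf", ".doc", ".docx"}

def _hidden_dir(info: zipfile.ZipInfo) -> bool:
    # A folder counts as hidden if it carries the DOS attribute or is dot-prefixed.
    leaf = info.filename.rstrip("/").rsplit("/", 1)[-1]
    return info.is_dir() and (bool(info.external_attr & DOS_HIDDEN) or leaf.startswith("."))

def triage_zip(data: bytes) -> dict:
    """Classify ZIP members against the described PXA Stealer delivery layout: a native
    loader executable, batch scripts in a hidden folder, and a decoy document."""
    found = {"executables": [], "hidden_scripts": [], "decoys": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        hidden_dirs = {i.filename for i in infos if _hidden_dir(i)}
        for info in infos:
            if info.is_dir():
                continue
            in_hidden = (bool(info.external_attr & DOS_HIDDEN)
                         or any(info.filename.startswith(d) for d in hidden_dirs))
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in EXE_EXTS:
                found["executables"].append(info.filename)
            elif ext in SCRIPT_EXTS and in_hidden:
                found["hidden_scripts"].append(info.filename)
            elif ext in DECOY_EXTS:
                found["decoys"].append(info.filename)
    # Loader plus hidden scripts is the signal; the decoy document is supporting context.
    found["suspicious"] = bool(found["executables"] and found["hidden_scripts"])
    return found

def build_sample(hide_folder: bool = True) -> bytes:
    """Constructed archive mimicking the described layout; every member is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Job_Application.exe", b"MZ placeholder, not a real binary")
        folder = zipfile.ZipInfo("resources/")
        folder.external_attr = DOS_DIR | (DOS_HIDDEN if hide_folder else 0)
        zf.writestr(folder, b"")
        zf.writestr("resources/run.bat", b"@echo off\r\nrem placeholder\r\n")
        zf.writestr("resources/Glassdoor_Form.pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()
```

Run `triage_zip(build_sample())` to see the flagged layout; with `hide_folder=False` the same members are not flagged, which shows the heuristic keys on the hidden-folder trick rather than on batch files alone.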

    A noteworthy feature of PXA Stealer is its emphasis on stealing Facebook cookies, using them to authenticate a session and then interact with Facebook Ads Manager and the Graph API to gather more details about the account and its associated ad-related information. This demonstrates the attackers' ability to use stolen credentials to gain access to sensitive data and resources.

    The targeting of Facebook business and advertisement accounts has been a recurring pattern among Vietnamese threat actors, and PXA Stealer proves to be no different. The disclosure comes as IBM X-Force detailed an ongoing campaign since mid-April 2023 that delivers StrelaStealer to victims across Europe, specifically Italy, Spain, Germany, and Ukraine.

    StrelaStealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. This malware has been observed being spread via phishing emails resembling real invoice notifications, which have been stolen through previously exfiltrated email credentials.

    The popularity of stealer malware is evidenced by the continuous evolution of existing families like RECORDSTEALER (aka RecordBreaker or Raccoon Stealer V2) and Rhadamanthys, as well as the steady emergence of new ones like Amnesia Stealer and Glove Stealer. Despite law enforcement efforts to disrupt them, these stealer malware families continue to evolve and adapt.

    The discovery of PXA Stealer highlights the ongoing threat landscape in the cybersecurity world. It is essential for organizations to remain vigilant and take proactive measures to protect themselves against information-stealing tools like this new malware. By staying informed about emerging threats and implementing robust security measures, individuals and organizations can minimize their risk of falling victim to these types of attacks.



    Related Information:

  • https://thehackernews.com/2024/11/vietnamese-hacker-group-deploys-new-pxa.html


  • Published: Fri Nov 15 08:05:02 2024 by llama3.2 3B Q4_K_M


    © Ethical Hacking News . All rights reserved.
