EXECUTIVE SUMMARY:
A newly discovered information-stealing campaign, operated by a Vietnamese-speaking threat actor, has been identified targeting government and education entities in Europe and Asia. The campaign uses a Python-based malware, PXA Stealer, designed to steal sensitive information from victims. The actor targets a range of data types, including login credentials, financial information, browser cookies, and data from gaming software, among others. The campaign demonstrates a sophisticated level of targeting, combining obfuscation techniques with infrastructure that may be compromised or misused for malicious purposes.
PXA Stealer is deployed through phishing emails containing ZIP file attachments. Once extracted, these files include a Rust-based loader that triggers several obfuscated batch scripts, leading to the installation of the stealer. The malware operates by killing security-related processes and decrypting browser master keys to extract stored credentials and other sensitive data. The stealer also collects information from cryptocurrency wallets, FTP clients, and various applications by using a variety of techniques such as decrypting data from Firefox and Chromium-based browsers. Additionally, the attacker utilizes Telegram bots for data exfiltration and may be selling stolen credentials and malicious tools on underground channels, suggesting a well-organized underground operation.
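The behaviours described above (a loader extracted to a temporary directory launching batch scripts, security-related processes being killed, and exfiltration through the Telegram bot API) each leave an observable trace in endpoint telemetry. The following detection sketch is an added example and is not code from the report or from the threat actor's tooling: it runs three simple rules over a handful of constructed, Sysmon-like process and network events. The event schema, field names, the temp-directory pattern, the security-product process list and the Telegram API host are assumptions chosen for illustration; a real deployment would map them onto the organisation's own EDR or SIEM fields.

```python
"""Detection sketch for PXA Stealer-style behaviours (added example, assumed schema)."""
import re
from dataclasses import dataclass

# --- Assumed detection parameters (not from the report) -------------------
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Example security-product processes an infostealer might try to kill;
# extend with the names of the products actually deployed in your estate.
SECURITY_PROCESSES = {"msmpeng.exe", "mssense.exe", "placeholder_edr_agent.exe"}
TELEGRAM_API_HOSTS = {"api.telegram.org"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Apply three behavioural rules to a list of event dicts and return findings."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            image = basename(ev["image"])
            parent_path = ev.get("parent_image", "")
            # Rule 1: a script host spawned by a binary living in the user's Temp
            # directory, i.e. a loader dropped from an extracted archive.
            if image in SCRIPT_HOSTS and TEMP_DIR_RE.search(parent_path):
                findings.append(Finding("script_host_from_temp_loader", ev["pid"], ev["cmdline"]))
            # Rule 2: taskkill aimed at a known security-product process.
            if image == "taskkill.exe":
                m = re.search(r"/im\s+(\S+)", ev["cmdline"], re.IGNORECASE)
                if m and m.group(1).lower() in SECURITY_PROCESSES:
                    findings.append(Finding("security_process_kill", ev["pid"], m.group(1)))
        elif ev["type"] == "network":
            # Rule 3: a non-browser process talking to the Telegram bot API,
            # the exfiltration channel the campaign is reported to use.
            if ev["dest_host"].lower() in TELEGRAM_API_HOSTS and basename(ev["image"]) not in BROWSERS:
                findings.append(Finding("telegram_api_from_nonbrowser", ev["pid"], ev["dest_host"]))
    return findings


def summarize(findings):
    """Count findings per rule; useful for a quick triage view."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# --- Constructed sample events (not real telemetry) -----------------------
TEMP = r"C:\Users\u\AppData\Local\Temp\zip_1"
SAMPLE_EVENTS = [
    # loader extracted from the ZIP, launched by the user from Explorer
    {"type": "process", "pid": 101, "ppid": 50, "image": TEMP + r"\loader.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": TEMP + r"\loader.exe"},
    # loader runs an obfuscated batch script via cmd.exe
    {"type": "process", "pid": 102, "ppid": 101, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": TEMP + r"\loader.exe", "cmdline": 'cmd.exe /c "' + TEMP + r'\a.bat"'},
    # batch script tries to kill a security product
    {"type": "process", "pid": 103, "ppid": 102, "image": r"C:\Windows\System32\taskkill.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "taskkill /F /IM MsMpEng.exe"},
    # bundled Python interpreter runs the stealer and reaches the Telegram API
    {"type": "process", "pid": 104, "ppid": 102, "image": TEMP + r"\python.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "python.exe stealer.py"},
    {"type": "network", "pid": 104, "image": TEMP + r"\python.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    # benign noise: a user opening a shell, and a browser visiting Telegram's web client
    {"type": "process", "pid": 200, "ppid": 50, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe"},
    {"type": "network", "pid": 300, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "web.telegram.org", "dest_port": 443},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
    print(summarize(detect(SAMPLE_EVENTS)))
```

Each rule on its own would be noisy in a large estate; the value comes from correlating them on the same process tree within a short window, which is how the three sample hits above (all descendants of the loader) would surface as one incident rather than three alerts. Rule 3 in particular should be tuned against legitimate Telegram clients before it pages anyone.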
The PXA Stealer campaign highlights the increasing complexity of operations targeting sensitive data across various sectors, particularly government and education. The use of advanced obfuscation, credential theft, and exploitation of multiple software vulnerabilities reflects a strategic approach by the attacker to bypass detection and maximize the scope of their theft. The evidence of underground activities further suggests that this group may be part of a larger network, raising concerns about the potential for future, broader-scale attacks. Organizations must remain vigilant, implement robust security measures, and educate users to mitigate the risks posed by such threat actors.
THREAT PROFILE:
| Tactic | Technique ID | Technique |
|---|---|---|
| Initial Access | T1566 | Phishing |
| Execution | T1059 | Command and Scripting Interpreter |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1036 | Masquerading |
| Credential Access | T1003 | OS Credential Dumping |
| Credential Access | T1528 | Steal Application Access Token |
| Credential Access | T1552 | Unsecured Credentials |
| Collection | T1213 | Data from Information Repositories |
| Collection | T1056 | Input Capture |
| Exfiltration | T1048 | Exfiltration Over Alternative Protocol |
REFERENCES:
The following report contains further technical details:
https://thehackernews.com/2024/11/vietnamese-hacker-group-deploys-new-pxa.html