November 15, 2024 at 06:51AM
A Vietnamese-speaking threat actor is using a new malware, PXA Stealer, to target government and educational institutions in Europe and Asia, stealing sensitive information, including credentials and financial data. The malware is delivered via phishing emails and is associated with a Telegram group selling compromised account credentials.
### Meeting Takeaways – November 15, 2024
**Topic: Malware / Credential Theft**
1. **Threat Landscape Overview**:
– A new Python-based malware known as **PXA Stealer** has been linked to a Vietnamese-speaking threat actor, primarily targeting government and educational institutions in Europe and Asia.
2. **Malware Capabilities**:
– PXA Stealer focuses on extracting sensitive information, including:
   – Login credentials for online accounts (e.g., Facebook, VPN, FTP)
   – Financial data
   – Browser cookies
   – Gaming software data
– Specifically, it can decrypt browser master passwords to extract stored credentials.
3. **Attribution and Tactics**:
– Links to Vietnam identified through Vietnamese comments in the malware and a hard-coded Telegram account named **"Lone None"** that features symbols indicating its Vietnamese origin.
– PXA Stealer’s operator also appears to have sold compromised Facebook and Zalo account credentials in a Telegram channel, suggesting possible links to another threat actor, **CoralRaider**.
4. **Tool Distribution and Marketing**:
– The attacker distributes automated tools for managing user accounts, including:
   – Hotmail batch creation
   – Email mining
   – Hotmail cookie modification
– These tools come with their source code, allowing modification by the users.
– The marketing of such tools is further supported by online platforms and YouTube tutorials.
5. **Attack Vectors**:
– Propagation of PXA Stealer typically involves a **phishing email** with a ZIP file containing:
   – A Rust-based loader
   – Batch scripts
   – A decoy PDF (e.g., a Glassdoor job application form)
– The attack involves disabling antivirus defenses before deploying the stealer.
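As an added defender-side example (not code from the original report or from any vendor), the following mail-gateway triage heuristic inspects a ZIP attachment's member names for the lure structure described above: an executable loader, a batch script and a decoy document in one archive, plus double-extension names such as `Form.pdf.exe`. The extension buckets and the sample archives are constructed assumptions, not a signature for PXA Stealer.

```python
import io
import zipfile
from collections import Counter

# Heuristic role buckets for archive members (assumed, not an official signature).
LOADER_EXTS = {".exe", ".dll", ".scr"}
SCRIPT_EXTS = {".bat", ".cmd", ".ps1", ".vbs"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xlsx"}

def _ext(name: str) -> str:
    # Final extension of a member name, lower-cased ('' if none).
    base = name.rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""

def triage_zip(data: bytes) -> dict:
    """Bucket each ZIP member as loader/script/decoy/other, flag the loader +
    script + decoy combination, and flag double extensions (form.pdf.exe)."""
    roles, members, masquerades = Counter(), [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = _ext(name)
            if ext in LOADER_EXTS:
                roles["loader"] += 1
                if _ext(name.lower()[: -len(ext)]) in DECOY_EXTS:
                    masquerades.append(name)  # executable disguised as a document
            elif ext in SCRIPT_EXTS:
                roles["script"] += 1
            elif ext in DECOY_EXTS:
                roles["decoy"] += 1
            else:
                roles["other"] += 1
            members.append(name)
    combo = all(roles[r] for r in ("loader", "script", "decoy"))
    return {"members": members, "roles": dict(roles),
            "masquerades": masquerades, "suspicious": combo or bool(masquerades)}

def build_sample_zip(names) -> bytes:
    # Build an in-memory ZIP with placeholder bodies (constructed sample data).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()

# Constructed samples mirroring the described lure; not real artifacts.
LURE_SAMPLE = build_sample_zip(["loader.exe", "run.bat", "Glassdoor_Application_Form.pdf"])
MASQUERADE_SAMPLE = build_sample_zip(["Job_Application.pdf.exe"])
BENIGN_SAMPLE = build_sample_zip(["quarterly_report.pdf", "notes.txt"])
```

Run `triage_zip(LURE_SAMPLE)` or `triage_zip(BENIGN_SAMPLE)` to see the role counts and verdict; a positive verdict is a reason to quarantine the attachment for analyst review, not a malware identification on its own.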
6. **Focus on Social Media Accounts**:
– Special emphasis on stealing Facebook cookies to access sessions and gather details via Facebook Ads Manager and Graph API, indicative of a pattern among Vietnamese threat actors.
7. **Ongoing Threats**:
– IBM X-Force reports a related campaign delivering **StrelaStealer** since mid-April 2023, specifically targeting credentials from Outlook and Thunderbird, linked to a rapidly maturing initial access broker known as **Hive0145**.
8. **Evolving Malware Trends**:
– The stealer malware category continues to evolve, with various families like **RECORDSTEALER, Rhadamanthys**, and newcomers such as **Amnesia Stealer** and **Glove Stealer** emerging in the landscape despite law enforcement efforts against them.
9. **Conclusion**:
– The meeting underscores the increasing sophistication of malware threats and the need for continual vigilance and improved defenses across impacted sectors.