Key Takeaways
What is PXA Stealer?
The PXA Stealer infection chain begins with a phishing email containing a ZIP file. The ZIP file holds a Rust-based loader and a hidden folder that contains multiple Windows batch scripts and a decoy PDF. The decoy PDF is a Glassdoor job application form. The loader runs the batch scripts and opens the decoy PDF; it also runs PowerShell commands that download and execute a payload, which disables antivirus programs before deploying PXA Stealer.
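As an added example (not part of the original report, and not PolySwarm's or Cisco Talos's code), the following Python triage check inspects a ZIP archive's central directory, without extracting anything, for the layout described above: an executable loader beside a hidden folder holding several batch scripts and a decoy PDF. The sample archive is constructed inline, and the thresholds in `suspicious` are assumptions for illustration.

```python
import io
import zipfile
from dataclasses import dataclass, field

# MS-DOS "hidden" attribute bit; ZIP stores DOS attributes in the low byte of external_attr.
DOS_HIDDEN = 0x02
DOS_DIRECTORY = 0x10


@dataclass
class ZipTriage:
    executables: list = field(default_factory=list)
    batch_scripts: list = field(default_factory=list)
    decoy_docs: list = field(default_factory=list)
    hidden_dirs: set = field(default_factory=set)

    @property
    def suspicious(self) -> bool:
        # Assumed heuristic: a loader executable, at least two batch scripts living inside a
        # hidden folder, and a decoy document in the same archive.
        batch_in_hidden = [b for b in self.batch_scripts
                           if any(b.startswith(d) for d in self.hidden_dirs)]
        return bool(self.executables) and len(batch_in_hidden) >= 2 and bool(self.decoy_docs)


def triage_zip(data: bytes) -> ZipTriage:
    """Classify archive entries by extension and DOS attributes; nothing is extracted."""
    result = ZipTriage()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name, lower = info.filename, info.filename.lower()
            if info.is_dir() and (info.external_attr & 0xFF) & DOS_HIDDEN:
                result.hidden_dirs.add(name)
            elif lower.endswith(".exe"):
                result.executables.append(name)
            elif lower.endswith((".bat", ".cmd")):
                result.batch_scripts.append(name)
            elif lower.endswith(".pdf"):
                result.decoy_docs.append(name)
    return result


def build_sample_zip(hidden: bool = True) -> bytes:
    """Constructed sample mimicking the described layout (placeholder bytes, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Application.exe", b"MZ placeholder")
        folder = zipfile.ZipInfo("data/")
        folder.external_attr = DOS_DIRECTORY | (DOS_HIDDEN if hidden else 0)
        zf.writestr(folder, b"")
        zf.writestr("data/a.bat", b"@echo off\r\n")
        zf.writestr("data/b.bat", b"@echo off\r\n")
        zf.writestr("data/form.pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()
```

Run `triage_zip(build_sample_zip())` to see the flagged layout, and `build_sample_zip(hidden=False)` to see that the same files without the hidden attribute fall below the threshold.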
PXA Stealer is written in Python and is capable of stealing credentials for online accounts, VPN clients, FTP clients, and financial institutions. It can also steal browser cookies, crypto wallet information, and gaming data. PXA Stealer can decrypt a victim’s master browser password, allowing it to steal saved credentials. The threat actors behind PXA Stealer demonstrate at least a moderate level of sophistication, as evidenced by the obfuscation techniques used for the batch scripts.
Who is Behind PXA Stealer?
Cisco Talos researchers assess that the malware was written by Vietnamese-speaking threat actors, based on code comments written in Vietnamese and a hard-coded link to a Telegram account, “Lone None”, whose profile uses Vietnamese imagery. Cisco Talos researchers observed the threat actors selling stolen credentials in a Telegram channel known as “Mua Bán Scan MINI”, which has been associated with the threat actor group CoralRaider in the past. Additionally, Lone None has been active on the Telegram group “Cú Black Ads - Dropship”, which is also associated with CoralRaider. Based on this information, it is possible that the threat actors behind PXA Stealer are associated with, or have operational overlap with, the Vietnamese threat actor group CoralRaider. However, it is unclear whether CoralRaider is responsible for PXA Stealer.
IOCs
PolySwarm has multiple samples of PXA Stealer.
bc15114841e39203b4e0f5d2cdeef11cc4eceba99eb0c3074a1c6d7b3968404a
a9e3f6b9047b5320434bc7b64f4ba6c799d2b6919d41ed32e9815742f3c10194
You can use the following CLI command to search for all PXA Stealer samples in our portal:
$ polyswarm link list -f PXAStealer