A Vietnamese-speaking threat actor has been linked to an information theft campaign targeting government and educational organizations in Europe and Asia with a new Python-based malware called PXA Stealer.
Cisco Talos researchers Joey Chen, Alex Karkins, and Chetan Raghuprasad said the malware “targets victims’ sensitive information, including credentials for various online accounts, VPN and FTP clients, financial information, browser cookies, and game software data.”
“PXA Stealer has the ability to decrypt the victim’s browser master password and use it to steal saved credentials of various online accounts.”
The link to Vietnam comes from the presence of Vietnamese comments and a hard-coded Telegram account called “Lone None” in the stealer program; the account’s profile includes an icon of the national flag of Vietnam and an image of the emblem of the Ministry of Public Security of Vietnam.
Cisco Talos said it observed the attacker selling Facebook and Zalo account credentials as well as SIM cards in the “Mua Bán Scan MINI” Telegram channel, which was earlier associated with another threat actor named CoralRaider. Lone None was also found to be active in another Vietnamese Telegram group run by CoralRaider called “Cú Black Ads – Dropship.”
However, it is currently unclear whether the two sets of intrusions are linked or whether they are conducting their campaigns independently of each other.
“The tools shared by the attacker in the group are automated utilities designed to manage multiple user accounts. These tools include a Hotmail batch creation tool, an email extraction tool, and a Hotmail batch cookie modification tool,” the researchers said.
“The compressed packages provided by the threat actor often contain not only the executables for these tools, but also their source code, allowing users to modify them as needed.”
There is evidence that such programs are offered for sale through other sites, such as aehack(.)com, which claim to provide free hacking and cheating tools. Instructions for using these tools are distributed through YouTube channels, further emphasizing that there is a concerted effort to sell them.
The attack chains that distribute PXA Stealer start with a phishing email that contains an attached ZIP file, which includes a Rust-based loader and a hidden folder that in turn contains several Windows batch scripts and a decoy PDF file.
Executing the loader launches the batch scripts, which are responsible for opening the decoy document, a Glassdoor job application form, and executing PowerShell commands to download and run a payload capable of disabling antivirus programs running on the host before deploying the stealer itself.
A notable feature of PXA Stealer is its focus on stealing Facebook cookies, using them for session authentication, and interacting with the Facebook Ads Manager and Graph API to collect more detailed account information and related advertising data.
Targeting Facebook business and advertising accounts has been a recurring pattern among Vietnamese threat actors, and PXA Stealer is no different.
The disclosure comes as IBM X-Force detailed an ongoing campaign, running since mid-April 2023, that delivers StrelaStealer to victims across Europe, especially in Italy, Spain, Germany and Ukraine. The activity was attributed to a “fast-growing” Initial Access Broker (IAB) it tracks as Hive0145, which is believed to be the sole operator of the stealer malware.
“The phishing emails used in these campaigns are real invoice notifications that have been stolen via previously stolen email credentials,” researchers Golo Mühr, Joe Fasulo and Charlotte Hammond said. “StrelaStealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird.”
The popularity of stealer malware is evidenced by the continuous evolution of families such as RECORDSTEALER (aka RecordBreaker or Raccoon Stealer V2) and Rhadamanthys, and the constant appearance of new ones such as Amnesia Stealer and Glove Stealer, notwithstanding law enforcement efforts to take them down.
“Glove Stealer uses a dedicated support module to get around application-bound encryption by using the IElevator service,” Gen Digital researcher Jan Rubín said. “So far, it has been observed spreading through phishing emails that resemble ClickFix; it also tries to mimic a debugging tool that users can use when troubleshooting problems they may have encountered.”