Cyber security news for all

    Vietnamese Hacker Group Unleashes PXA Stealer in Aggressive Campaigns Across Europe and Asia

    A Vietnamese-speaking cybercrime group has been tied to a sophisticated information-stealing operation targeting governmental and educational institutions in Europe and Asia. The campaign hinges on a newly developed Python-based malware dubbed PXA Stealer, designed to harvest sensitive data.

    Scope and Capabilities of PXA Stealer

    According to Cisco Talos researchers Joey Chen, Alex Karkins, and Chetan Raghuprasad, the malware’s functionality extends to stealing:

    • Credentials for online accounts, VPNs, and FTP clients.
    • Financial data and browser cookies.
    • Information from gaming platforms.

    Remarkably, PXA Stealer can decrypt browser master passwords to exfiltrate stored credentials, heightening its potency as a cyber weapon.

    Clues Linking to Vietnam

    Key evidence connecting the malware to Vietnam includes:

    1. Vietnamese-language comments embedded within the code.
    2. A hard-coded Telegram account named “Lone None,” featuring Vietnam’s national flag and the Ministry of Public Security’s emblem.

    Further investigation revealed that “Lone None” engages in illicit activities, such as selling Facebook and Zalo credentials, as well as SIM cards, through Telegram channels like “Mua Bán Scan MINI”. This activity overlaps with that of another Vietnamese group, CoralRaider, which operates Telegram groups such as “Cú Black Ads – Dropship.”

    The relationship between these two entities remains ambiguous, with no concrete proof of collaboration.

    Malware Distribution and Toolset

    The group employs a well-orchestrated distribution chain to propagate PXA Stealer. It typically begins with phishing emails carrying ZIP file attachments containing a Rust-based loader, Windows batch scripts, and a decoy PDF.

    Upon execution:

    • Batch scripts run commands to bypass antivirus defenses.
    • A Glassdoor-themed job application form is displayed to divert attention.
    • The PXA Stealer payload is deployed to begin data exfiltration.
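    The attachment profile described above (a native loader, a batch script and a decoy PDF inside one ZIP) is something a mail gateway or sandbox can check for before the archive reaches a user. The following is an added example, not code from Cisco Talos or from the article: it inspects an in-memory ZIP and flags the executable-plus-batch-script combination. All file names and samples are constructed for the demo.

```python
import io
import zipfile

# Constructed demo: names and samples below are assumptions, not real artifacts.
PE_MAGIC = b"MZ"                 # DOS/PE header of a Windows executable
SCRIPT_EXTS = {".bat", ".cmd"}   # Windows batch scripts
DECOY_EXTS = {".pdf"}            # decoy document shown to the victim

def classify_member(name: str, head: bytes) -> str:
    """Classify one archive member by its leading bytes, then by extension."""
    if head.startswith(PE_MAGIC):
        return "pe"              # executable even if renamed (e.g. .dat)
    ext = "." + name.lower().rsplit(".", 1)[-1] if "." in name else ""
    if ext in SCRIPT_EXTS:
        return "script"
    if ext in DECOY_EXTS:
        return "document"
    return "other"

def assess_zip(data: bytes) -> dict:
    """Scan an in-memory ZIP and flag the loader + batch-script combination."""
    classes = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)  # only the magic bytes are needed
            classes.add(classify_member(info.filename, head))
    return {"classes": classes, "suspicious": {"pe", "script"} <= classes}

def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample mirroring the described chain: loader + batch + decoy PDF.
PHISHING_LIKE = build_zip({
    "Application/loader.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "Application/run.bat": b"@echo off\r\n",
    "Application/job_description.pdf": b"%PDF-1.4\n",
})
# Constructed benign sample: a lone PDF, which must not trigger the rule.
BENIGN = build_zip({"invoice.pdf": b"%PDF-1.4\n"})
```

    Checking the leading bytes rather than the extension alone matters because a loader can be shipped under a harmless-looking name; the rule still fires on the combination, not on a PDF by itself.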

    The attackers also distribute auxiliary tools, such as Hotmail batch creation and email mining utilities. These tools, often shared with their source code, allow recipients to customize them for specific malicious purposes.

    Facebook Account Exploitation

    A standout feature of PXA Stealer is its focus on Facebook business accounts. The malware leverages stolen cookies to authenticate sessions, interact with Facebook Ads Manager, and extract advertising-related details via the Graph API. This aligns with a recurring trend among Vietnamese cyber actors who frequently target social media and advertising platforms.

    Broader Context of Stealer Malware

    The emergence of PXA Stealer coincides with ongoing activity in the stealer malware ecosystem. IBM X-Force recently documented a campaign delivering StrelaStealer across Europe, particularly in Italy, Spain, Germany, and Ukraine. This operation, attributed to the rapidly maturing Hive0145 group, involves phishing emails masquerading as legitimate invoice notifications.

    Additionally, other stealer malware families, such as RECORDSTEALER and Rhadamanthys, continue to evolve despite enforcement efforts to curb their spread. New entrants, like Amnesia Stealer and Glove Stealer, highlight the persistent innovation in this space.

    Glove Stealer, for instance, employs modules to bypass app-bound encryption and disguises itself as a troubleshooting tool, preying on users who are trying to fix a problem.

    Implications and Countermeasures

    This campaign underscores the growing sophistication of information-stealing malware and the persistent threat posed by Vietnamese cybercrime groups. Organizations must remain vigilant, employing robust defenses, educating staff about phishing tactics, and promptly patching vulnerabilities to mitigate such risks.
