Vietnamese Hackers Use Python Based PXA Stealer for Sensitive Data Theft

Threat Group: Vietnamese-speaking threat actors (linked to CoralRaider and Lone None)
Threat Type: Information Stealer
Exploited Vulnerabilities: Targets sensitive data including credentials, VPNs, FTP clients, browser cookies, and gaming platforms
Malware Used: PXA Stealer
Threat Score: High (9.0/10) — Comprehensive data theft capabilities and strong targeting focus on government and educational sectors
Last Threat Observation: November 16, 2024.

Overview

PXA Stealer is a Python-based malware used in sophisticated attacks targeting government and educational institutions across Europe and Asia. This information stealer is capable of decrypting browser master passwords, harvesting sensitive credentials, and leveraging stolen data for malicious purposes such as Facebook Ads manipulation. It utilizes advanced evasion techniques and obfuscation in its scripts to remain undetected.

The malware has been linked to Vietnamese threat actors through embedded comments in Vietnamese, hard-coded Telegram accounts, and thematic tools marketed for social engineering. It is distributed via phishing campaigns and supported by a complex infrastructure hosted on compromised or malicious domains.


Key Details

  • Delivery Method:
    Phishing emails with ZIP file attachments containing a Rust-based loader and decoy PDFs
  • Target:
    Government organizations (e.g., Sweden and Denmark) and educational institutions (e.g., in India)
  • Functions:
    • Credential Theft: Decrypts and extracts credentials stored in browsers, VPNs, and FTP clients
    • Browser Exploitation: Targets cookies, autofill data, and stored credit card information
    • Session Hijacking: Uses Facebook cookies to manipulate Ads Manager and extract business details
    • Cryptocurrency Theft: Accesses wallet details for digital asset theft
    • Advanced Persistence: Deploys obfuscated scripts and registry modifications for persistence
    • Tool Distribution: Sells tools for automated account management and credential theft
  • Obfuscation Techniques:
    • Uses multi-layer obfuscation for scripts, requiring decryption to reveal PowerShell commands
    • Batch scripts obfuscated with random characters and special symbols to evade detection

Attack Vectors

  1. Initial Access:
    Phishing emails containing malicious ZIP files. The ZIP files house a Rust loader executable and obfuscated batch scripts within hidden folders.
  2. Payload Execution:
    When executed, the Rust loader runs batch scripts that disable antivirus software, open decoy PDFs, and download the PXA Stealer payload from domains like tvdseo[.]com.
  3. Data Exfiltration:
    Harvested data, including credentials and session cookies, is compressed into a ZIP file and sent to attacker-controlled Telegram bots.
  4. Persistence Mechanism:
    The malware creates registry entries and deploys shortcut files to ensure it runs on system startup.

Victimology and Targeted Information

PXA Stealer targets a wide range of sensitive information:

  • Credentials: Online accounts, VPNs, FTP clients, chat messengers, and password managers
  • Browser Data: Login credentials, cookies, credit card details, and autofill information
  • Cryptocurrency Wallets: Both desktop and online wallets
  • Gaming Software: Account credentials and session data
  • Social Media Accounts: Facebook cookies for session hijacking and ad account manipulation

Attacker Infrastructure

The attackers utilize a mix of legitimate and compromised infrastructure:

  • Domains: Hosted malicious scripts and payloads on directories like /file/PXA/ on tvdseo[.]com.
  • Telegram Bots: Controlled exfiltration channels using tokens and chat IDs.
  • Underground Markets: Operated Telegram channels like “Mua Bán Scan MINI” and “Cú Black Ads – Dropship” for selling tools and stolen data.

Known Indicators of Compromise (IoCs)

File Hashes (SHA256):

  • fdad95329954e0085d992cba78188a26abd718797f4a83347ec402f70fe65269

Domains

  • tvdseo[.]com


Mitigation and Prevention

  1. User Awareness:
    Conduct phishing simulation exercises to educate employees about identifying malicious emails.
  2. Email Filtering:
    Implement solutions to detect and quarantine suspicious attachments.
  3. Antivirus Protection:
    Deploy updated antivirus solutions with behavioral analysis capabilities.
  4. Network Security:
    • Block domains associated with PXA Stealer using DNS filtering.
    • Monitor traffic for communication with Telegram bots.
  5. Endpoint Detection and Response (EDR):
    Detect anomalies in registry changes, script execution, and ZIP extraction activities.
  6. Multi-Factor Authentication (MFA):
    Add an extra security layer to critical accounts, particularly social media and financial platforms.
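The network-monitoring items above (blocking the staging domain, watching for Telegram bot traffic) and the exfiltration step in Attack Vectors can be turned into a simple log check. The following Python example is added here and is not part of the original advisory or of any vendor product: it scans constructed web-proxy log lines for the staging domain named in the IoCs and for Telegram Bot API calls that carry a bot token. The log format, the sample lines, the fake token and chat ID, and the assumed token shape are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample proxy log lines: timestamp, host, process, method, URL.
# Not taken from a real incident. tvdseo.com is the domain named in the
# advisory; the Telegram token and chat_id are made up.
SAMPLE_LOG = """\
2024-11-16T09:12:01Z host01 chrome.exe GET https://www.example.org/index.html
2024-11-16T09:13:22Z host01 powershell.exe GET https://tvdseo.com/file/PXA/PXA_PURE_ENC
2024-11-16T09:14:05Z host01 python.exe POST https://api.telegram.org/bot123456789:AAExampleTokenValue00000000000000000/sendDocument?chat_id=987654321
2024-11-16T09:15:40Z host02 chrome.exe GET https://t.me/somechannel
"""

KNOWN_DOMAINS = {"tvdseo.com"}  # staging domain from the advisory's IoCs

# Telegram Bot API URLs embed the bot token as /bot<id>:<secret>/<method>.
# Assumed token shape: digits, a colon, then 30 or more token characters.
TELEGRAM_BOT_RE = re.compile(r"https?://api\.telegram\.org/bot(\d+:[\w-]{30,})/(\w+)")
# Methods a stealer would use to push a ZIP archive or text to its operator.
EXFIL_METHODS = {"sendDocument", "sendMessage"}


@dataclass
class Alert:
    host: str
    process: str
    reason: str
    url: str


def analyze(log_text: str) -> list[Alert]:
    """Return one Alert per log line that matches a PXA Stealer-style indicator."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) != 5:
            continue  # malformed line, skip rather than guess
        _ts, host, process, _method, url = parts
        domain = re.sub(r"^https?://", "", url).split("/", 1)[0].lower()
        if domain in KNOWN_DOMAINS:
            alerts.append(Alert(host, process, "known PXA Stealer staging domain", url))
        m = TELEGRAM_BOT_RE.match(url)
        if m and m.group(2) in EXFIL_METHODS:
            alerts.append(Alert(host, process,
                                f"Telegram bot API {m.group(2)} (possible exfiltration)", url))
    return alerts
```

Pair the Telegram rule with the requesting process name: a bot API call from a scripting host or an unexpected interpreter is a stronger signal than one from a browser.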

Conclusion

PXA Stealer exemplifies the growing sophistication of cybercrime operations, blending advanced data theft techniques with comprehensive evasion strategies. Organizations in the public sector and education must adopt proactive cybersecurity measures, ensuring robust endpoint security, user training, and network monitoring. The malware's connections to established cybercrime groups further underline its potential impact on global organizations.


Sources

  1. The Hacker News - "Vietnamese Hacker Group Deploys New PXA Stealer Targeting Europe and Asia"
  2. Cisco Talos - "New PXA Stealer Targets Government and Education Sectors for Sensitive Information"
  3. Cyber Press - "New PXA Stealer Hits Governments, Steals Sensitive Data"