New PXA Stealer targets government and education sectors for sensitive information

    Date: 11/19/2024

    Severity: Medium

    Summary

    A new information-stealing campaign has been discovered in which a Python-based malware called PXA Stealer is used against government and education organizations in Europe and Asia. Operated by a Vietnamese-speaking threat actor, PXA Stealer steals sensitive data including online account credentials, VPN and FTP client information, financial data, browser cookies, and data from gaming software, and it can decrypt browser master passwords to harvest the credentials stored in the browser. The operator uses advanced obfuscation techniques to evade detection and sells stolen credentials and tooling through a Telegram channel associated with the known adversary group "CoralRaider", although the exact relationship between the two remains unclear.

    Indicators of Compromise (IOC) List 

    URL/Domain

    tvdseo.com

    https://tvdseo.com/file/PXA/PXA_BOT

    https://tvdseo.com/file/PXA/Cookie_Ext.zip

    https://tvdseo.com/file/synaptics.zip

    https://tvdseo.com/file/Adonis/Adonis_Bot0

    https://tvdseo.com/file/STC/STC_PURE.b64

    https://tvdseo.com/file/STC/STC_OTO

    https://tvdseo.com/file/PXA/PXA_PURE_ENC

    https://tvdseo.com/file/Adonis/Adonis_Bot

    https://tvdseo.com/file/Adonis/Adonis_XW_ENC

    https://tvdseo.com/file/STC/STC_PUP

    https://tvdseo.com/file/STC/Cookie_Ext.zip

    https://tvdseo.com/file/Adonis/AdFnis_Bot

    https://tvdseo.com/file/STC/STC_XW_ENC

    https://tvdseo.com/file/STC/STC_PURE_ENC

    https://tvdseo.com/file/STC/STC_BOT

    Hash

    e689601d502cc0cd8017f9d6953ce7e201b2dad42f679dc33afa673249ea1aa4
    
    782da8904a729971fab86286dd1f44e8de686b7bc66b855079381e1c9e97f6da
    
    fdad95329954e0085d992cba78188a26abd718797f4a83347ec402f70fe65269
    
    bc15114841e39203b4e0f5d2cdeef11cc4eceba99eb0c3074a1c6d7b3968404a
    
    a9e3f6b9047b5320434bc7b64f4ba6c799d2b6919d41ed32e9815742f3c10194
    
    7db49da15fd159146fe869d049e030a4ecd0d605a762bea4cc4eb702a6ce9ee6
    
    707004559c8d625f2d4b296ede702def1f9f52cadf4c52dadc41f3077531d04f

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "tvdseo.com" or url like "tvdseo.com"
    or userdomainname like "https://tvdseo.com/file/PXA/PXA_BOT" or url like "https://tvdseo.com/file/PXA/PXA_BOT"
    or userdomainname like "https://tvdseo.com/file/PXA/Cookie_Ext.zip" or url like "https://tvdseo.com/file/PXA/Cookie_Ext.zip"
    or userdomainname like "https://tvdseo.com/file/synaptics.zip" or url like "https://tvdseo.com/file/synaptics.zip"
    or userdomainname like "https://tvdseo.com/file/Adonis/Adonis_Bot0" or url like "https://tvdseo.com/file/Adonis/Adonis_Bot0"
    or userdomainname like "https://tvdseo.com/file/STC/STC_PURE.b64" or url like "https://tvdseo.com/file/STC/STC_PURE.b64"
    or userdomainname like "https://tvdseo.com/file/STC/STC_OTO" or url like "https://tvdseo.com/file/STC/STC_OTO"
    or userdomainname like "https://tvdseo.com/file/PXA/PXA_PURE_ENC" or url like "https://tvdseo.com/file/PXA/PXA_PURE_ENC"
    or userdomainname like "https://tvdseo.com/file/Adonis/Adonis_Bot" or url like "https://tvdseo.com/file/Adonis/Adonis_Bot"
    or userdomainname like "https://tvdseo.com/file/Adonis/Adonis_XW_ENC" or url like "https://tvdseo.com/file/Adonis/Adonis_XW_ENC"
    or userdomainname like "https://tvdseo.com/file/STC/STC_PUP" or url like "https://tvdseo.com/file/STC/STC_PUP"
    or userdomainname like "https://tvdseo.com/file/STC/Cookie_Ext.zip" or url like "https://tvdseo.com/file/STC/Cookie_Ext.zip"
    or userdomainname like "https://tvdseo.com/file/Adonis/AdFnis_Bot" or url like "https://tvdseo.com/file/Adonis/AdFnis_Bot"
    or userdomainname like "https://tvdseo.com/file/STC/STC_XW_ENC" or url like "https://tvdseo.com/file/STC/STC_XW_ENC"
    or userdomainname like "https://tvdseo.com/file/STC/STC_PURE_ENC" or url like "https://tvdseo.com/file/STC/STC_PURE_ENC"
    or userdomainname like "https://tvdseo.com/file/STC/STC_BOT" or url like "https://tvdseo.com/file/STC/STC_BOT"

    Detection Query 2

    sha256hash IN ("e689601d502cc0cd8017f9d6953ce7e201b2dad42f679dc33afa673249ea1aa4","782da8904a729971fab86286dd1f44e8de686b7bc66b855079381e1c9e97f6da","fdad95329954e0085d992cba78188a26abd718797f4a83347ec402f70fe65269","bc15114841e39203b4e0f5d2cdeef11cc4eceba99eb0c3074a1c6d7b3968404a","a9e3f6b9047b5320434bc7b64f4ba6c799d2b6919d41ed32e9815742f3c10194","7db49da15fd159146fe869d049e030a4ecd0d605a762bea4cc4eb702a6ce9ee6","707004559c8d625f2d4b296ede702def1f9f52cadf4c52dadc41f3077531d04f")
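    The two queries above apply the indicators inside the Gurucul platform. The script below is an added example, not Gurucul's or Talos's code, that reproduces the same two checks in plain Python so the indicators can be run offline over exported proxy or EDR records: a domain / URL match mirroring Detection Query 1 and a SHA-256 match mirroring Detection Query 2. The indicators are the ones listed on this page; the sample records, the workstation names and the cdn.tvdseo.com and nottvdseo.com hosts in them are constructed for the example and are not indicators. Two practitioner details are built in: the host check is a suffix match on the parsed hostname, so an unrelated domain that merely contains the string does not fire, and hash lookups are normalised to lower case so an upper-case digest from an EDR export still matches.

```python
"""IOC matcher for the PXA Stealer indicators on this page.

Added example; this is not Gurucul's or Talos's code. It reproduces the
intent of Detection Query 1 (domain / URL match) and Detection Query 2
(SHA-256 match) in plain Python so the indicators can be checked offline
against exported proxy or EDR records. The records in SAMPLE_RECORDS are
constructed for the example; the indicators are the ones listed above.
"""
import hashlib
from urllib.parse import urlparse

IOC_DOMAIN = "tvdseo.com"

# Exact download URLs from the IOC list (de-duplicated).
IOC_URLS = {
    "https://tvdseo.com/file/PXA/PXA_BOT",
    "https://tvdseo.com/file/PXA/Cookie_Ext.zip",
    "https://tvdseo.com/file/synaptics.zip",
    "https://tvdseo.com/file/Adonis/Adonis_Bot0",
    "https://tvdseo.com/file/STC/STC_PURE.b64",
    "https://tvdseo.com/file/STC/STC_OTO",
    "https://tvdseo.com/file/PXA/PXA_PURE_ENC",
    "https://tvdseo.com/file/Adonis/Adonis_Bot",
    "https://tvdseo.com/file/Adonis/Adonis_XW_ENC",
    "https://tvdseo.com/file/STC/STC_PUP",
    "https://tvdseo.com/file/STC/Cookie_Ext.zip",
    "https://tvdseo.com/file/Adonis/AdFnis_Bot",
    "https://tvdseo.com/file/STC/STC_XW_ENC",
    "https://tvdseo.com/file/STC/STC_PURE_ENC",
    "https://tvdseo.com/file/STC/STC_BOT",
}

# SHA-256 hashes from the IOC list, stored lower-case so lookups are case-insensitive.
IOC_SHA256 = {
    "e689601d502cc0cd8017f9d6953ce7e201b2dad42f679dc33afa673249ea1aa4",
    "782da8904a729971fab86286dd1f44e8de686b7bc66b855079381e1c9e97f6da",
    "fdad95329954e0085d992cba78188a26abd718797f4a83347ec402f70fe65269",
    "bc15114841e39203b4e0f5d2cdeef11cc4eceba99eb0c3074a1c6d7b3968404a",
    "a9e3f6b9047b5320434bc7b64f4ba6c799d2b6919d41ed32e9815742f3c10194",
    "7db49da15fd159146fe869d049e030a4ecd0d605a762bea4cc4eb702a6ce9ee6",
    "707004559c8d625f2d4b296ede702def1f9f52cadf4c52dadc41f3077531d04f",
}


def url_matches(url: str) -> bool:
    """True if the URL is on the IOC domain (or a subdomain) or is a listed download URL.

    The host check is a suffix match on the parsed hostname, not a substring
    match on the raw string, so "nottvdseo.com" does not fire while
    "cdn.tvdseo.com" still does. Every listed URL is on tvdseo.com, so the
    exact-URL set is redundant with the domain check; it is kept to mirror Query 1.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if host == IOC_DOMAIN or host.endswith("." + IOC_DOMAIN):
        return True
    return url in IOC_URLS


def hash_matches(sha256: str) -> bool:
    """True if a SHA-256 hex digest (any case, surrounding whitespace tolerated) is listed."""
    return sha256.strip().lower() in IOC_SHA256


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 of file contents, for hashing a quarantined sample before lookup."""
    return hashlib.sha256(data).hexdigest()


def scan_records(records):
    """Return (host, [reasons]) for each record that hits an indicator, in input order."""
    hits = []
    for rec in records:
        reasons = []
        if "url" in rec and url_matches(rec["url"]):
            reasons.append("ioc_url")
        if "sha256" in rec and hash_matches(rec["sha256"]):
            reasons.append("ioc_hash")
        if reasons:
            hits.append((rec["host"], reasons))
    return hits


# Constructed sample records: hostnames, the cdn. subdomain and nottvdseo.com are made up.
SAMPLE_RECORDS = [
    {"host": "ws-017", "url": "https://tvdseo.com/file/PXA/PXA_BOT"},
    {"host": "ws-017", "url": "https://cdn.tvdseo.com/file/synaptics.zip"},
    {"host": "ws-042", "url": "https://example.org/index.html"},
    {"host": "ws-042", "url": "https://nottvdseo.com/"},
    {"host": "srv-03", "sha256": "E689601D502CC0CD8017F9D6953CE7E201B2DAD42F679DC33AFA673249EA1AA4"},
    {"host": "srv-03", "sha256": "0" * 64},
]

if __name__ == "__main__":
    for host, reasons in scan_records(SAMPLE_RECORDS):
        print(host, ",".join(reasons))
```

    Running the script prints the two ws-017 URL hits and the srv-03 hash hit and nothing for ws-042. To use it on real data, build the record list from a proxy log export (one dict per request with a url key) and from an EDR file-event export (one dict per event with a sha256 key), or hash a quarantined file with sha256_of_bytes and pass the digest to hash_matches.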

    Reference:

    https://blog.talosintelligence.com/new-pxa-stealer/


    Tags

    Malware, PXA Stealer, Government Services and Facilities, Education, Europe, Asia, CoralRaider
