New PXA Stealer Aims at Government and Education Sectors to Extract Sensitive Information

Cisco Talos documented a Vietnamese-speaking threat actor running an information-stealing campaign that uses a Python-based PXA Stealer to harvest browser credentials, cookies, and financial data. The actor hosts malicious tools on tvdseo[.]com and sells credentials and utilities via Telegram channels. #PXA_Stealer #tvdseo

Keypoints

  • New information-stealing campaign attributed to a Vietnamese-speaking threat actor using Python malware called PXA Stealer.
  • Primary targets are government and educational institutions across Europe and Asia.
  • PXA Stealer can decrypt browser master passwords to extract stored credentials, browser cookies, and credit card data.
  • Initial access is achieved via phishing emails containing malicious ZIP attachments that deploy batch scripts and PowerShell commands.
  • Attacker uses complex obfuscation in batch scripts to evade detection and automated analysis.
  • Stolen credentials and tooling are sold through the Telegram channel “Mua Bán Scan MINI,” with data exfiltration handled by Telegram bots.
  • Infrastructure includes the domain tvdseo[.]com which hosts malicious payloads and related files (e.g., synaptics.zip, PXA components).

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – initial access comes from phishing emails carrying malicious ZIP attachments.
  • [T1204.002] User Execution: Malicious File – the victim opens the ZIP contents, which launch the batch scripts and PowerShell commands that stage and run the stealer; the chain described relies on the user running the file, not on a software vulnerability.
  • [T1059.001 / T1059.003] Command and Scripting Interpreter: PowerShell / Windows Command Shell – batch scripts and PowerShell commands deploy the payloads.
  • [T1027] Obfuscated Files or Information – the batch scripts are heavily obfuscated to hinder detection and automated analysis.
  • [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – PXA Stealer decrypts the browser master password to recover saved logins and credit card data.
  • [T1539] Steal Web Session Cookie – browser cookies are harvested alongside the credentials.
  • [T1560] Archive Collected Data – the stolen data is encrypted and packaged before it leaves the host.
  • [T1567] Exfiltration Over Web Service – packaged data is sent to attacker-controlled Telegram bots over the Telegram Bot API; Telegram also serves as the actor's C2 and sales channel (T1102 Web Service).

Indicators of Compromise

  • [domain] Hosting and distribution domain – tvdseo[.]com
  • [Telegram Bot Token] Data exfiltration bots – 7545164691:AAEJ4E2f-4KZDZrLID8hSRSJmPmR1h-a2M4, 7414494371:AAGgbY4XAvxTWFgAYiAj6OXVJOVrqgjdGVs
  • [Telegram Chat ID] Channels/groups used for sales/communication – -1002174636072, -1002150158011, and 3 more IDs
  • [url] Malicious payload locations hosted on tvdseo.com – hxxps://tvdseo.com/file/synaptics.zip, hxxps://tvdseo.com/file/PXA/PXA_PURE_ENC, and 2 more URLs
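The indicators above are most useful when they are actually run against telemetry. The script below is an added example, not code from the Talos write-up: it refangs defanged indicators, pulls Telegram Bot API calls (`api.telegram.org/bot<token>/<method>`), `chat_id` parameters and request hosts out of proxy-style log lines, and marks each hit as a known PXA indicator or merely suspicious. The log lines are constructed for illustration; the indicator values are the ones listed on this page. Because Telegram traffic is TLS, the bot token and chat ID are only visible in logs from a TLS-inspecting proxy or in endpoint artifacts (the dropped scripts themselves); without inspection you will only see the `api.telegram.org` host, which the script still flags.

```python
"""Match the PXA Stealer IoCs from this page against proxy/DNS log lines.

Added example (not from the Talos article). Log lines are constructed;
indicator values are copied from the IoC list above.
"""
import re
from dataclasses import dataclass
from typing import List

# Indicators from the IoC list above, in refanged form.
IOC_DOMAINS = {"tvdseo.com"}
IOC_BOT_TOKENS = {
    "7545164691:AAEJ4E2f-4KZDZrLID8hSRSJmPmR1h-a2M4",
    "7414494371:AAGgbY4XAvxTWFgAYiAj6OXVJOVrqgjdGVs",
}
IOC_CHAT_IDS = {"-1002174636072", "-1002150158011"}

# Telegram Bot API calls look like https://api.telegram.org/bot<token>/<method>;
# a token is "<numeric bot id>:<35 chars of [A-Za-z0-9_-]>".
BOT_API_RE = re.compile(r"api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]+)/(\w+)")
CHAT_ID_RE = re.compile(r"chat_id=(-?\d+)")
HOST_RE = re.compile(r"https?://([^/\s:?]+)")


@dataclass
class Hit:
    line_no: int
    kind: str    # "domain", "bot_token" or "chat_id"
    value: str
    known: bool  # True when the value is in the IoC lists above


def refang(s: str) -> str:
    """Turn hxxps://tvdseo[.]com into https://tvdseo.com so it can be matched."""
    return s.replace("hxxp", "http").replace("[.]", ".")


def scan_line(line_no: int, line: str) -> List[Hit]:
    hits: List[Hit] = []
    text = refang(line)
    # Request hosts: exact domain or any subdomain of a listed domain.
    for host in HOST_RE.findall(text):
        host = host.lower()
        if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            hits.append(Hit(line_no, "domain", host, True))
    # Any Telegram Bot API use from a workstation is worth triage, so report
    # every token and flag whether it is one of the listed PXA bots.
    for token, _method in BOT_API_RE.findall(text):
        hits.append(Hit(line_no, "bot_token", token, token in IOC_BOT_TOKENS))
    for chat_id in CHAT_ID_RE.findall(text):
        if chat_id in IOC_CHAT_IDS:
            hits.append(Hit(line_no, "chat_id", chat_id, True))
    return hits


def scan(lines: List[str]) -> List[Hit]:
    hits: List[Hit] = []
    for i, line in enumerate(lines, 1):
        hits.extend(scan_line(i, line))
    return hits


# Constructed sample: one stager download, one PXA exfil call, one benign line,
# and one Telegram bot call with a made-up token that is not on the IoC list.
SAMPLE_LOG = [
    "2024-11-14T09:12:01Z 10.0.4.17 GET https://tvdseo.com/file/synaptics.zip 200",
    "2024-11-14T09:12:09Z 10.0.4.17 POST https://api.telegram.org/bot7545164691:"
    "AAEJ4E2f-4KZDZrLID8hSRSJmPmR1h-a2M4/sendDocument?chat_id=-1002174636072 200",
    "2024-11-14T09:13:44Z 10.0.4.22 GET https://www.example.org/index.html 200",
    "2024-11-14T09:15:02Z 10.0.4.31 POST https://api.telegram.org/bot1234567890:"
    "AAHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/sendMessage 200",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        tag = "KNOWN-IOC" if h.known else "suspicious"
        print(f"line {h.line_no}: {h.kind}={h.value} [{tag}]")
```

Treat an unknown bot token as a lead rather than noise: the keypoints note that the actor sells the tooling on Telegram, so other operators of the same kit will use different bot tokens and chat IDs against the same `api.telegram.org` endpoint.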

Read more: https://blog.talosintelligence.com/new-pxa-stealer/