A Vietnamese-speaking threat actor has been linked to an information-stealing campaign targeting government and education entities in Europe and Asia with a new Python-based malware called PXA Stealer.
The malware “targets victims’ sensitive information, including credentials for various online accounts, VPN and FTP clients, financial information, browser cookies, and data from gaming software,” Cisco Talos researchers Joey Chen, Alex Karkins, and Chetan Raghuprasad said.
“PXA Stealer has the capability to decrypt the victim’s browser master password and uses it to steal the stored credentials of various online accounts”
The connections to Vietnam stem from the presence of Vietnamese comments and a hard-coded Telegram account named “Lone None” in the stealer program, the latter of which includes an icon of Vietnam’s national flag and a picture of the emblem for Vietnam’s Ministry of Public Security.
Cisco Talos said it observed the attacker selling Facebook and Zalo account credentials, and SIM cards in the Telegram channel “Mua Bán Scan MINI,” which has been previously linked to another threat actor called CoralRaider. Lone None has also been found to be active on another Vietnamese Telegram group operated by CoralRaider called “Cú Black Ads – Dropship.”
That said, it’s currently not clear if these two intrusion sets are related, if they are carrying out their campaigns independently of each other.
“The tools shared by the attacker in the group are automated utilities designed to manage several user accounts. These tools include a Hotmail batch creation tool, an email mining tool, and a Hotmail cookie batch modification tool,” the researchers said.
“The compressed packages provided by the threat actor often contain not only the executable files for these tools but also their source code, allowing users to modify them as needed.”
There is evidence to suggest that such programs are offered for sale via other sites like aehack[.]com that claim to provide free hack and cheat tools. Tutorials for using these tools are shared via YouTube channels, further highlighting that there is a concerted effort to market them.
Attack chains propagating PXA Stealer commence with a phishing email containing a ZIP file attachment, which includes a Rust-based loader and a hidden folder that, in turn, packs in several Windows batch scripts and a decoy PDF file.
The execution of the loader triggers the batch scripts, which are responsible for opening the lure document, a Glassdoor job application form, while also running PowerShell commands to download and run a payload capable of disabling antivirus programs running on the host, followed by deploying the stealer itself.
A noteworthy feature of PXA Stealer is its emphasis on stealing Facebook cookies, using them to authenticate a session and interacting with Facebook Ads Manager and Graph API to gather more details about the account and their associated ad-related information.
The targeting of Facebook business and advertisement accounts has been a recurring pattern among Vietnamese threat actors, and PXA Stealer proves to be no different.
The disclosure comes as IBM X-Force detailed an ongoing campaign since mid-April 2023 that delivers StrelaStealer to victims across Europe, specifically Italy, Spain, Germany, and Ukraine. The activity has been attributed to a “rapidly maturing” initial access broker (IAB) it tracks as Hive0145, which is believed to be the sole operator of the stealer malware.
“The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials,” researchers Golo Mühr, Joe Fasulo, and Charlotte Hammond said. “StrelaStealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird.”
The popularity of stealer malware is evidenced by the continuous evolution of exiting families like RECORDSTEALER (aka RecordBreaker or Raccoon Stealer V2) and Rhadamanthys, and the steady emergence of new ones like Amnesia Stealer and Glove Stealer, despite law enforcement efforts to disrupt them.
“Glove Stealer uses a dedicated supporting module to bypass app-bound encryption by using IElevator service,” Gen Digital researcher Jan Rubín said. “While observed being spread via phishing emails resembling ClickFix, it itself also tries to mimic a fixing tool which users might use during troubleshooting problems they might have encountered.”