The attacker, targeting Indian educational institutions and European government organizations, is exploiting vulnerabilities to steal sensitive information like credentials, financial data, and private keys from compromised systems.
They host their malicious scripts and the PXA Stealer on a Vietnamese SEO service provider’s domain (tvdseo[.]com) and exfiltrate the stolen data to specific Telegram bots and chat IDs.
The Vietnamese attacker, likely affiliated with a cybercrime group, operates on Telegram, selling stolen credentials and promoting malware through a private antivirus checker website; these activities point to a sophisticated and organized approach to cybercrime.
The attacker promotes a Telegram channel, “Cú Black Ads – Dropship,” sharing automated tools for managing multiple social media accounts, including Hotmail batch creation and cookie modification tools.
These tools, some requiring activation keys, are distributed via Telegram, websites, and YouTube tutorials, demonstrating organized efforts to market and facilitate their use.
They exploited a phishing email to deliver a malicious Rust loader that, upon execution, dropped and executed obfuscated batch scripts from hidden folders, potentially allowing for further malicious activity on the victim’s system.
CyberChef’s regex filtering revealed obfuscated PowerShell commands within the batch script, which download a malicious Python archive disguised as “synaptics.zip” and extract it to user profiles, then create a persistence mechanism using a base64-encoded PowerShell command in a shortcut file.
The attack leverages a disguised Python executable to download and execute malicious scripts that disable antivirus, download the PXA Stealer, and establish persistence by adding a startup script.
PXA Stealer is a malicious Python program that evades detection, kills security processes, decrypts browser master keys from Chrome and Firefox, and steals sensitive data like passwords and cookies.
It extracts login credentials and cookies from various browsers by targeting specific URLs for important logins, saving them separately. All extracted data, including decrypted passwords, is stored in text files within the user’s temporary directory.
Among browser cookies, it treats Facebook cookies specially, using them to gather advertising account intelligence, and saves cookies from other browsers to separate files. A downloaded JavaScript component steals cookies and sends them to the attacker’s Telegram bot; the stealer also extracts and decrypts credit card details from the browser database.
According to Cisco Talos, the PXA Stealer targets sensitive user data by extracting and decrypting autofill form data from various browsers and Discord tokens from browsers and Discord applications.
It also steals user information from the MinSoftware application database, including passwords, two-factor authentication data, email addresses, and cookies.
PXA Stealer exploits Facebook cookies to harvest ad account details, page info, and group admin lists, and then gathers victim data like logins, cookies, and financial info before creating a compressed archive and exfiltrating it via Telegram.
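The persistence mechanism described earlier (a base64-encoded PowerShell command in a startup shortcut), the Python payload dropped as "synaptics.zip" into user profiles, and the Telegram exfiltration channel each leave traces a defender can look for in endpoint telemetry. The following is an added example, not code from the article or from Cisco Talos: it scans constructed process-creation and network-connection log lines for an encoded PowerShell command (and decodes it), for a Synaptics-named binary running from a user profile path, and for contact with the Telegram Bot API. The log line format, the path C:\Users\alice\synaptics\ and the use of api.telegram.org as the exfiltration endpoint are assumptions.

```python
import base64
import re

# PowerShell's -EncodedCommand (also accepted as -e/-ec/-en/-enc) carries base64 of UTF-16LE text.
ENC_RE = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncoded(?:command)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)
IMAGE_RE = re.compile(r"Image=(\S+)")
USER_PROFILE_RE = re.compile(r"[A-Za-z]:\\Users\\[^\\]+\\", re.I)

# Constructed sample telemetry (not real logs) mirroring the behaviours in the article.
ENCODED_CMD = base64.b64encode(
    "Start-Process $env:USERPROFILE\\synaptics\\synaptics.exe".encode("utf-16le")
).decode()
SAMPLE_LOGS = [
    "ProcessCreate Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -w hidden -enc " + ENCODED_CMD,
    "ProcessCreate Image=C:\\Users\\alice\\synaptics\\synaptics.exe CommandLine=synaptics.exe main.py",
    "NetworkConnect Image=C:\\Users\\alice\\synaptics\\synaptics.exe DestinationHostname=api.telegram.org",
    "ProcessCreate Image=C:\\Windows\\explorer.exe CommandLine=explorer.exe",
]


def decode_encoded_ps(blob: str):
    """Return the plaintext of an -EncodedCommand blob, or None if it is not one."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_line(line: str):
    """Return a list of (rule, detail) findings for one log line."""
    findings = []
    img = IMAGE_RE.search(line)
    image = img.group(1) if img else ""
    if "powershell" in line.lower():
        m = ENC_RE.search(line)
        if m:
            # Decoding the blob shows what the persistence entry actually launches.
            findings.append(("encoded_powershell", decode_encoded_ps(m.group(1)) or "<undecodable>"))
    # Genuine Synaptics driver components normally live under Program Files or System32;
    # the same name running from a user profile matches the dropped archive.
    if "synaptics" in image.lower() and USER_PROFILE_RE.search(image):
        findings.append(("synaptics_binary_in_user_profile", image))
    if "api.telegram.org" in line.lower():
        findings.append(("telegram_bot_api_contact", image))
    return findings


def scan_logs(lines):
    """Return [(line_index, findings)] for every line that triggered at least one rule."""
    return [(i, f) for i, line in enumerate(lines) if (f := scan_line(line))]


if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS):
        print(idx, hits)
```

Correlating the three rules on one host within a short window (encoded PowerShell, a user-profile "synaptics" binary, then a Telegram Bot API connection) gives a far stronger signal than any one of them alone, since each individually has benign look-alikes.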