One Article Review

The article:
Source: RiskIQ
Identifier: 8611251
Publication date: 2024-11-14 18:57:01 (viewed: 2024-11-14 19:08:27)
Title: New PXA Stealer targets government and education sectors for sensitive information
Text:

#### Targeted Geolocations
- India
- Denmark
- Sweden

#### Targeted Industries
- Education
- Government Agencies & Services

## Snapshot
Cisco Talos identified a campaign by a Vietnamese-speaking threat actor targeting government and education entities in Europe and Asia using a Python program called PXA Stealer. The malware targets a wide range of sensitive data, including credentials for various online accounts, VPN and FTP clients, financial information, browser cookies, and data from gaming software.

## Description
PXA Stealer can decrypt browser master passwords to steal stored credentials, and it interacts with Facebook Ads Manager and the Graph API to collect Facebook ads account data. The threat actor employs complex obfuscation techniques and uses a Telegram bot for data exfiltration.

The infection chain starts with a phishing email containing a ZIP file with a malicious loader executable and obfuscated batch scripts. Once executed, these scripts download additional payloads, disable antivirus programs, and establish persistence through registry keys and startup folder scripts.

PXA Stealer kills processes related to security software and retrieves a variety of information, including browser login data, cookies, credit card information, and autofill form data. It also extracts and validates Discord tokens and steals user information from the MinSoftware application database.

After collecting the targeted data, PXA Stealer compiles it into a ZIP archive named with the victim's country code, public IP, and computer name, and exfiltrates it to the attacker's Telegram bot. The malware then deletes the folders containing the collected user data to cover its tracks.

The attacker's infrastructure includes hosting malicious scripts on a domain associated with a Vietnamese SEO service provider, and the actor promotes underground activities such as selling accounts, credentials, and money laundering data on Telegram channels.
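As an added example (not code from Talos, Microsoft or RiskIQ), the Python triage pass below turns the behaviours described above into detection rules and runs them over a handful of constructed endpoint events: a batch loader executed from a ZIP extracted under Temp, Run-key and Startup-folder persistence, a taskkill against a security process, and a document upload to a Telegram bot. The event shape and field names, hostnames, paths, the api.telegram.org Bot API endpoint used to stand in for "a Telegram bot", the security process names, and the `CC_IP_HOST.zip` archive-name layout are all assumptions; the article gives the three fields in the archive name but not how they are joined.

```python
"""Added example, not Talos/Microsoft code: rule-based triage of constructed
endpoint telemetry for the PXA Stealer behaviours described in the article.
Event fields, hosts, paths, process names, the api.telegram.org endpoint and
the archive-name format are assumptions."""
import re

# Constructed sample telemetry (not real data): one dict per Sysmon-like event.
SAMPLE_EVENTS = [
    {"host": "WS-01", "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\Temp1_invoice.zip\update.bat"'},
    {"host": "WS-01", "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sysupd",
     "value": r"C:\Users\alice\AppData\Roaming\sysupd\run.bat"},
    {"host": "WS-01", "type": "file",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysupd.bat"},
    {"host": "WS-01", "type": "process", "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM MsMpEng.exe"},
    {"host": "WS-01", "type": "network", "dest_host": "api.telegram.org", "method": "POST",
     "url": "https://api.telegram.org/bot000000:PLACEHOLDER/sendDocument",
     "filename": "DK_203.0.113.7_WS-01.zip"},
    # Noise on a second host: a Telegram text message and an ordinary cmd.exe.
    {"host": "WS-02", "type": "network", "dest_host": "api.telegram.org", "method": "POST",
     "url": "https://api.telegram.org/bot000000:PLACEHOLDER/sendMessage", "filename": ""},
    {"host": "WS-02", "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
]

# Assumed archive-name layout: <ISO country code>_<public IPv4>_<computer name>.zip.
# The article names the three fields; the underscore separator is a guess.
ARCHIVE_NAME = re.compile(r"^[A-Z]{2}_(?:\d{1,3}\.){3}\d{1,3}_[\w.-]+\.zip$")

SECURITY_PROCS = ("MsMpEng.exe", "MsSense.exe", "avp.exe")  # illustrative list only


def matches_exfil_archive_name(name):
    return bool(ARCHIVE_NAME.match(name or ""))


def rule_loader_from_zip(e):
    # cmd.exe running a .bat straight out of a ZIP extracted under the Temp folder
    return e["type"] == "process" and re.search(
        r"\\Temp\\.*\.zip\\[^\\]+\.bat", e.get("cmdline", ""), re.I) is not None


def rule_run_key(e):
    return e["type"] == "registry" and re.search(
        r"\\CurrentVersion\\Run(Once)?\\", e.get("key", ""), re.I) is not None


def rule_startup_folder(e):
    return e["type"] == "file" and re.search(
        r"\\Start Menu\\Programs\\Startup\\", e.get("path", ""), re.I) is not None


def rule_kill_security(e):
    if e["type"] != "process" or not e["image"].lower().endswith("taskkill.exe"):
        return False
    cmd = e.get("cmdline", "").lower()
    return any(p.lower() in cmd for p in SECURITY_PROCS)


def rule_telegram_document_upload(e):
    # Bot API file upload (sendDocument); a plain sendMessage is not flagged
    return (e["type"] == "network" and e.get("dest_host") == "api.telegram.org"
            and e.get("method") == "POST" and "/sendDocument" in e.get("url", ""))


def rule_named_archive_upload(e):
    return e["type"] == "network" and matches_exfil_archive_name(e.get("filename"))


RULES = {
    "loader_from_zip": rule_loader_from_zip,
    "run_key_persistence": rule_run_key,
    "startup_folder_persistence": rule_startup_folder,
    "security_process_kill": rule_kill_security,
    "telegram_document_upload": rule_telegram_document_upload,
    "victim_named_archive": rule_named_archive_upload,
}


def triage(events):
    """Return {host: {"matched": [rule names], "verdict": "high" | "low"}}."""
    hits = {e["host"]: set() for e in events}
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits[e["host"]].add(name)
    out = {}
    for host, names in hits.items():
        persistence = names & {"run_key_persistence", "startup_folder_persistence"}
        exfil = names & {"telegram_document_upload", "victim_named_archive"}
        # Any single rule is noisy on its own; escalate only on persistence plus
        # exfiltration plus at least one more of the described behaviours.
        verdict = "high" if persistence and exfil and len(names) >= 3 else "low"
        out[host] = {"matched": sorted(names), "verdict": verdict}
    return out


if __name__ == "__main__":
    for host, r in triage(SAMPLE_EVENTS).items():
        print(host, r["verdict"], ", ".join(r["matched"]) or "-")
```

The point of the combination rule is precision: Telegram Bot API traffic, a Run key write or a taskkill each occur legitimately, but a host that shows persistence, a document upload to a bot and a third behaviour from the same chain in a short window is worth an analyst's time. In production the constructed events would be replaced by the EDR's process, registry, file and network telemetry, and the archive-name regex adjusted once the real naming scheme is confirmed from a sample.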
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of information stealer threats.

- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments on inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) f
Notes: ★★★
Sent: Yes
Tags: Ransomware Spam Malware Tool Threat


The article does not appear to have been picked up after its publication.


The article resembles 1 other article(s):

Source: RiskIQ
Date (GMT): 2024-11-15 18:31:22 (already seen)
Title: BabbleLoader (direct link)
Description:

## Snapshot
Researchers from Intezer released a technical analysis of BabbleLoader, an evasive malware loader designed to bypass antivirus and sandbox environments while delivering malicious payloads such as information stealers directly into memory.

## Description
BabbleLoader employs several advanced techniques, including junk code insertion, metamorphic transformations, and dynamic API resolution, to evade both traditional and AI-based detection systems. The loader resolves APIs at runtime and decrypts payloads in memory, avoiding static analysis and signature detection. It uses extensive anti-sandboxing measures, such as checking for virtualized environments, analyzing graphics adapter configurations, and counting unique running processes to differentiate real systems from sandboxes. Its junk code overwhelms disassembly tools, creating "noise" that hampers both manual and automated analysis. Each build of BabbleLoader is unique, with randomized metadata, control flows, and encryption keys, making detection and analysis challenging.

BabbleLoader has been observed in campaigns targeting a wide audience, from individuals downloading pirated software to professionals in finance and HR, often disguised as legitimate business tools. The malware targets both English- and Russian-speaking victims. In recent samples, it has delivered payloads like the WhiteSnake and Meduza stealers, which communicate with their command-and-control servers via advanced methods, such as leveraging TOR. The loader's complexity imposes significant computational costs on AI-driven defenses, effectively weaponizing its obfuscation tactics against security tools.

BabbleLoader exemplifies the ongoing arms race between threat actors and cybersecurity vendors, showing how malware developers actively adapt to security research to maintain an edge in evasion and persistence.

## Microsoft Analysis and Additional OSINT Context
In recent years, Microsoft has tracked the growing risk that [information stealers](https://security.microsoft.com/intel-profiles/byExternalId/2296d491ea381b532b24f2575f9418d4b6723c17b8a1f507d20c2140a75d16d6) pose to enterprise security. Information stealers are commodity malware used to steal information from a target device and send it to the threat actor. The popularity of this class of malware led to the emergence of an information stealer ecosystem and a new class of threat actors who leverage these capabilities to conduct their attacks. Infostealers are often advertised as a malware-as-a-service (MaaS) offering, a business model in which the developers lease the infostealer payload to distributors for a fee.

Discovered in 2023, [Meduza Stealer](https://www.uptycs.com/blog/threat-research-report-team/what-is-meduza-stealer-and-how-does-it-work) has gained notoriety as a versatile information stealer with an extensive range of targets, including over 100 web browsers and 107 cryptocurrency wallets. It is capable of harvesting a broad spectrum of data, such as login credentials, browsing history, bookmarks, autocomplete entries, and sensitive information stored in applications. [WhiteSnake Stealer](https://blog.sonicwall.com/en-us/2024/03/whitesnake-stealer-unveiling-the-latest-version-less-obfuscated-more-dangerous/), also first identified in 2023, distinguishes itself not only with its data theft capabilities but also with advanced remote access features. These allow attackers to execute commands for keylogging, taking screenshots, decrypting system data, capturing webcam photos, and even uninstalling the malware itself. Despite its remote access functionality, it remains highly effective at stealing information, targeting web browser data, cryptocurrency wallets, and email client applications for exfiltration.

## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Check y

Tags: Ransomware Spam Malware Tool Threat Technical
Notes: ★★★