Security News: Hackers Use Phishing ZIP Files to Deploy PXA Stealer Against Financial Firms

Parkinsond
Dec 6, 2023
The attack starts when a victim is tricked into downloading a ZIP archive named Pumaproject.zip from the domain downloadtheproject[.]xyz.

[Screenshots attached: Capture.JPG, Capture2.JPG]

The archive contains a file called Document.docx.exe, designed to look like a harmless Word document.
Display file properties before execution.

When the victim runs it, the malware springs into action, extracting a Python interpreter, several Python libraries, and malicious scripts, while creating a hidden folder called “Dots” to store the remaining attack components.

Inside the “Dots” folder, the attackers store a legitimate WinRar binary renamed as picture.png, alongside an encrypted archive disguised as Shodan.pdf.

Its contents land in C:\Users\Public\WindowsSecure, and the Python interpreter is renamed to svchost.exe to pass as a trusted Windows process.
Enable "Block use of copied or impersonated system tools" ASR rule to block the Python interpreter.
A heavily obfuscated Python script, disguised as images.png, is then launched with the $BOT_ID argument pointing to “Verymuchxbot.”
Enable "Block execution of potentially obfuscated scripts" ASR rule; it might help block the Python script.

The script hooks into the victim’s browsers to intercept credentials and crypto wallet data during active sessions.

All stolen data is finally sent out over Telegram to attacker-controlled channels.

Outbound connections to top-level domains such as .xyz, .shop, .info, and .net should be blocked.

 
Setting aside the fact that the domain extension looks highly suspicious at first glance, we assume that by now everyone has enabled “always HTTPS” in their browser.
This is an infection that shouldn't even get a chance to start.

P.S.

I removed the link, even though it wasn't clickable.
 
Information for everyone:
The Security News forum section is no place for posting VT detection links, or detections by various browser extensions, AVs, or certain DNS services.
In the past it was okay for one or two Security News threads per week, but recently it's every day, like this thread.
Malicious URLs or phishing links shouldn't be visible, for security reasons.

The purpose of the Security News forum section is only to inform about the latest threats and discuss them, not to test them.
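The lure in the first post (Document.docx.exe inside Pumaproject.zip, a WinRAR binary renamed picture.png, an archive renamed Shodan.pdf) is exactly what a mail gateway or a careful user can catch before anything runs. The following is an added example, not code from this thread or from any vendor write-up: a Python inspector that opens a ZIP and flags members whose last extension is executable, whose double extension borrows a document name, or whose magic bytes disagree with the extension they carry. The sample archive is constructed in memory and its members hold only a few signature bytes of each format, not real samples; it also bundles the renamed WinRAR and the archive-as-PDF that the real chain only creates after execution, so that the magic-byte check is exercised. The extension and signature tables are illustrative, not complete.

```python
from __future__ import annotations

import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs on double-click (illustrative list, extend as needed).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".msi"}
# Extensions a lure borrows so that "Document.docx.exe" reads as a document.
DECOY_EXTS = {".docx", ".doc", ".pdf", ".xlsx", ".xls", ".png", ".jpg", ".jpeg", ".txt"}

# Leading bytes -> real content type.  docx/xlsx are zip containers themselves.
MAGIC = [
    (b"MZ", "pe"),
    (b"Rar!\x1a\x07", "rar"),
    (b"%PDF", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),
]
# What a file with this extension should actually contain.
EXPECTED_TYPE = {".exe": "pe", ".scr": "pe", ".pdf": "pdf", ".png": "png",
                 ".docx": "zip", ".xlsx": "zip", ".zip": "zip", ".rar": "rar"}


def sniff(head: bytes) -> str:
    """Identify a member by its first bytes, ignoring whatever name it carries."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def inspect_zip(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive member: detected type plus reasons to distrust it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            last = suffixes[-1] if suffixes else ""
            with zf.open(info) as fh:            # raises on password-protected members
                kind = sniff(fh.read(16))
            reasons = []
            if last in EXECUTABLE_EXTS:
                reasons.append("executable extension")
            if len(suffixes) >= 2 and last in EXECUTABLE_EXTS and suffixes[-2] in DECOY_EXTS:
                reasons.append("deceptive double extension")
            expected = EXPECTED_TYPE.get(last)
            if kind == "pe" and expected != "pe":
                reasons.append("PE executable under non-executable name")
            elif expected and kind not in ("unknown", expected):
                reasons.append(f"content is {kind}, name claims {last}")
            findings.append({"name": info.filename, "type": kind, "reasons": reasons})
    return findings


def verdict(findings: list[dict]) -> str:
    """Gateway decision: quarantine the whole archive if any member is suspect."""
    return "quarantine" if any(f["reasons"] for f in findings) else "allow"


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the thread's lure; contents are format signatures, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Pumaproject/Document.docx.exe", b"MZ" + b"\x00" * 62)   # PE behind a document name
        zf.writestr("Pumaproject/Dots/picture.png", b"MZ" + b"\x00" * 62)    # renamed WinRAR binary
        zf.writestr("Pumaproject/Dots/Shodan.pdf", b"Rar!\x1a\x07\x01\x00")  # RAR archive renamed .pdf
        zf.writestr("Pumaproject/readme.txt", b"project notes")              # harmless member
    return buf.getvalue()


if __name__ == "__main__":
    results = inspect_zip(build_sample_zip())
    for f in results:
        print(f"{f['name']:<36} {f['type']:<8} {', '.join(f['reasons']) or 'ok'}")
    print("verdict:", verdict(results))
```

Run it directly to print one line per member and the gateway verdict. The check that matters most is the magic-byte one: the double-extension trick disappears as soon as the attacker ships a plain .exe with a document icon, but a PE still starts with MZ whatever it is called. The inspector does not handle password-protected archives (zf.open raises on them); a gateway should treat those as quarantine-worthy on their own.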
 
Executive Summary
A surging cybercrime campaign is utilizing phishing emails to deploy PXA Stealer against global financial institutions.

Confirmed Facts
The threat actors utilize ZIP archives downloaded from malicious URLs to execute a multi-stage infection chain that relies on renamed legitimate binaries and the Windows certutil tool to extract an obfuscated Python script.

Assessment
This indicates a high-sophistication evasion strategy designed to blend malicious activity with standard administrative processes, effectively replacing dismantled infostealers like Lumma and RedLine in the cybercrime ecosystem.

Technical Analysis & Remediations

MITRE ATT&CK Mapping

T1566.002 - Phishing: Spearphishing Link
T1036.003 - Masquerading: Rename System Utilities
T1140 - Deobfuscate/Decode Files or Information (certutil)
T1059 - Command and Scripting Interpreter (Python)
T1552.001 - Obfuscated Files or Information
T1048 - Exfiltration Over Alternative Protocol (Telegram)

CVE Profile
N/A [NVD Score: Unknown] [CISA KEV Status: Inactive]
The attack heavily relies on social engineering and living-off-the-land binaries (LOLBins) rather than specific vulnerability exploitation.

Telemetry

Hashes
1f506d0bd3025e133e71071df6a1bc9afb3abe1d32c50546a419685b04bfb40e

Domains
downloadtheproject[.]xyz

File Paths
C:\Users\Public\WindowsSecure
"Dots" (hidden folder)

File Names
Pumaproject[.]zip
Document.docx[.]exe
picture[.]png (WinRar)
Shodan[.]pdf (Encrypted archive)
svchost[.]exe (Python interpreter)
images[.]png (Python script)

Bot ID
Verymuchxbot

Registry Keys
The structure suggests an automatic startup execution or Run/RunOnce key modification, as the source states it "writes a registry entry to ensure it keeps running", though the exact key is Unknown. File sizes and container types beyond ZIP/RAR are Unknown.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Issue a high-priority security advisory to HR, Legal, and Finance departments regarding incoming resumes, tax forms, and invoices containing .xyz, .shop, .info, or .net domain links.

DETECT (DE) – Monitoring & Analysis

Hunt for certutil[.]exe execution events targeting .pdf extensions.

Create SIEM alerts for the creation of the hidden folder "Dots" or anomalous binary execution from C:\Users\Public\WindowsSecure.

Monitor for abnormal network connections to the Telegram API originating from standard endpoints.

RESPOND (RS) – Mitigation & Containment

Isolate any host exhibiting the execution of Document.docx[.]exe or a Python process masquerading as svchost[.]exe.

RECOVER (RC) – Restoration & Trust

Validate the removal of all associated registry persistence mechanisms and the C:\Users\Public\WindowsSecure directory before returning the host to production.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Update email gateways to heavily scrutinize or quarantine ZIP/RAR attachments originating from external sources with top-level domains matching the IOCs.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Disconnect from the internet immediately. (Environmental Reality Check confirms vulnerability, as certutil is an enabled default component on Windows Home.)

Do not log into banking/email until verified clean.

Priority 2: Identity

Reset passwords/MFA using a known clean device (e.g., phone on 5G), focusing specifically on browser-saved passwords and cryptocurrency wallets, as these are the primary targets of PXA Stealer.

Priority 3: Persistence

Check Scheduled Tasks, Startup Folders, and Browser Extensions. Specifically, audit the registry for newly added persistence entries, and look for unauthorized folders like "Dots" or C:\Users\Public\WindowsSecure.

Hardening & References

Baseline

CIS Benchmarks for Windows 10/11 (Restrict execution of certutil for non-administrative users).

Framework
NIST CSF 2.0 / SP 800-61r3.

Source

CyberProof Threat Research

Cybersecurity News Publication
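The DETECT section above describes three hunts (certutil execution with .pdf-named input, files staged in the hidden "Dots" folder or execution from C:\Users\Public\WindowsSecure, and Telegram API traffic) and the first post adds a fourth, the Python interpreter renamed svchost.exe. The block below is an added example, not code from the thread, CyberProof or any vendor: it expresses those hunts as rules over Sysmon-style event records (event ID 1 process creation with Image, CommandLine and OriginalFileName; event ID 11 file creation with TargetFilename; event ID 22 DNS query with QueryName). The six sample events are constructed; the certutil command line, the location of the Dots folder and the argument the renamed interpreter receives are assumptions, since the thread gives none of them.

```python
import ntpath

# Rules use Sysmon field names: Image, CommandLine, OriginalFileName (event 1),
# TargetFilename (event 11) and QueryName (event 22).  The staging directory and
# folder name come from the thread; everything else here is assumed for the example.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "conhost.exe", "explorer.exe"}
STAGING_DIRS = ("c:\\users\\public\\windowssecure\\",)   # widen to c:\users\public\ once tuned
DECOY_EXTS = (".pdf", ".png", ".jpg", ".docx")
TELEGRAM_HOSTS = {"api.telegram.org"}


def _norm(path: str) -> str:
    return path.strip('"').lower()


def rule_masquerade(ev: dict):
    """T1036.003: system-binary name outside the system dirs, or version info naming a different file."""
    if ev["event_id"] != 1:
        return None
    image = _norm(ev["Image"])
    base = ntpath.basename(image)
    if base in SYSTEM_BINARIES and not image.startswith(SYSTEM_DIRS):
        return f"{base} running from {ntpath.dirname(image)}"
    original = ev.get("OriginalFileName", "").lower()
    if original and original != base:        # a renamed python.exe still says python.exe here
        return f"{base} has OriginalFileName {original}"
    return None


def rule_certutil(ev: dict):
    """T1140: certutil -decode whose input pretends to be a document or image."""
    if ev["event_id"] != 1 or ntpath.basename(_norm(ev["Image"])) != "certutil.exe":
        return None
    args = [a.strip('"') for a in ev["CommandLine"].lower().split()]   # naive split, no spaces in paths
    if not any(a in ("-decode", "-decodehex") for a in args):
        return None
    decoys = [a for a in args if a.endswith(DECOY_EXTS)]
    return f"certutil decoding {decoys[0]}" if decoys else "certutil -decode with unusual input"


def rule_staging_exec(ev: dict):
    """Any process image launched from the directory the stealer unpacks into."""
    if ev["event_id"] == 1 and _norm(ev["Image"]).startswith(STAGING_DIRS):
        return f"execution from {ntpath.dirname(_norm(ev['Image']))}"
    return None


def rule_dots_folder(ev: dict):
    """A file written into a folder named Dots, or attrib +h hiding such a folder."""
    if ev["event_id"] == 11 and "dots" in _norm(ev["TargetFilename"]).split("\\")[:-1]:
        return f"file staged in Dots folder: {ev['TargetFilename']}"
    if ev["event_id"] == 1 and ntpath.basename(_norm(ev["Image"])) == "attrib.exe":
        cmd = ev["CommandLine"].lower()
        if "+h" in cmd and "dots" in cmd:
            return "Dots folder hidden with attrib +h"
    return None


def rule_telegram(ev: dict):
    """T1048: Bot API name resolution by an endpoint process; allowlist any process that legitimately needs it."""
    if ev["event_id"] == 22 and ev["QueryName"].lower() in TELEGRAM_HOSTS:
        return f"{ntpath.basename(_norm(ev['Image']))} resolved {ev['QueryName']}"
    return None


RULES = (rule_masquerade, rule_certutil, rule_staging_exec, rule_dots_folder, rule_telegram)


def evaluate(events: list) -> list:
    """Run every rule over every event; one alert per (event, rule) hit."""
    alerts = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            detail = rule(ev)
            if detail:
                alerts.append({"event": idx, "rule": rule.__name__, "detail": detail})
    return alerts


# Constructed telemetry: one benign svchost, the renamed interpreter, the certutil step,
# the renamed WinRAR landing in Dots, the Bot API lookup, and a benign DNS query.
SAMPLE_EVENTS = [
    {"event_id": 1, "Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"event_id": 1, "Image": r"C:\Users\Public\WindowsSecure\svchost.exe", "OriginalFileName": "python.exe",
     "CommandLine": r'"C:\Users\Public\WindowsSecure\svchost.exe" images.png'},
    {"event_id": 1, "Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r'certutil -decode "C:\Users\Public\Dots\Shodan.pdf" C:\Users\Public\WindowsSecure\stage.rar'},
    {"event_id": 11, "Image": r"C:\Users\Public\WindowsSecure\svchost.exe",
     "TargetFilename": r"C:\Users\Public\Dots\picture.png"},
    {"event_id": 22, "Image": r"C:\Users\Public\WindowsSecure\svchost.exe", "QueryName": "api.telegram.org"},
    {"event_id": 22, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "www.example.com"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"event {alert['event']}: {alert['rule']}: {alert['detail']}")
```

The OriginalFileName comparison is the cheap version of the "Block use of copied or impersonated system tools" ASR rule recommended in the first post: a renamed python.exe keeps python.exe in its version resource, so the rename is visible in the process-creation event without hashing anything. Expect noise from legitimate binaries whose version resource does not match their file name, tune the staging-directory list before widening it to all of C:\Users\Public, and give the Telegram rule an allowlist if any process in your environment legitimately uses the Bot API.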
 