200,000 passwords, credit card data and more stolen by this dangerous new malware — how to stay safe

Hackers are now using legitimate-looking software and documents to infect unsuspecting users with a new info-stealing malware capable of pilfering your passwords, credit card data and more.
As reported by The Hacker News, this new campaign is believed to be the work of Vietnamese-speaking cybercriminals who have begun deploying the PXA Stealer malware in their attacks.
First discovered by security researchers at Cisco Talos, PXA Stealer is an info-stealing malware written in Python. While it was initially used to target government organizations and businesses in the education sector throughout Europe and Asia, the hackers behind this new campaign have shifted their sights to go after ordinary people in the U.S., South Korea, the Netherlands, Hungary and Austria.
So far, SentinelOne has identified 4,000 unique IP addresses across 62 countries that have been infected by the PXA Stealer. What makes this particular campaign so dangerous is that, in addition to stealing saved passwords, cookies, credit card info and any other autofill data stored in your browser, as well as data from crypto wallets and popular applications like Discord, the hackers behind it are also using a number of tricks and techniques to avoid detection.
Here’s everything you need to know about this new malware campaign along with some tips and tricks to help you avoid falling victim to it.
Sideloading to avoid detection
In this new wave of attacks, the hackers responsible either tricked potential victims into visiting phishing sites or convinced them to download a ZIP file which, in addition to a signed copy of the free Haihaisoft PDF Reader, also contains a malicious dynamic-link library (DLL) file.
As SentinelOne’s security researchers explain in their report, this malicious DLL file is an essential part of this campaign as it’s what allows the PXA Stealer malware to establish persistence via the Windows Registry on infected systems. However, it’s also used to download additional malicious components like Windows executables that are hosted remotely on file-sharing sites like Dropbox.
Once the PDF reader is installed and launched, this malicious DLL creates a command line script that tells Microsoft’s Edge browser to open a virus-filled PDF file. While the file doesn’t actually open and an error message is displayed, the damage is done.
Besides using a free PDF reader as a lure, the hackers behind this campaign are also using a Microsoft Word 2013 executable to distribute the PXA Stealer malware. This executable looks like a standard Word file and arrives as an email attachment, but when opened, it uses a different malicious DLL file to achieve the same end goal: infecting your PC with info-stealing malware.
To move all of this stolen data off your computer, the hackers behind this campaign are using Telegram as an exfiltration channel. From there, the stolen passwords, credit card data and other sensitive personal information are sold on the dark web for other cybercriminals to use in their own attacks.
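The sideloading chain described above (a legitimate reader executable loading a DLL dropped next to it, which then launches a command-line script that opens Edge on a PDF) leaves a recognisable trail in endpoint telemetry. The following is an added detection example, not code from the article or from the researchers it cites; the process and file names are constructed placeholders and the event format is a simplified Sysmon-style record.

```python
"""Heuristics for the sideloading chain: a DLL loaded from the same user-writable
folder as its host EXE, and a reader -> cmd.exe -> msedge.exe <file>.pdf process tree.
All events below are constructed sample telemetry, not real logs."""
from pathlib import PureWindowsPath

SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\program files")

def is_user_writable(path: str) -> bool:
    """Crude rule: anything outside the standard system/program folders is user-writable."""
    return not path.lower().startswith(SYSTEM_DIRS)

def sideload_alerts(events):
    """Flag a DLL that a process loads from its own (user-writable) directory."""
    alerts = []
    for e in events:
        if e["type"] != "image_load" or not e["image"].lower().endswith(".dll"):
            continue
        exe_dir = PureWindowsPath(e["process"]).parent
        dll_dir = PureWindowsPath(e["image"]).parent  # PureWindowsPath compares case-insensitively
        if exe_dir == dll_dir and is_user_writable(str(exe_dir)):
            alerts.append(f"possible sideload: {e['process']} loaded {e['image']}")
    return alerts

def edge_pdf_chain_alerts(events):
    """Flag msedge.exe opening a .pdf when launched via cmd.exe from a non-shell parent."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    alerts = []
    for e in procs.values():
        if PureWindowsPath(e["image"]).name.lower() != "msedge.exe" or ".pdf" not in e["cmdline"].lower():
            continue
        parent = procs.get(e["ppid"])
        if parent and PureWindowsPath(parent["image"]).name.lower() == "cmd.exe":
            grandparent = procs.get(parent["ppid"])
            origin = grandparent["image"] if grandparent else "unknown"
            alerts.append(f"suspicious chain: {origin} -> cmd.exe -> msedge.exe {e['cmdline']}")
    return alerts

EVENTS = [  # constructed sample telemetry; "pdfreader.exe" and "helper.dll" are placeholders
    {"type": "process_create", "pid": 100, "ppid": 1, "image": r"C:\Users\bob\Downloads\reader\pdfreader.exe", "cmdline": "pdfreader.exe"},
    {"type": "image_load", "pid": 100, "process": r"C:\Users\bob\Downloads\reader\pdfreader.exe", "image": r"C:\Users\bob\Downloads\reader\helper.dll"},
    {"type": "image_load", "pid": 100, "process": r"C:\Users\bob\Downloads\reader\pdfreader.exe", "image": r"C:\Windows\System32\kernel32.dll"},
    {"type": "process_create", "pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c open.bat"},
    {"type": "process_create", "pid": 102, "ppid": 101, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "cmdline": r'msedge.exe "C:\Users\bob\Downloads\invoice.pdf"'},
]

if __name__ == "__main__":
    for alert in sideload_alerts(EVENTS) + edge_pdf_chain_alerts(EVENTS):
        print(alert)
```

Both rules fire on the constructed sample; the system DLL load from System32 is correctly ignored, which is what keeps the sideload rule from drowning in noise on a real host.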
How to stay safe from malware
Everywhere you turn online these days, there seem to be hackers lurking around the corner, waiting to infect your devices with malware in order to steal your data.
In this particular campaign, the hackers behind it used either phishing sites or malicious email attachments to trick unsuspecting users. This is why you need to be extra careful when checking your inbox.
Don’t just click on any link you see in an email. Instead, you want to hover your mouse over the link to see where it’s taking you. If you don’t recognize the URL, don’t click on the link. Likewise, when it comes to email attachments, you always want to be wary when an unknown sender attaches a file to an email they’ve sent you. When in doubt, if you don’t recognize the sender, don’t download the attachment even if it appears to be legitimate at first glance.
Given that the PXA Stealer and other malware strains often target the data you’ve stored in your browser, you should avoid keeping sensitive information in it when possible. For instance, instead of having your browser store your saved passwords, you should use one of the best password managers instead. The same thing goes for your credit card details and other sensitive information.
While I would normally recommend keeping your PC protected with the best antivirus software, the hackers behind this campaign used all sorts of clever tricks and techniques to avoid having their malware detected. In this case, it’s up to you to use your best judgement when clicking on links or downloading files online. Still, it never hurts to use a reliable antivirus to keep you protected from other viruses and threats online.
Given that the PXA Stealer was first used to target governments and educational organizations before regular people, I don’t think this is the last we’ve seen of this info-stealing malware yet. Instead, other hackers may try to use this malware strain in future attacks.