- A new variant of Linux malware offers advanced functionalities and escape mechanisms
- It has already infected thousands of devices around the world
- Passwords, credit card information, and more, at risk
A brand new Linux malware has been found infecting thousands of computers around the world, stealing people's login credentials, payment information and browser cookies, security researchers warn.
SentinelLabs and Beazley Security published a joint report detailing the activities of PXA Stealer, a new Python-based infostealer for the Linux platform.
It was first spotted at the end of 2024 and has since grown into a serious threat, successfully evading defensive tools while wreaking havoc around the world.
Side-loading
Since its creation, PXA Stealer has gone through several iterations, with the latest version stealing information from around 40 browsers: saved passwords, cookies, personally identifiable information (PII), autofill data, authentication tokens, and more.
It can target browser extensions for various cryptocurrency wallets, including Exodus, Magic Eden, Crypto.com and many others, and can extract data from sites such as Coinbase, Kraken and PayPal. Finally, it can inject a DLL into running browser instances to bypass their encryption mechanisms.
PXA Stealer is apparently distributed through phishing emails and malicious landing pages. The malicious attachments contain a legitimate program (such as a PDF reader) together with a weaponized DLL. When the program runs, it side-loads the DLL, deploying the malware without raising alarms.
More than 4,000 computers have been infected with PXA Stealer across 62 countries, the two companies said, suggesting that the campaign is rather successful.
However, the attackers, who appear to be of Vietnamese origin, are not interested in using the stolen data themselves; instead they sell it on the black market, via a Telegram group.
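The side-loading bundle described above (a legitimate executable shipped next to an attacker-supplied DLL in one attachment) leaves a simple structural fingerprint that mail gateways can screen for before a user ever opens the file. The following is an added example written for this article, not code from the SentinelLabs or Beazley Security report: it unpacks an archive attachment in memory and reports every directory that holds both an executable and a DLL, so the pair can be sent for further checks (signature validation, known-good hashes). The archive contents and file names are constructed for the demonstration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extension pairs that typically appear together in a side-loading bundle:
# a legitimate (often signed) executable beside an attacker-controlled DLL.
EXECUTABLE_EXTS = {".exe"}
LIBRARY_EXTS = {".dll"}


def find_sideload_candidates(zip_bytes: bytes) -> list[dict]:
    """Return one record per archive directory that contains at least one
    executable and at least one DLL. Co-located pairs are not proof of
    malice, but they are the shape of the attachment described in the
    article and deserve a closer look before delivery."""
    by_dir: dict[str, dict[str, list[str]]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)
            entry = by_dir.setdefault(str(path.parent), {"exe": [], "dll": []})
            ext = path.suffix.lower()
            if ext in EXECUTABLE_EXTS:
                entry["exe"].append(path.name)
            elif ext in LIBRARY_EXTS:
                entry["dll"].append(path.name)
    return [
        {"directory": d, "executables": v["exe"], "libraries": v["dll"]}
        for d, v in sorted(by_dir.items())
        if v["exe"] and v["dll"]
    ]


def build_sample_attachment() -> bytes:
    """Constructed sample: a 'PDF reader' executable and a DLL in the same
    folder (the suspicious shape), plus an unrelated text-only folder.
    File bodies are placeholders, not real PE images."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice/reader.exe", b"MZ placeholder executable")
        zf.writestr("invoice/version.dll", b"MZ placeholder library")
        zf.writestr("docs/readme.txt", b"just text")
    return buf.getvalue()


def build_benign_attachment() -> bytes:
    """Constructed sample with no executable/DLL pair, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/summary.pdf", b"%PDF placeholder")
        zf.writestr("report/notes.txt", b"just text")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("sample", build_sample_attachment()),
                        ("benign", build_benign_attachment())):
        print(label, find_sideload_candidates(data))
```

The check is deliberately narrow: it flags the bundle layout, not the files' behaviour, so it should feed a second stage (signature and hash verification of the executable, sandbox detonation) rather than block on its own.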
The majority of victims are located in South Korea, the United States, the Netherlands, Hungary and Austria.
"First observed in late 2024, this threat has since quietly grown into a highly evasive, multi-stage operation led by Vietnamese actors with apparent links to an organized Telegram-based cybercriminal market that sells stolen victim data," the researchers explained. So far, more than 200,000 stolen passwords, as well as hundreds of credit card records and more than four million cookies, have been collected.
Via The Register