Analytics Story: PXA Stealer

Date: 2024-11-18 ID: 66f64651-e4e0-4d3b-8d7d-41d8e598e4e1 Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

This following analytic story contains detections related to the PXA Stealer, a malicious software tool designed to covertly extract sensitive information from infected systems. This data-stealing malware targets credentials, personal data, browsing information, and financial information by exploiting system vulnerabilities or tricking users into downloading it via phishing campaigns or malicious links. PXA Stealer often operates stealthily, bypassing security measures and transmitting stolen data to cybercriminals. Its capabilities make it a significant threat to individuals and organizations, emphasizing the need for robust cybersecurity defenses and awareness.

Why it matters

The PXA Stealer initiates its attack in disguise, often concealed within phishing emails or dubious downloads. Once executed, it infiltrates the system undetected, harvesting credentials, financial information, and personal files. Its cunning lies in its ability to evade antivirus software and blend into normal processes. However, its subtle movements leave traces. Unusual system slowdowns, unauthorized login attempts, or increased network activity can indicate its presence. To detect and prevent it, maintain updated antivirus software, enable multi-factor authentication, and avoid clicking on suspicious links or attachments. Vigilance and proactive monitoring are key defenses against this silent intruder.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Any Powershell DownloadFile Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer TTP
Detect Outlook exe writing a zip file Phishing, Spearphishing Attachment TTP
Powershell Processing Stream Of Data Command and Scripting Interpreter, PowerShell TTP
Suspicious Process DNS Query Known Abuse Web Services Visual Basic, Command and Scripting Interpreter TTP
Suspicious Process With Discord DNS Query Visual Basic, Command and Scripting Interpreter Anomaly
Windows Credential Access From Browser Password Store Query Registry Anomaly
Windows Credentials from Password Stores Chrome LocalState Access Query Registry Anomaly
Windows Credentials from Password Stores Chrome Login Data Access Query Registry Anomaly
Windows Disable or Modify Tools Via Taskkill Impair Defenses, Disable or Modify Tools Anomaly
Windows Gather Victim Network Info Through Ip Check Web Services IP Addresses, Gather Victim Network Information Hunting
Windows Non Discord App Access Discord LevelDB Query Registry Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Powershell Script Block Logging 4104 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4663 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References

Source: GitHub | Version: 1