De Phishing a Exfiltração: Uma Análise Profunda do PXA Stealer

Resumo

O relatório descreve um aumento acentuado na atividade do PXA Stealer, visando organizações financeiras no início de 2026. Agentes de ameaça disseminam arquivos ZIP maliciosos através de e-mails de phishing e dependem de uma cadeia de infecção em várias etapas que abusa de ferramentas legítimas do sistema e de um interpretador Python renomeado. Uma vez ativo, o malware rouba credenciais de navegadores, senhas salvas e dados de carteiras de criptomoedas, em seguida exfiltra as informações coletadas através do Telegram. A campanha destaca como os operadores ajustaram suas técnicas após interrupções anteriores em outros ecossistemas de infostealer.

Investigação

Pesquisadores da CyberProof reconstruíram toda a cadeia de ataque, começando com um e-mail de phishing que entregou um arquivo Pumaproject.zip malicioso e terminando com a exfiltração baseada no Telegram. Sua análise identificou o abuso do Certutil para decodificação, uma cópia do WinRAR disfarçada de picture.png para extração, uma pasta Dots oculta e um interpretador Python svchost.exe renomeado usado para lançar um script ofuscado vinculado a um identificador de bot. A persistência é mantida através de uma entrada de valor no registro.

Mitigação

Os defensores devem identificar anexos de arquivos suspeitos, monitorar a execução de scripts e LOLBins conhecidos de caminhos inesperados e bloquear o tráfego de saída para o Telegram, bem como TLDs incomuns como .shop and .xyz. As equipes de segurança também devem fortalecer os gateways de e-mail e aplicar controles rigorosos de execução para arquivos do Office e conteúdo baseado em script.

Resposta

Quando o PXA Stealer é detectado, isole o host afetado, capture evidências voláteis e procure os artefatos de arquivos referenciados e modificações de registro. Remova arquivos maliciosos, termine processos afetados e redefina quaisquer credenciais expostas. As equipes devem então realizar uma busca mais ampla por indicadores correspondentes em todo o ambiente e notificar as partes interessadas relevantes.

<div class="wp-block-socprime-category-attack-flow attack-flow-class" data-title="Attack Flow" data-attack-flow="graph TB %% Class definitions classDef action fill:#99ccff classDef tool fill:#cccccc classDef file fill:#ffeb99 classDef process fill:#ffcc99 classDef persistence fill:#c2f0c2 classDef exfil fill:#f4c2c2 %% Node definitions action_phishing["<b>Action</b> – <b>T1566.001 Phishing: Spearphishing Attachment</b><br/>Description: Email with malicious ZIP (Pumaproject.zip) containing Document.docx.exe."] class action_phishing action file_zip["<b>File</b> – Pumaproject.zip<br/><b>Contains</b>: Document.docx.exe"] class file_zip file action_user_exec["<b>Action</b> – <b>T1204.002 User Execution: Malicious File</b><br/>Description: Victim opens the attached executable."] class action_user_exec action process_malicious_exe["<b>Process</b> – Document.docx.exe"] class process_malicious_exe process action_execution_hijack["<b>Action</b> – <b>T1574 Hijack Execution Flow</b><br/>Description: Launches inter.cmd and uses certutil to decode payload from Shodan.pdf."] class action_execution_hijack action process_inter_cmd["<b>Process</b> – inter.cmd"] class process_inter_cmd process tool_certutil["<b>Tool</b> – certutil.exe<br/><b>Purpose</b>: Decode base64 content"] class tool_certutil tool file_shodan_pdf["<b>File</b> – Shodan.pdf<br/><b>Contains</b>: Base64 encoded payload"] class file_shodan_pdf file action_defense_embedded["<b>Action</b> – <b>T1027.009 Embedded Payloads</b><br/>Description: Payload hidden inside PDF file."] class action_defense_embedded action action_decode["<b>Action</b> – <b>T1140 Deobfuscate/Decode Files or Information</b><br/>Description: certutil decodes the payload."] class action_decode action action_hidden_dir["<b>Action</b> – <b>T1564.001 Hidden Files and Directories</b><br/>Description: Malware creates hidden folder "Dots" for intermediate files."] class action_hidden_dir action file_hidden_dir["<b>File</b> – Dots (hidden directory)"] class file_hidden_dir file action_relocate["<b>Action</b> – <b>T1070.010 Indicator Removal: Relocate Malware</b><br/>Description: Moves malicious files into hidden "Dots" directory."] class action_relocate action action_compression["<b>Action</b> – <b>T1027.015 Compression</b><br/>Description: WinRAR disguised as picture.png extracts password‑protected archive (password shodan2201)."] class action_compression action tool_winar["<b>Tool</b> – WinRAR (renamed picture.png)"] class tool_winar tool file_archive["<b>File</b> – Password protected archive (shodan2201)"] class file_archive file action_rc_script["<b>Action</b> – <b>T1037.004 RC Scripts</b><br/>Description: Portable Python dropped, renamed to svchost.exe and executed with $BOT_ID argument."] class action_rc_script action process_svc_host["<b>Process</b> – svchost.exe (malicious Python interpreter)"] class process_svc_host process action_active_setup["<b>Action</b> – <b>T1547.014 Active Setup</b><br/>Description: Registry entry added to run svchost.exe at startup."] class action_active_setup action action_com_hijack["<b>Action</b> – <b>T1546.015 COM Hijacking</b><br/>Description: COM hijacking registry entry created for automatic execution."] class action_com_hijack action action_cred_browser["<b>Action</b> – <b>T1555.003 Credentials from Web Browsers</b><br/>Description: Injects into browsers to steal passwords, cookies, crypto wallet data."] class action_cred_browser action action_cred_cookies["<b>Action</b> – <b>T1539 Steal Web Session Cookie</b><br/>Description: Extracts web session cookies for reuse."] class action_cred_cookies action action_keylogging["<b>Action</b> – <b>T1056.001 Input Capture: Keylogging</b><br/>Description: Captures keystrokes from the user."] class action_keylogging action action_exfil_telegram["<b>Action</b> – <b>T1567 Exfiltration Over Web Service</b><br/>Description: Sends collected data to attacker‑controlled Telegram channels."] class action_exfil_telegram exfil action_exfil_c2["<b>Action</b> – <b>T1041 Exfiltration Over C2 Channel</b>

graph TB %% Class definitions classDef action fill:#99ccff classDef tool fill:#cccccc classDef file fill:#ffeb99 classDef process fill:#ffcc99 classDef persistence fill:#c2f0c2 classDef exfil fill:#f4c2c2 %% Node definitions action_phishing[“<b>Action</b> – <b>T1566.001 Phishing: Spearphishing Attachment</b><br/>Description: Email with malicious ZIP (Pumaproject.zip) containing Document.docx.exe.”] class action_phishing action file_zip[“<b>File</b> – Pumaproject.zip<br/><b>Contains</b>: Document.docx.exe”] class file_zip file action_user_exec[“<b>Action</b> – <b>T1204.002 User Execution: Malicious File</b><br/>Description: Victim opens the attached executable.”] class action_user_exec action process_malicious_exe[“<b>Process</b> – Document.docx.exe”] class process_malicious_exe process action_execution_hijack[“<b>Action</b> – <b>T1574 Hijack Execution Flow</b><br/>Description: Launches inter.cmd and uses certutil to decode payload from Shodan.pdf.”] class action_execution_hijack action process_inter_cmd[“<b>Process</b> – inter.cmd”] class process_inter_cmd process tool_certutil[“<b>Tool</b> – certutil.exe<br/><b>Purpose</b>: Decode base64 content”] class tool_certutil tool file_shodan_pdf[“<b>File</b> – Shodan.pdf<br/><b>Contains</b>: Base64 encoded payload”] class file_shodan_pdf file action_defense_embedded[“<b>Action</b> – <b>T1027.009 Embedded Payloads</b><br/>Description: Payload hidden inside PDF file.”] class action_defense_embedded action action_decode[“<b>Action</b> – <b>T1140 Deobfuscate/Decode Files or Information</b><br/>Description: certutil decodes the payload.”] class action_decode action action_hidden_dir[“<b>Action</b> – <b>T1564.001 Hidden Files and Directories</b><br/>Description: Malware creates hidden folder “Dots” for intermediate files.”] class action_hidden_dir action file_hidden_dir[“<b>File</b> – Dots (hidden directory)”] class file_hidden_dir file action_relocate[“<b>Action</b> – <b>T1070.010 Indicator Removal: Relocate Malware</b><br/>Description: Moves malicious files into hidden “Dots” directory.”] class action_relocate action action_compression[“<b>Action</b> – <b>T1027.015 Compression</b><br/>Description: WinRAR disguised as picture.png extracts password‑protected archive (password shodan2201).”] class action_compression action tool_winar[“<b>Tool</b> – WinRAR (renamed picture.png)”] class tool_winar tool file_archive[“<b>File</b> – Password protected archive (shodan2201)”] class file_archive file action_rc_script[“<b>Action</b> – <b>T1037.004 RC Scripts</b><br/>Description: Portable Python dropped, renamed to svchost.exe and executed with $BOT_ID argument.”] class action_rc_script action process_svc_host[“<b>Process</b> – svchost.exe (malicious Python interpreter)”] class process_svc_host process action_active_setup[“<b>Action</b> – <b>T1547.014 Active Setup</b><br/>Description: Registry entry added to run svchost.exe at startup.”] class action_active_setup action action_com_hijack[“<b>Action</b> – <b>T1546.015 COM Hijacking</b><br/>Description: COM hijacking registry entry created for automatic execution.”] class action_com_hijack action action_cred_browser[“<b>Action</b> – <b>T1555.003 Credentials from Web Browsers</b><br/>Description: Injects into browsers to steal passwords, cookies, crypto wallet data.”] class action_cred_browser action action_cred_cookies[“<b>Action</b> – <b>T1539 Steal Web Session Cookie</b><br/>Description: Extracts web session cookies for reuse.”] class action_cred_cookies action action_keylogging[“<b>Action</b> – <b>T1056.001 Input Capture: Keylogging</b><br/>Description: Captures keystrokes from the user.”] class action_keylogging action action_exfil_telegram[“<b>Action</b> – <b>T1567 Exfiltration Over Web Service</b><br/>Description: Sends collected data to attacker‑controlled Telegram channels.”] class action_exfil_telegram exfil action_exfil_c2[“<b>Action</b> – <b>T1041 Exfiltration Over C2 Channel</b><br/>Description: Uses Telegram as C2 and exfiltration channel.”] class action_exfil_c2 exfil %% Connections action_phishing –>|delivers| file_zip file_zip –>|executes| action_user_exec action_user_exec –>|runs| process_malicious_exe process_malicious_exe –>|launches| action_execution_hijack action_execution_hijack –>|spawns| process_inter_cmd process_inter_cmd –>|uses| tool_certutil tool_certutil –>|decodes| file_shodan_pdf file_shodan_pdf –>|contains| action_defense_embedded action_defense_embedded –>|triggers| action_decode action_decode –>|creates| action_hidden_dir action_hidden_dir –>|creates| file_hidden_dir action_hidden_dir –>|stores| action_relocate action_relocate –>|moves files to| file_hidden_dir action_relocate –>|leads to| action_compression action_compression –>|uses| tool_winar tool_winar –>|extracts| file_archive file_archive –>|provides| action_rc_script action_rc_script –>|executes| process_svc_host process_svc_host –>|establishes| action_active_setup process_svc_host –>|establishes| action_com_hijack process_svc_host –>|enables| action_cred_browser process_svc_host –>|enables| action_cred_cookies process_svc_host –>|enables| action_keylogging action_keylogging –>|feeds data to| action_exfil_telegram action_cred_browser –>|feeds data to| action_exfil_telegram action_cred_cookies –>|feeds data to| action_exfil_telegram action_exfil_telegram –>|uses channel| action_exfil_c2

Fluxo de Ataque