PAS

Malware

⚠️ Overview

PAS (also tracked as PAS stealer or PAS trojan) is a credential-stealing malware first documented by Kaspersky in March 2022 as part of a broader campaign targeting cryptocurrency users in Latin America. Classified as an infostealer / stealer, PAS is operated by a financially motivated Spanish-speaking threat group tracked as Mekotio (also associated with the Grandoreiro and Casbaneiro families); analysis by ESET in 2023 confirmed its use in targeted attacks against banking credentials and cryptocurrency wallets in Brazil, Mexico, and Peru.

🔧 Technical Capabilities

PAS propagates primarily through phishing emails carrying malicious ZIP attachments or links that download an MSI installer, which in turn drops a Delphi-compiled payload; the initial stage uses obfuscated JavaScript to evade detection. The malware establishes command-and-control (C2) communication over HTTP/HTTPS using a custom XOR-encrypted protocol, often contacting hardcoded IP addresses or dynamic DNS domains. Persistence is achieved by creating a scheduled task or a registry Run key (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PAS) and by copying itself to the %AppData% folder under a random filename. A keylogger captures browser passwords and cryptocurrency wallet data, while a form-grabbing hook injected into Chrome, Firefox, and Edge processes steals credentials. Evasion techniques include checking for sandbox environments via debugger detection (the Windows API IsDebuggerPresent) and delaying execution to bypass dynamic analysis; recent variants (2024) are packed with UPX and use custom XOR-encoded strings to hide from signature-based scanners, as noted in a 2024 report by Group-IB.

📜 History & Notable Incidents

PAS first appeared in mid-2021 according to MITRE ATT&CK (mapped under S0532 for the parent Mekotio framework) but gained prominence in 2022 when Kaspersky documented a surge in infections tied to Brazilian bank users. In November 2023, the FBI and Brazilian Federal Police conducted a joint operation (Operation Red Black) arresting 17 individuals linked to the Mekotio gang, which also operates PAS. No specific CVEs are directly exploited by PAS itself, but the phishing infrastructure relies on CVE-2021-40444 (MSHTML remote code execution) in older campaigns, according to Kaspersky's 2023 annual review.

🔍 Detection Indicators

Known SHA-256 hashes for PAS samples include 2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2 (from VirusTotal, 2022-07-15) and e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7 (2023 variant). Behavioral indicators: creation of %AppData%\Roaming\Microsoft\WINDOWS\Helper.exe, a registry value named PASHelper under the Run keys, and network traffic to port 8080/tcp carrying XOR-encoded payloads with the header User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1). The mutex PAS_MUTEX_2021 is used to prevent multiple instances, as documented by Trend Micro's 2022 threat advisory.
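The following is an added example of turning the host and network indicators above (the Run-key persistence from the Technical Capabilities section, the dropped Helper.exe, the mutex, the static User-Agent and the opaque traffic to port 8080) into matching logic over endpoint and proxy telemetry. It is not code from the original page or from any of the vendors it cites; the event schema (plain dicts with a "type" key), the helper names and the sample events are constructed for illustration, while the indicator values are the ones the page lists.

```python
"""Match the PAS host and network indicators against constructed telemetry.

Added example for this page; not code from the page or any cited vendor.
The event schema and sample events are assumptions made for illustration.
"""

# Indicator values from the page text. Paths are compared case-insensitively.
PAS_INDICATORS = {
    "run_key_fragment": r"\software\microsoft\windows\currentversion\run",
    "run_value_names": {"pas", "pashelper"},
    "dropped_file_suffix": r"\microsoft\windows\helper.exe",
    "mutex": "PAS_MUTEX_2021",
    "user_agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)",
    "c2_port": 8080,
}

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def looks_opaque(body: bytes, threshold: float = 0.85) -> bool:
    """Heuristic for XOR-encoded request bodies: mostly non-printable bytes.

    An empty body is not treated as opaque so that bare GET requests do not alert.
    """
    if not body:
        return False
    printable = sum(1 for b in body if b in PRINTABLE)
    return printable / len(body) < threshold


def match_event(event: dict) -> list:
    """Return a list of (indicator, detail) tuples that fire for one event."""
    hits = []
    kind = event.get("type")
    if kind == "registry":
        path = event.get("path", "").lower()
        value = event.get("value_name", "")
        if PAS_INDICATORS["run_key_fragment"] in path and value.lower() in PAS_INDICATORS["run_value_names"]:
            hits.append(("run_key_persistence", f"{event['path']}\\{value}"))
    elif kind == "file":
        path = event.get("path", "").lower()
        if path.endswith(PAS_INDICATORS["dropped_file_suffix"]):
            hits.append(("dropped_helper_exe", event["path"]))
    elif kind == "mutex":
        if event.get("name") == PAS_INDICATORS["mutex"]:
            hits.append(("pas_mutex", event["name"]))
    elif kind == "http":
        endpoint = f"{event.get('dst_ip')}:{event.get('dst_port')}"
        if event.get("user_agent") == PAS_INDICATORS["user_agent"]:
            hits.append(("static_user_agent", endpoint))
        if event.get("dst_port") == PAS_INDICATORS["c2_port"] and looks_opaque(event.get("body", b"")):
            hits.append(("opaque_body_to_8080", endpoint))
    return hits


def scan_events(events) -> list:
    """Run match_event over a sequence of events and flatten the hits."""
    return [hit for event in events for hit in match_event(event)]


# Constructed sample telemetry: the first registry event, the file event, the
# first mutex event and the port-8080 HTTP event should fire; the rest should not.
SAMPLE_EVENTS = [
    {"type": "registry", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "PASHelper", "data": r"C:\Users\alice\AppData\Roaming\Microsoft\WINDOWS\Helper.exe"},
    {"type": "registry", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive", "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\Microsoft\WINDOWS\Helper.exe"},
    {"type": "mutex", "name": "PAS_MUTEX_2021"},
    {"type": "mutex", "name": r"Global\LegitUpdaterMutex"},
    {"type": "http", "dst_ip": "203.0.113.10", "dst_port": 8080,
     "user_agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)",
     "body": bytes(range(0x80, 0xA0)) * 4},
    {"type": "http", "dst_ip": "198.51.100.5", "dst_port": 443,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
     "body": b'{"status": "ok"}'},
]

if __name__ == "__main__":
    for indicator, detail in scan_events(SAMPLE_EVENTS):
        print(f"{indicator:22} {detail}")
```

The User-Agent string and the mutex are exact-match indicators and will age as variants change; the printable-byte heuristic on port 8080 is deliberately loose and is meant to be correlated with the other hits, not used as an alert on its own.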

☠️ Risk & Impact

PAS primarily targets banking credentials and cryptocurrency wallets, leading to direct financial theft; victims in Latin America have reported losses ranging from $5,000 to $200,000 per incident (source: Inter-American Development Bank 2023 report). The malware also exfiltrates browser cookies and saved passwords, enabling account takeovers on e-commerce and government portals. Affected sectors include retail banking, cryptocurrency exchanges, and e-commerce in Brazil, Mexico, and Argentina.

🛡️ Mitigation

Mitigation strategies include blocking MSI attachments in email gateways, enabling Windows Defender Attack Surface Reduction rules for credential theft, and deploying EDR with YARA rules (e.g., rule PAS_Stealer_2022 published by Malpedia). Organizations should apply Microsoft CVE-2021-40444 patches and enforce multi-factor authentication for all financial accounts. Kaspersky and Fortinet recommend network-level detection of the static User-Agent string and XOR patterns in HTTP traffic.
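As an added example of the gateway-side mitigation recommended above (blocking MSI attachments, and by extension the ZIP-wrapped MSI and JavaScript lures described under Technical Capabilities), the code below inspects an attachment in memory, looks one level into ZIP archives, and also catches an installer renamed to a harmless extension by checking for the OLE compound-file header that Windows Installer packages use. This is not code from the page or from any gateway product; the blocked-extension set, the allowlist of legacy Office extensions, the function names and the sample attachments are assumptions chosen for illustration.

```python
"""Attachment filter for the mail-gateway mitigation described above.

Added example, not code from the original page or any gateway product. The
policy (which extensions to block, one level of archive inspection, an OLE
header check) is an assumption for illustration; sample data is constructed.
"""
import io
import zipfile

# Attachment types the page names as PAS delivery vectors (MSI installers and
# obfuscated JavaScript). This is policy, not a fixed list; extend as needed.
BLOCKED_EXTENSIONS = (".msi", ".js")

# Windows Installer packages are OLE compound files, so a renamed .msi still
# begins with this header. Legacy Office formats share it, hence the allowlist.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OLE_DOCUMENT_EXTENSIONS = (".doc", ".xls", ".ppt", ".msg")


def check_blob(name: str, head: bytes) -> list:
    """Return reasons one file (top level or archive member) should be blocked."""
    reasons = []
    lower = name.lower()
    if lower.endswith(BLOCKED_EXTENSIONS):
        reasons.append(f"blocked extension: {name}")
    if head[:8] == OLE_MAGIC and not lower.endswith(OLE_DOCUMENT_EXTENSIONS):
        reasons.append(f"OLE container with non-document extension (possible renamed MSI): {name}")
    return reasons


def inspect_attachment(filename: str, data: bytes) -> tuple:
    """Return ("block" | "allow", reasons) for one attachment.

    ZIP archives are opened in memory and each member's first 8 bytes are
    read through check_blob; nothing is extracted to disk.
    """
    reasons = check_blob(filename, data)
    stream = io.BytesIO(data)
    if zipfile.is_zipfile(stream):
        stream.seek(0)
        with zipfile.ZipFile(stream) as archive:
            for member in archive.infolist():
                if member.is_dir():
                    continue
                with archive.open(member) as fh:
                    head = fh.read(8)
                reasons.extend(f"in archive: {r}" for r in check_blob(member.filename, head))
    return ("block" if reasons else "allow", reasons)


def triage(attachments: dict) -> dict:
    """Map each attachment name to its verdict."""
    return {name: inspect_attachment(name, data)[0] for name, data in attachments.items()}


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {member_name: bytes} (used for sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments: a ZIP-wrapped MSI, an MSI renamed to .pdf
# inside a ZIP, a clean ZIP, and a bare JavaScript file.
SAMPLE_ATTACHMENTS = {
    "factura.zip": build_zip({"factura.msi": OLE_MAGIC + b"\x00" * 64, "leeme.txt": b"hola"}),
    "comprobante.zip": build_zip({"comprobante.pdf": OLE_MAGIC + b"\x00" * 64}),
    "report.zip": build_zip({"report.pdf": b"%PDF-1.7\n", "notes.txt": b"ok"}),
    "script.js": b"var a = 'x';",
}

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        verdict, reasons = inspect_attachment(name, data)
        print(f"{name:18} {verdict:6} {'; '.join(reasons)}")
```

Only one archive level is inspected here; a production filter should bound nesting depth and member counts explicitly so that a crafted archive cannot turn the check into a decompression-bomb problem.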

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.