A new variant of cryptocurrency stealers is being distributed via a global spam campaign and possibly via Discord channels.
Referred to as a Panda Stealer, Trend Micro researcher said this week that the malware has been found targeting individuals in countries such as the US, Australia, Japan, and Germany.
The malware begins its chain of infection through phishing emails, and samples uploaded to VirusTotal also suggest that victims have downloaded executable files from malicious websites through Discord links.
Panda Stealer’s phishing emails pretend to be business inquiries. So far, two methods have been linked to the campaign: The first uses attached .XLSM documents that require victims to enable malicious macros.
If macros are allowed, a loader then downloads and executes the main stealer.
In the second chain, an attached .xls file contains an Excel formula that hides a PowerShell command. This command attempts to access a Paste.ee url to drag a PowerShell script onto the victim’s system and then get a fileless payload.
“The CallByName export function in Visual Basic is used to call the loading of a .NET assembly in memory from a Paste.ee URL,” says Trend Micro. “The loaded assembly, obfuscated with an Agile.NET obfuscator, is hollowing out a legitimate MSBuild.exe process and replacing it with its payload: the hex-encoded Panda Stealer binary from another paste.ee url.”
Once downloaded, Panda Stealer tries to detect keys and addresses associated with cryptocurrency wallets that contain funds, including Ethereum (ETH), Litecoin (LTC), Bytecoin (BCN), and Dash (DASH). In addition, the malware is able to take screenshots, exfiltrate system data and steal information such as browser cookies and login information for NordVPN, Telegram, Discord and Steam accounts.
Although the campaign was not attributed to any specific cyber attackers, Trend Micro led an investigation into the active command-and-control (C2) servers of the malware that the team had found on IP addresses and a virtual private server (VPS ) led. The server is now blocked.
Panda Stealer is a variant of Collector Stealer, malware that has historically been sold on underground forums and telegram channels. The thief seems to have been since then cracked by Russian threat actors under the pseudonym NCP / su1c1de.
The malware trunk cracked is similar but uses different infrastructure elements such as C2 urls and folders.
“Since the cracked Collector Stealer-Builder is openly accessible online, cybercriminals and script kiddies alike can use it to create their own customized version of the stealer and the C2 panel,” the researchers note. “Threat actors can also supplement their malware campaigns with special Collector Stealer functions.”
According to Trend Micro, there are similarities in the chain of attacks and fileless distribution method with the Phobos ransomware. Specifically, the “fair” variant of Phobos, as described by Morphisec, is similar in its dissemination approach and is constantly updated to reduce its footprint, such as reducing the encryption requirements in order to stay under the radar as long as possible.
The researchers also found correlations between Phobos and LockBit in one Report from April 2021.
Previous and Related Reporting
Do you have a tip? Contact us securely via WhatsApp | Signal at +447 713 025 499 or over there at Keybase: charlie0