There is new malware targeting digital wallets that spreads through spam emails and Discord channels. The malware, called Panda Stealer, has primarily targeted victims in the United States, Germany, Japan and Australia.
The malware was first discovered by the security company Trend Micro. In a recent blog post, the Tokyo-based company revealed that Panda Stealer is being distributed via spam emails masquerading as business quotes in an attempt to trick unsuspecting victims into opening malicious Excel files.
The security company said the malware has two infection chains. In the first, the criminals attach an .XLSM document that contains malicious macros. Once the victim enables the macros, they download the main stealer and execute it.
In the second infection chain, the spam emails carry an .XLS attachment containing an Excel formula that hides a PowerShell command. This command attempts to reach Paste.ee, a Pastebin alternative, which in turn serves a second, encrypted PowerShell command. According to Trend Micro, this second command is used to fetch URLs from paste.ee so that fileless payloads can be deployed easily.
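The second infection chain described above leaves a recognisable trace on the endpoint: an Office process (here Excel) starting PowerShell, with a command line that refers to paste.ee. The following detection logic is an added example written for this article, not code from Trend Micro or from the Panda Stealer analysis; the key=value event format, the file paths and the sample process-creation events are constructed, and the paste.ee URL in them is a placeholder.

```python
"""Flag process-creation events where an Office application spawns PowerShell,
and raise the severity when the command line references paste.ee (the pattern
of the Excel-formula infection chain). Event format and samples are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Parent/child pairs of interest (lower-cased executable names).
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe"}
PASTE_HOST = re.compile(r"paste\.ee", re.IGNORECASE)

# Constructed events in a simple key="value" format, similar to what an EDR
# or a Sysmon event-1 forwarder might emit. Paths and IDs are placeholders.
SAMPLE_EVENTS = [
    r'ts="2021-05-10T09:12:01Z" parent="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe -w hidden <redacted> https://paste.ee/r/EXAMPLE"',
    r'ts="2021-05-10T09:15:44Z" parent="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe -File C:\Users\alice\report.ps1"',
    r'ts="2021-05-10T09:20:10Z" parent="C:\Windows\explorer.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe"',
    r'ts="2021-05-10T09:22:30Z" parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe"',
]

KV = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Finding:
    ts: str
    reason: str
    severity: str  # "medium" or "high"


def parse_event(line: str) -> dict:
    """Turn one key="value" line into a dict; unknown keys are kept as-is."""
    return {key: value for key, value in KV.findall(line)}


def basename(path: str) -> str:
    """Executable name from a Windows or POSIX path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> Optional[Finding]:
    """Return a Finding for Office -> PowerShell, high severity if paste.ee appears."""
    parent = basename(event.get("parent", ""))
    image = basename(event.get("image", ""))
    cmdline = event.get("cmdline", "")
    if parent not in OFFICE_PARENTS or image not in SHELL_CHILDREN:
        return None
    if PASTE_HOST.search(cmdline):
        return Finding(event.get("ts", ""), f"{parent} spawned {image} referencing paste.ee", "high")
    return Finding(event.get("ts", ""), f"{parent} spawned {image}", "medium")


def scan(lines) -> list:
    """Run score_event over every line and collect the non-empty findings."""
    findings = []
    for line in lines:
        finding = score_event(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.ts} {finding.reason}")
```

Office spawning PowerShell is not malicious on its own (the second sample, a local script, is only medium severity), so the rule keeps two tiers: any Office-to-PowerShell launch is worth a look, and one that reaches a paste site is the combination this campaign relies on. On a real estate the parent/child sets would come from the organisation's own baseline rather than the three names used here.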
“Once installed, Panda Stealer can collect details such as private keys and records of past transactions from its victim’s various digital wallets, including Dash, Bytecoin, Litecoin and Ethereum,” the company noted.
However, the malware is not limited to digital wallets. It steals credentials for other applications like Telegram, NordVPN, Discord, and Steam. It is also capable of taking screenshots of the infected computer and capturing and transmitting data from browsers such as cookies and passwords.
Trend Micro found another 264 files on VirusTotal that are similar to Panda Stealer. More than 140 command-and-control (C&C) servers and more than 10 download sites were used by these samples.
It concluded, “Some of the download sites were from Discord and had files with names like ‘build.exe,’ which suggests that threat actors could use Discord to share the Panda Stealer build.”
Security researchers have linked the Panda Stealer malware campaign to an IP address assigned to virtual private servers rented from Shock Hosting. However, the hosting company claimed that the server it assigned that particular address has since been banned.
Panda Stealer is a modified version of Collector Stealer, a strain of malware known to sell on underground forums for just $12. Also known as DC Stealer, the malware is advertised as a top-notch information stealer.
Trend Micro believes that Panda Stealer is related to Collector Stealer. The researchers stated, “Cybercriminal groups and script kiddies alike can use it to create their own customized version of the stealer and C2 panel. Threat actors can also supplement their malware campaigns with certain functions of Collector Stealer.”