Panda Stealer Targets Crypto Wallets

A new information stealer is going after cryptocurrency wallets and credentials for applications including NordVPN, Telegram, Discord, and Steam.

Panda Stealer uses spam emails and the same hard-to-detect fileless distribution method deployed by a recent Phobos ransomware campaign discovered by Morphisec.

The attack campaign appears to be primarily targeting users in Australia, Germany, Japan, and the United States.

Panda Stealer was discovered by Trend Micro at the start of April. Threat researchers have identified two infection chains being used by the campaign.

They said: “In one, an .XLSM attachment contains macros that download a loader. Then, the loader downloads and executes the main stealer. 

“The other infection chain involves an attached .XLS file containing an Excel formula that utilizes a PowerShell command to access paste.ee, a Pastebin alternative, that accesses a second encrypted PowerShell command.”

Once installed, Panda Stealer can collect details like private keys and records of past transactions from its victim’s various digital currency wallets, including Dash, Bytecoin, Litecoin, and Ethereum.

Other cards up Panda’s sleeve are the ability to take screenshots of the infected computer and the power to exfiltrate data from browsers, like cookies, passwords, and cards.

Researchers linked the campaign to an IP address assigned to a virtual private server rented from Shock Hosting. Shock Hosting said that the server assigned to this address has been suspended. 

Panda Stealer was determined to be a variant of Collector Stealer, cracked by Russian threat actor NCP, also known as su1c1de. 

“Because the cracked Collector Stealer builder is openly accessible online, cybercriminal groups and script kiddies alike can use it to create their own customized version of the stealer and C&C panel,” noted researchers.

While the two stealers behave similarly, they have different command and control server URLs, build tags, and execution folders.

CTO Michael Gorelik, who heads the threat intelligence team for Morphisec, has seen the number of infostealers shoot up since the Emotet network was disrupted.

When analyzing the different types of attacks Morphisec detected across seven million enterprise endpoints over the last 12 months, Gorelik found that infostealers made up the highest percentage of attempted endpoint attacks (31%). 

Leave a Reply