Panda Stealer is After Your Cryptocurrencies – Be Aware

Panda Stealer – Malware

A new type of malware, dubbed ‘Panda Stealer’ by researchers, is spreading through spam emails and malicious Discord links, and has its sights set firmly on your ever valuable cryptocurrency. According to Trend Micro, the phishing emails appear as business quote requests, with an XLSM file attached that’s loaded with malign macros. 

Excel File Malware

Panda Stealer arrives as an apparently harmless XLSM file whose macros, once enabled, download a “loader” that runs the main “stealer” programme. Alternatively, an XLS file may be delivered that contains a formula hiding a PowerShell command which reaches out to paste.ee.

Currencies Affected

The command retrieves a further PowerShell instruction from paste.ee, a Pastebin substitute. Once launched, Panda Stealer attempts to detect keys, addresses, and other data associated with cryptocurrency transactions and with wallets holding funds such as Dash, Bytecoin, Litecoin, and Ethereum.

We are currently unsure whether the most recent cryptocurrency, Chia, is affected. The malware will also try to steal credentials from NordVPN, Telegram, Discord, and Steam, among other apps. It can take screenshots of the infected device and collect browser data such as cookies, passwords, and credit card details.

Panda Stealer Steals cryptocurrencies

Clone of Collector Stealer

Panda Stealer appears to be a clone of Collector Stealer, which has a cracked version available for download. Although no specific criminal group has been identified as the source of Panda Stealer, Trend Micro was able to detect an IP address used by the malware for command and control. Once it was reported, the leased Shock Hosting virtual server behind that address was suspended.

Two Approaches the Malware Takes

Panda Stealer’s phishing emails seem to be requests for company quotes. The campaign has been connected to two infection chains so far. The first uses an attached XLSM document; victims must enable its malicious macros for the attack to proceed.

A loader then downloads and runs the main stealer if macros are allowed. 

The second chain uses an XLS file in which an Excel formula hides a PowerShell command. This command reaches out to a paste.ee URL to download a PowerShell script, which in turn fetches a fileless payload.
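Both chains above hinge on two traits a mail gateway or analyst can check for before a user ever opens the attachment: an embedded VBA macro project, and a cell formula that invokes PowerShell or points at a paste site such as paste.ee. The following triage script is an added example written for this article; it is not Trend Micro's or any vendor's tooling. It assumes the attachment is a zip-based OOXML workbook (.xlsm/.xlsx, where macros live in `xl/vbaProject.bin` and formulas sit in `<f>` elements of the sheet XML); a legacy binary .xls is not a zip and would need an OLE parser such as oletools instead, which the script reports rather than guesses at. The sample workbooks it builds are constructed for offline testing, not real captures.

```python
"""Triage an Office attachment for the two Panda Stealer delivery traits:
an embedded VBA macro project and a formula that invokes PowerShell or
fetches a paste-site URL. Added example, not vendor code; assumes a
zip-based OOXML workbook. Legacy binary .xls needs an OLE parser instead."""
import io
import re
import zipfile

# Indicators taken from the article: a macro project, PowerShell, paste.ee.
MACRO_PART = "xl/vbaProject.bin"
FORMULA_RE = re.compile(r"<f[^>]*>(.*?)</f>", re.IGNORECASE | re.DOTALL)
SUSPICIOUS_RE = re.compile(r"powershell|paste\.ee", re.IGNORECASE)


def triage_workbook(data: bytes) -> dict:
    """Inspect workbook bytes; return macro presence and any flagged formulas."""
    findings = {"has_macro": False, "suspicious_formulas": [], "error": None}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not OOXML: could be a legacy .xls (OLE) or simply not a workbook.
        findings["error"] = "not a zip-based workbook; use an OLE parser for .xls"
        return findings
    with zf:
        names = zf.namelist()
        findings["has_macro"] = MACRO_PART in names
        for name in names:
            # Worksheet parts are where cell formulas are stored.
            if not (name.startswith("xl/worksheets/") and name.endswith(".xml")):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            for formula in FORMULA_RE.findall(xml):
                if SUSPICIOUS_RE.search(formula):
                    findings["suspicious_formulas"].append((name, formula))
    return findings


def verdict(findings: dict) -> str:
    """Collapse findings into clean / suspicious / unknown for a gateway rule."""
    if findings["error"]:
        return "unknown"
    if findings["has_macro"] or findings["suspicious_formulas"]:
        return "suspicious"
    return "clean"


def build_sample(with_macro: bool, formula: str) -> bytes:
    """Construct a minimal workbook-shaped zip for offline testing.
    Constructed sample, not a real attachment; the macro part is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        if with_macro:
            zf.writestr(MACRO_PART, b"\x00placeholder vba project\x00")
        sheet = ('<worksheet><sheetData><row r="1"><c r="A1"><f>%s</f><v>0</v></c>'
                 '</row></sheetData></worksheet>' % formula)
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "plain workbook": build_sample(False, "SUM(A2:A9)"),
        "macro-enabled workbook": build_sample(True, "SUM(A2:A9)"),
        "paste.ee formula": build_sample(False, 'HYPERLINK("https://paste.ee/placeholder")'),
        "legacy .xls header": b"\xd0\xcf\x11\xe0",
    }
    for label, data in samples.items():
        print(f"{label:25s} -> {verdict(triage_workbook(data))}")
```

Run stand-alone it prints a verdict for each constructed sample. The regexes are deliberately narrow (only the indicators this article names); a production rule would extend `SUSPICIOUS_RE` with other paste sites and hosting patterns, and treat any `has_macro` hit on an unsolicited "quote request" as enough to quarantine, since the first chain needs nothing beyond the user enabling macros.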

Discord too Under Attack

Beyond that one server, VirusTotal holds 264 related files in its database, calling home to 140 C&C servers and more than 10 download sites, some of them on Discord, which criminals can use to pass malware among themselves.
