Panda Stealer – Malware
A new type of malware, dubbed ‘Panda Stealer’ by researchers, is spreading through spam emails and malicious Discord links, and has its sights set firmly on your ever-valuable cryptocurrency. According to Trend Micro, the phishing emails appear as business quote requests, with an XLSM file attached that is loaded with malicious macros.
Excel File Malware
Panda Stealer appears as a harmless XLSM file with macros that, when allowed, download a “loader” that runs the main “stealer” programme. Alternatively, an XLS file can be downloaded whose formula hides a PowerShell command that accesses paste.ee, a Pastebin substitute, to fetch a new PowerShell instruction.
Once launched, Panda Stealer attempts to detect keys, addresses, and other data associated with cryptocurrency transactions and wallets holding funds such as Dash, Bytecoin, Litecoin, and Ethereum.
We are currently unsure whether the most recent cryptocurrency, Chia, is affected. It will also try to steal credentials from NordVPN, Telegram, Discord, and Steam, among other apps. It can take screenshots of the infected device and collect information from browsers such as cookies, passwords, and credit cards.
Clone of Collector Stealer
Panda Stealer appears to be a clone of Collector Stealer, which has a cracked version available for download. Although no specific criminal group has been identified as the source of Panda Stealer, Trend Micro was able to detect an IP address used by the malware for command and control. Once reported, this resulted in the suspension of a leased Shock Hosting virtual server.
Two Approaches the Malware Takes
Panda Stealer’s phishing emails seem to be requests for company quotes. The campaign has been connected to two approaches so far. The first uses attached XLSM documents in which victims must allow malicious macros.
A loader then downloads and runs the main stealer if macros are allowed.
The second chain is connected to an XLS file. An Excel formula in the XLS file hides a PowerShell command. This command tries to access a paste.ee URL in order to download a PowerShell script and then fetch a fileless payload.
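Both delivery chains described above, an XLSM carrying a VBA project and an XLS whose formula hides a PowerShell command reaching paste.ee, can be caught by the same defender-side check: inspect the attachment before it reaches a user. The Python script below is an added example, not Trend Micro's tooling or anything from the campaign itself; the workbook it builds in memory, the indicator list, and the verdict thresholds are all assumptions chosen for illustration.

```python
"""Mail-gateway triage for OOXML workbooks (.xlsm/.xlsx are ZIP containers).

Added example, not code from the article or from Trend Micro.  It checks for
the two traits the article describes: an embedded VBA project, and cell
formulas that reference PowerShell or a paste.ee URL.  The sample workbook
is constructed in memory; the indicator list is an assumption.
"""
import io
import re
import zipfile
from xml.sax.saxutils import escape

# Indicators a defender would flag inside cell formulas or strings (illustrative).
SUSPICIOUS_PATTERNS = [
    re.compile(r"powershell", re.I),
    re.compile(r"paste\.ee", re.I),
    re.compile(r"\bEXEC\(", re.I),                          # Excel 4.0 macro function
    re.compile(r"DownloadString|Invoke-Expression|\bIEX\b", re.I),
]

# Parts of the archive where formulas or text live.
SCANNED_PREFIXES = ("xl/worksheets/", "xl/macrosheets/", "xl/sharedStrings.xml")


def triage_workbook(data: bytes) -> dict:
    """Return findings for a workbook given as raw bytes."""
    findings = {"has_vba": False, "has_xlm_macrosheet": False, "hits": [], "error": None}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy BIFF .xls files are not ZIPs; route those to a BIFF parser instead.
        findings["error"] = "not an OOXML container"
        return findings
    names = zf.namelist()
    findings["has_vba"] = "xl/vbaProject.bin" in names
    findings["has_xlm_macrosheet"] = any(n.startswith("xl/macrosheets/") for n in names)
    for name in names:
        if not name.startswith(SCANNED_PREFIXES):
            continue
        text = zf.read(name).decode("utf-8", errors="replace")
        for pattern in SUSPICIOUS_PATTERNS:
            for match in pattern.finditer(text):
                findings["hits"].append((name, match.group(0)))
    return findings


def verdict(findings: dict) -> str:
    """Map findings to a gateway action (thresholds are an assumption)."""
    if findings["error"]:
        return "error"
    if findings["hits"] or findings["has_xlm_macrosheet"]:
        return "block"
    if findings["has_vba"]:
        return "quarantine"
    return "allow"


def build_sample(with_vba: bool = False, formula: str = "SUM(A1:A2)") -> bytes:
    """Construct a minimal workbook ZIP for testing (constructed, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        sheet = ("<worksheet><sheetData><row><c><f>%s</f></c></row>"
                 "</sheetData></worksheet>") % escape(formula)
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "clean": build_sample(),
        "macro-enabled": build_sample(with_vba=True),
        "paste.ee formula": build_sample(formula="powershell paste.ee/r/PLACEHOLDER"),
    }
    for label, blob in samples.items():
        result = triage_workbook(blob)
        print(f"{label:18s} -> {verdict(result):10s} hits={result['hits']}")
```

The formula check is deliberately crude: a real formula can be split across cells or obfuscated, so treat a string match as a reason to detonate the file in a sandbox rather than as a final verdict, and pair it with the control the article implies, namely not letting users enable macros on documents that arrive by mail.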
Discord Too Under Attack
In addition, VirusTotal discovered 264 related files in its database, calling home to 140 C&C servers and more than 10 download pages, including some on Discord, which could be used to spread the malware between criminals.