
Panda Stealer Malware Targets Crypto Wallets through Spam Email Campaign

by CISOCONNECT Bureau

A new information stealer has been discovered that targets cryptocurrency wallets. Read on to know more about it…

A new information stealer has been discovered that targets cryptocurrency wallets and is distributed via spam emails. The malware, named Panda Stealer, has primarily targeted users in the United States, Germany, Australia, and Japan. It is a modified version of the Collector Stealer malware.

The new stealer was discovered in April, according to Trend Micro researchers. The spam campaign’s most recent wave had the greatest effect in Australia, Germany, Japan, and the United States.

Working Mechanism
The Panda Stealer is spreading via spam emails posing as business quote requests in order to trick victims into opening malicious Excel files. The stealer is delivered through two infection chains. In the first, a loader is downloaded, which then executes the main stealer.

The second approach uses an attached .XLS file containing an Excel formula that runs a PowerShell command to reach a Pastebin alternative, paste[.]ee, which in turn retrieves a second, encrypted PowerShell command.

The Trend Micro researchers observed that “Decoding these PowerShell scripts revealed that they are used to access paste.ee URLs for easy implementation of fileless payloads. The CallByName export function in Visual Basic is used to call the loading of a .NET assembly within memory from a paste.ee URL. The loaded assembly, obfuscated with an Agile.NET obfuscator, hollows a legitimate MSBuild.exe process and replaces it with its payload: the hex-encoded Panda Stealer binary from another paste.ee URL.”
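The infection chain described above (Excel spawning PowerShell, PowerShell reaching a paste site, and MSBuild.exe started from a shell rather than a build tool) can be turned into simple process-creation detection rules. The following is an added example, not code from the article or from Trend Micro; the event field names follow Sysmon Event ID 1 conventions and the sample events are constructed, not real telemetry.

```python
import re
from typing import Iterable

# Process names used by the rules; the parent/child pairs are the ones the article's
# infection chain produces (Office -> PowerShell -> paste.ee -> MSBuild.exe hollowing).
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
PASTE_HOSTS = re.compile(r"\bpaste\.ee\b|\bpastebin\.com\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: dict) -> list:
    """Return the names of the rules a process-creation event matches (empty = no hit)."""
    parent = basename(ev.get("ParentImage", ""))
    image = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    hits = []
    # Rule 1: an Office application spawning a scripting host (Excel formula/macro -> PowerShell).
    if parent in OFFICE_PARENTS and image in SHELLS:
        hits.append("office_spawns_shell")
    # Rule 2: a scripting host whose command line references a paste site (fileless staging).
    if image in SHELLS and PASTE_HOSTS.search(cmd):
        hits.append("shell_fetches_paste_site")
    # Rule 3: MSBuild.exe launched by a shell or Office app instead of a build tool
    # (the hollowing target named in the article; devenv/dotnet parents are expected).
    if image == "msbuild.exe" and parent in (SHELLS | OFFICE_PARENTS):
        hits.append("msbuild_spawned_by_shell")
    return hits


def triage(events: Iterable[dict]) -> dict:
    """Map ProcessId -> matched rules for every event that matched at least one rule."""
    return {ev["ProcessId"]: hits for ev in events if (hits := score_event(ev))}


# Constructed sample telemetry (Sysmon Event ID 1-style fields); not real logs.
SAMPLE_EVENTS = [
    {"ProcessId": "1", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden https://paste.ee/r/EXAMPLE_ID"},
    {"ProcessId": "2", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "CommandLine": "MSBuild.exe"},
    {"ProcessId": "3", "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
     "Image": r"C:\Program Files\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": "MSBuild.exe app.csproj"},
]
```

Running `triage(SAMPLE_EVENTS)` flags processes 1 and 2 and leaves the Visual Studio build (process 3) alone; in practice the rules would be fed from an EDR or Sysmon pipeline rather than an inline list.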

On VirusTotal, researchers discovered 264 files that were identical to Panda Stealer, some of which had been posted on Discord. In addition, to evade detection, the stealer uses the same fileless distribution method as the “Fair” variant of the Phobos ransomware.

After the Panda Stealer is deployed, it attempts to steal information such as past transactions and private keys from cryptocurrency wallets such as Bytecoin, Dash, Ethereum, and Litecoin.

It has the ability to steal credentials from applications like NordVPN, Telegram, Steam, and Discord. The Panda Stealer also has the capability to take screenshots of the infected system and steal cookies and passwords from web browsers.

Resemblance to Collector Stealer
The Panda Stealer is actually a revamped version of Collector Stealer (aka DC Stealer), which can be purchased for $12 on underground forums and Telegram. It is billed as a top-end stealer and has a Russian-language interface.

A hacker known as NCP (aka su1c1de) cracked the Collector Stealer. That stealer and Panda behave similarly, but their C2 URLs, build tags, and execution folders differ. Both Panda Stealer and Collector Stealer exfiltrate information such as web data, cookies, and login data from a compromised system and store it in a SQLite3 database.

Trend Micro reported: “Comparing the compiled executables of the cracked Collector Stealer and Panda Stealer shows that the two behave similarly, but have different C2 URLs, build tags, and execution folders.”

“Like Panda Stealer, Collector Stealer exfiltrates information such as cookies, login data, and web data from a compromised computer, storing them in an SQLite3 database. It also covers its tracks by deleting its stolen files and activity logs after its execution.”

According to the researchers, a Collector Stealer builder is freely available online and can be used to build a customized version. The researchers noted that “Threat actors may also augment their malware campaigns with specific features from Collector Stealer. We have also discovered that Panda Stealer has an infection chain that uses the same fileless distribution method as the ‘Fair’ variant of Phobos ransomware to carry out memory-based attacks, making it more difficult for security tools to spot.”

Concluding Words
To make Panda Stealer more powerful, the threat actors added new features to the existing Collector Stealer malware, which makes it harder for organizations to detect and identify. Hence, organizations are advised to use behavior-based solutions to detect malicious files and spam emails, and to block malicious URLs.
