Connect with us

Business

Panda Stealer: Spreading via Spam Emails and Discord

Published

on

A new information stealer has been discovered that is being delivered via spam emails and targets cryptocurrency wallets. This threat is named Panda Stealer and was observed mostly targeting users in the U.S, Germany, Australia, and Japan. The stealer is a modified variant of the Collector Stealer.

What has happened?

According to Trend Micro researchers, the new stealer was discovered in April. The most recent wave of the spam campaign had the biggest impact on Australia, Germany, Japan, and the U.S.

  • The stealer is spreading via spam emails masquerading as business quote requests to fool victims into clicking on malicious Excel files. Two infection chains are spreading the stealer.
  • The first one has an ‘.XLSM’ attachment with malicious macros that download a loader. Next, the loader downloads and executes the main stealer.
  • The second method involves an attached .XLS file with an Excel formula that uses a PowerShell command to access a Pastebin alternative, paste[.]ee, that accesses the second encrypted PowerShell command.

Additional insights

  • Researchers found 264 files similar to Panda Stealer on VirusTotal and some of them were being shared on Discord.
  • In addition, the stealer uses the fileless distribution method of the Fair variant of the Phobos ransomware to avoid detection.

Post-infection activities

Once Panda Stealer is successfully deployed, it tries to steal information such as past transactions from cryptocurrency wallets, including Bytecoin, Dash, Ethereum, and Litecoin, along with private keys.

  • Moreover, it can steal credentials from applications, such as NordVPN, Telegram, Steam, and Discord.
  • It can take screenshots of the infected system and swipe cookies and passwords from browsers.

Similarities with Collector Stealer

Panda Stealer is a modified version of Collector Stealer (aka DC Stealer) that is available on underground forums and Telegram for the price tag of $12. It’s promoted as a top-end stealer and comes with a Russian interface.

  • A threat actor named NCP (aka su1c1de) has cracked Collector Stealer. That stealer and Panda appear to behave similarly, however they don’t share the same C2 URLs, build tags, or execution folders.
  • Moreover, both Panda Stealer and Collector Stealer exfiltrate information such as web data, cookies, and login data from a compromised system and store them in an SQLite3 database.

Conclusion

Cybercriminals modified the existing Collector Stealer malware by adding new features to make Panda Stealer more efficient. This makes it harder for organizations to detect and spot this malware. Therefore, organizations are recommended to use behavior-based solutions that detect malicious files and spam emails and block malicious URLs.

Source: https://cyware.com/news/panda-stealer-spreading-via-spam-emails-and-discord-938b2335

Advertisement
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO