Cryptocurrency Stealer Panda Stealer Spreads Malware Through Phishing Emails, Discord Servers

Sophie Webster, Tech Times 05 May 2021, 10:05 am

A new cryptocurrency stealer variant has been discovered, and it is being spread through a global spam campaign and through Discord servers.

Panda Stealer Phishing Email

Named Panda Stealer, researchers from Trend Micro said that the malware has been found targeting people across countries, including Australia, US, Japan, and Germany, according to ZDNet.

The malware starts its infection chain through phishing emails. Samples that are uploaded to VirusTotal also shows that victims have been downloading executables from malicious websites through Discord links.

Panda Stealer's phishing emails pretend to be business quote requests so that users will click them. Two methods have been linked to the campaign: the first one uses attached .XLSM documents that need the victims to enable malicious macros.

Also Read: PayPal to Start Accepting Cryptocurrencies as Payments Moving Forward

If macros are permitted, a loader downloads and executes the main stealer.

Meanwhile, in the second chain, an attached .XLS file has an Excel formula that hides a PowerShell command. The command attempts to access a paste.ee URL to pull a PowerShell script to the system of the victim and to grab a fileless payload.

Trend Micro stated that the CallByName export function in Visual Basic is used to call the load of a .NET assembly within memory from a paste.ee URL.

They added that the loaded assembly, obfuscate with an Agile.NET obfuscator, hollows a legitimate MSBuild.exe process and replaces it with its payload: the hex-encoded Panda Stealer binary from another paste.ee URL.

As soon as it's downloaded, Panda Stealer will attempt to detect keys and addresses linked with cryptocurrency wallets holding funds.

Also, the malware is able to take screenshots, exfiltrate the system data, and steal information including browser cookies and credentials for NordVPN, Telegram, Steam accounts, and Discord.

While the campaign has not been attributed to specific cyberattackers. Trend Micro said that an examination of the malware's active command-and-control or C2 servers led the team to IP addresses and a virtual private server or VPS rented from Shock Hosting.

The server has since been suspended.

Panda Stealer malware

Panda Stealer is a variant of Collector Stealer, malware that has been sold in the past on underground forums and through Telegram channels. The stealer has since appeared to have been cracked by Russian threat actors going under the alias NCP/su1c1de.

The cracked malware is the same, but it uses different infrastructure elements like C2 URLs and folders.

The researchers note that because the cracked Collector Stealer builder is openly accessible online, cybercriminal groups and script composers alike can use it to make their own customized version of the stealer and C2 panel.

Furthermore, the researchers added that threat actors may also augment their malware campaigns with specific features from Collector Stealer.

Trend Micro stated that there are similarities in the attack chain and fileless distribution method to Phobos ransomware.

Specifically, as described by Morphisec, the Fair variant of Phobos is the same in its distribution approach and is being constantly updated to reduce its footprint, like reducing encryption requirements, in order to stay under the radar for as long as possible.

The researchers also noted the similarities between Phobos and LockBit in its blog report published in April 2021.