11-22-2024
BSV
$68.26
Vol 163.19m
-10.92%
BTC
$99489
Vol 95898.05m
2.46%
BCH
$495.78
Vol 1531.89m
-5.76%
LTC
$89.96
Vol 1213.45m
0.19%
DOGE
$0.39
Vol 9962.15m
2.56%
Getting your Trinity Audio player ready...

There’s a new malware that’s targeting digital currency wallets, spreading through spam emails and Discord channels. The malware, dubbed Panda Stealer, has mostly targeted victims in the U.S., Germany, Japan and Australia.

Security company Trend Micro was the first to detect the malware. In a recent blog post, the Tokyo-based firm revealed that Panda Stealer is delivered through spam emails posing as business quotes to lure unsuspecting victims into opening malicious Excel files.

The malware has two infection chains, the security company revealed. In the first, the criminals attach a .XLSM document that contains malicious macros. Once the victim enables the macros, the malware downloads and executes the main stealer.

In the second infection chain, the spam emails come with a .XLS attachment containing an Excel formula that hides a PowerShell command. This command attempts to access paste.ee, a Pastebin alternative, that in turn accesses a second encrypted PowerShell command. According to Trend Micro, this command is used to access URLs from paste.ee for easy implementation of fileless payloads.

“Once installed, Panda Stealer can collect details like private keys and records of past transactions from its victim’s various digital currency wallets, including Dash, Bytecoin, Litecoin, and Ethereum,” the company noted.

The malware doesn’t limit itself to digital currency wallets, however. It steals credentials to other applications such as Telegram, NordVPN, Discord and Steam. It’s also capable of taking screenshots of the infected computer and capturing and transmitting data from browsers like cookies and passwords.

Trend Micro found another 264 files similar to Panda Stealer on VirusTotal. Over 140 command and control (C&C) servers and over 10 downloaded sites were used by these samples.

It concluded, “Some of the download sites were from Discord, containing files with names such as “build.exe,” which indicates that threat actors may be using Discord to share the Panda Stealer build.”

Security researchers have linked the Panda Stealer malware campaign to an IP address assigned to virtual private servers rented from Shock Hosting. However, the hosting company claimed that the server it had assigned to this particular address has since been suspended.

Panda Stealer is a tweak of Collector Stealer, a malware strain that has been known to go for as little as $12 on underground forums. Also known as DC Stealer, the malware is advertised as a top-end information stealer.

Trend Micro believes Panda Stealer is related to Collector Stealer. The researchers stated, “Cybercriminal groups and script kiddies alike can use it to create their own customized version of the stealer and C2 panel. Threat actors may also augment their malware campaigns with specific features from Collector Stealer.”

Recommended for you

David Case gets technical with Bitcoin masterclass coding sessions
Whether you're a coding pro or a novice, David Case's livestream sessions on the X platform are not to be...
November 21, 2024
NY Supreme Court’s ruling saves BTC miner Greenidge from closing
However, the judge also ruled that Greenidge must reapply for the permit and that the Department of Environmental Conservation has...
November 20, 2024
Advertisement
Advertisement
Advertisement