Panda Stealer targets cryptocurrency wallets and VPN credentials via malicious XLS attachment

This latest attack also steals credentials from Telegram, Discord and Steam, according to a Trend Micro analysis.

concept-of-malware-notification-or-error-red-alert-warning-of-spam-vector-id1142226935.jpg

Image: iStockPhoto/danijelala

Bad actors put a new twist on an existing piece of malware to steal private keys for cryptocurrency accounts and other account credentials, according to analysis from Trend Micro. The entry point is a spam email that contains a request for a quote for business services and malicious Excel files.

Panda Stealer uses a fileless approach and looks for private keys and records of previous transactions from cryptocurrency wallets including Dash, Bytecoin, Litecoin and Ethereum, according to Trend Micro. The malware also steals credentials from other apps such as NordVPN, Telegram, Discord and Steam. 

SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)

Trend Micro analysts Monte de Jesus, Fyodor Yarochkin and Paul Pajares explained the latest variant of CollectorStealer in a blog post. The analysts identified two infection chains:

  • An XLSM attachment that contains macros that download a loader, which executes the stealer 
  • An XLS file that contains an Excel formula that uses a PowerShell command to access paste.ee, which access a second encrypted PowerShell command

The analysts describe the attack this way:

"Decoding these PowerShell scripts revealed that they are used to access paste.ee URLs for easy implementation of fileless payloads. The CallByName export function in Visual Basic is used to call the load of a .NET assembly within memory from a paste.ee URL. The loaded assembly, obfuscated with an Agile.NET obfuscator, hollows a legitimate MSBuild.exe process and replaces it with its payload: the hex-encoded Panda Stealer binary from another paste.ee URL."

In addition to stealing data, the malware can take screenshots to capture data from browsers such as cookies, passwords and cards. The Trend Micro analysts report that the U.S., Australia, Japan and Germany were the biggest targets in this recent spam attack.

Morphisec's recent analysis also discovered that Panda Stealer has an infection chain that uses the same fileless distribution method as the "Fair" variant of Phobos ransomware to carry out memory-based attacks. This tactic makes it more difficult for security tools to spot the infection.

Trend Micro reports that Panda Stealer is a variant of Collector Stealer. The two pieces of malware operate similarly but have different command and control URLs, build tags and execution folders. Collector Stealer "covers its tracks by deleting stolen files and activity logs," according to Trend Micro.

CollectorStealer harvests passwords, cookies, credit card details, .dat and .wallet files from cryptocurrency wallets, Discord and Telegram sessions, Steam files, two-factor authenticator sessions and information from autofill forms and passwords from certain browsers, according to PCRisk. People whose computers are infected with this malware can lose access to bank accounts, social media and email accounts. Bad actors also use this access to spread the malware to other computers. 

Also see

By Veronica Combs

Veronica Combs is a senior writer at TechRepublic. For more than 10 years, she has covered technology, healthcare, and business strategy. In addition to her writing and editing expertise, she has managed small and large teams at startups and establis...