‘Panda Stealer’ Targets Cryptocurrency Wallets

See Also: Live Webinar | The Role of Passwords in the Hybrid Workforce

The gang behind the malware, dubbed “Panda Stealer,” starts with emails that appear to be business quote requests to entice recipients to open malicious Excel files, Trend Micro says.

Researchers found that the malware, a modification of Collector Stealer, has targeted victims in the United States, Australia, Japan and Germany.

Infection Chains

Trend Micro identified two infection chains. One uses an .XLSM attachment that contains macros that download a loader, which then downloads and executes the main stealer.

The second infection chain method involves an attached .XLS file containing an Excel formula that uses a PowerShell command to access paste.ee, a Pastebin alternative, which accesses a second encrypted PowerShell command.

“Decoding these PowerShell scripts revealed that they are used to access paste.ee URLs for easy implementation of fileless payloads. The CallByName export function in Visual Basic is used to call the loading of a .NET assembly within memory from a paste.ee URL. The loaded assembly, obfuscated with an Agile.NET obfuscator, hollows a legitimate MSBuild.exe process and replaces it with its payload: the hex-encoded Panda Stealer binary from another paste.ee URL,” according to the Trend Micro researchers.

Stealing Information

Once it’s installed on a device, Panda Stealer can collect private keys and records of past transactions from victim’s digital currency wallets, including Dash, Bytecoin, Litecoin and Ethereum.

“Not only does it target cryptocurrency wallets, it can steal credentials from other applications, such as NordVPN, Telegram, Discord chat app and Steam,” the researchers note. “It’s also capable of taking screenshots of the infected computer and exfiltrating data from browsers, like cookies, passwords and cards.”

After stealing information, the malware stores stolen files in a %TEMP% folder under random file names. The files are…