A new cryptocurrency stealer that hijacks victims’ funds and VPN credentials is being spread in a global spam campaign, with Discord serving as one distribution channel, Trend Micro researchers said this week.
The malware, dubbed Panda Stealer, has been targeting individuals in various countries including the US, Japan, Australia, and Germany.
Attackers distribute the malware via phishing emails. VirusTotal indicates that executables are hosted on malicious websites and shared via links on Discord. The phishing emails spreading Panda Stealer are disguised as requests for a quote. The threat actor delivers payloads using two methods: .XLSM documents that require victims to enable malicious macros, and .XLS files containing an Excel formula that hides a PowerShell command. This command attempts to reach a paste.ee URL, download a PowerShell script, and then retrieve a fileless payload.
“The CallByName export function in Visual Basic is used to call the load of a .NET assembly within memory from a paste.ee URL,” Trend Micro says. “The loaded assembly, obfuscated with an Agile.NET obfuscator, hollows a legitimate MSBuild.exe process and replaces it with its payload: the hex-encoded Panda Stealer binary from another paste.ee URL.”
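A defender-side illustration of the chain above, added here and not part of the Trend Micro report: a small Python detector that flags the Office-to-PowerShell, paste.ee-fetch and MSBuild-from-script-host steps in constructed process-creation events. The event field names, sample paths, command lines and URL are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class ProcEvent:
    """Constructed process-creation event; fields loosely mirror Sysmon Event ID 1."""
    parent_image: str
    image: str
    command_line: str

PASTE_SITE = re.compile(r"paste\.ee", re.IGNORECASE)
OFFICE_APPS = {"excel.exe", "winword.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

def _base(path: str) -> str:
    """Lower-cased file name of a Windows path, so rules ignore install location."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(ev: ProcEvent) -> List[str]:
    """Return the names of the rules that match one event."""
    parent, child, cmd = _base(ev.parent_image), _base(ev.image), ev.command_line
    hits = []
    # Stage 1: an Office document (macro or XLS formula) spawning PowerShell.
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        hits.append("office_spawns_powershell")
    # Stage 2: PowerShell whose command line points at paste.ee.
    if child in SCRIPT_HOSTS and PASTE_SITE.search(cmd):
        hits.append("powershell_fetches_paste_ee")
    # Stage 3: MSBuild.exe started by a script host or Office app rather than a
    # build tool, the parent/child shape a hollowed MSBuild.exe leaves in telemetry.
    if child == "msbuild.exe" and parent in SCRIPT_HOSTS | OFFICE_APPS:
        hits.append("msbuild_from_script_host")
    return hits

def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Run every rule over the events; returns (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]

# Constructed sample telemetry (not from the campaign); the URL is a placeholder.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", OFFICE, "EXCEL.EXE quote_request.xls"),
    ProcEvent(OFFICE, PS, "powershell.exe -w hidden https://paste.ee/r/PLACEHOLDER"),
    ProcEvent(PS, MSBUILD, "MSBuild.exe"),
    ProcEvent(r"C:\Program Files\Microsoft Visual Studio\devenv.exe", MSBUILD, "MSBuild.exe app.csproj"),
]
```

Running `detect(SAMPLE_EVENTS)` flags the second event twice (Office parent, paste.ee URL) and the third once (MSBuild under PowerShell), while the legitimate Visual Studio build in the last event stays quiet.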
Panda Stealer monitors for cryptocurrency wallet keys and addresses, which the attackers can then use to steal funds in various cryptocurrencies, including Ethereum (ETH), Litecoin (LTC), Bytecoin (BCN), and Dash (DASH).
The malware can also take screenshots, steal information like browser cookies and credentials for NordVPN, Telegram, Discord, and Steam accounts, and exfiltrate system data.
The examination of the malware’s active command-and-control (C2) servers revealed IP addresses and a virtual private server (VPS) rented from Shock Hosting. The servers have been suspended since the discovery.
Trend Micro researchers could not attribute the campaign to a specific cyberattacker. However, Panda Stealer is a variant of Collector Stealer, sold on underground forums and in Telegram channels. The stealer has been cracked by NCP/su1c1de, a Russian hacker group.
“Because the cracked Collector Stealer builder is openly accessible online, cybercriminal groups and script kiddies alike can use it to create their own customized version of the stealer and C2 panel,” the researchers noted. “Threat actors may also augment their malware campaigns with specific features from Collector Stealer.”
In addition, Trend Micro researchers noted similarities between this campaign’s attack chain and fileless distribution method and those used by Phobos ransomware.