A new type of malware – Panda Stealer – is spreading through a spam campaign globally. Trend Micro researchers reported on Tuesday that they first encountered the latest stealer in April. In Australia, Germany, Japan, and the USA, the latest surge of the spam campaign seems to have the greatest effects.
The spam emails hide and click booby-trapped Excel files as nothing more than a business quote application to attract victims. Researchers found 264 Panda Stealer-like files with Virus Total, some of which are exchanged by threat actors operating via Discord.
Given recent developments, this isn’t shocking. The cybersecurity team in Cisco’s Talos noticed recently that some threat actors are using workflow and communication resources such as Slack and Discord to sneak past safety and provide robbers, remote access trojans (RATs), and malware. Now again, the threatening actors may use Discord to share the Panda Stealer.
If Panda becomes confident, it attempts to acquire information like private clues and past crypto-currency wallet activities such as Bytecoin (BCN), Dash (DASH), Ethereum (ETH), and Litecoin (LTC). It may also filter applications such as NordVPN, Telegram, Discord, and Steam in addition to stealing wallets. Panda could also take screenshots and swipe browser info, including cookies and passwords, through infected computers.
The scientists found out two ways in which spam infects victims: An.XLSM attachment contains macros in one infection chain, which installs a loader that executes the criminal. An .XLS attachment including an Excel formula is also used in another infection chain to enable the instruction PowerShell to access paste.ee, a Pastebin alternative which in turn is secondary encryption for PowerShell command.
“The CallByName export function in Visual Basic is used to call a load of a .NET assembly within memory from a paste.ee URL,” Trend Micro says. “The loaded assembly, obfuscated with an Agile.NET obfuscator, hollows a legitimate MSBuild.exe process and replaces it with its payload: the hex-encoded Panda Stealer binary from another paste.ee URL.”
Panda Stealer is a modification to the DC Stealer malware Collector, that has been sold for as little as $12 on a hidden marketplace and via telegraph. It is announced as a “top-end information stealer” and also has a Russian connection. The Collector Stealer was broken by a threat actor, NCP, identified as su1c1de. The cracked stealer as well as the Panda Stealer act likewise but do not share the very same URLs, tags, or execution files.
“Cybercriminal groups and script kiddies alike can use it to create their customized version of the stealer and C2 panel,” Trend Micro researchers said. “Threat actors may also augment their malware campaigns with specific features from Collector Stealer.”
Trend Micro says that there are parallels to Phobos Ransomware in the attack chain. In particular, in its distribution method, the Phobos “Fair” version, as defined by Morphisec, is identical and is continuously being revised to cut down on its footprint, for example, to reduce encryption criteria, to remain underneath the radar as long as possible.