Panda Stealer Emerges on the Scene, Becoming the Newest Discovered Crypto-Stealer
This past Tuesday, researchers at Trend Micro have reported a new information stealer, named “Panda Spreader,” that is being spread through a worldwide spam campaign. Masquerading as business-quote requests, the emails attempt to lure victims into clicking malware-laced Excel files. Researchers also found over two-hundred files similar to Panda Stealer on VirusTotal, with some being spread by threat actors on Discord.
Once downloaded, Panda Stealer then tries to steal private keys and past transactions from cryptocurrency wallets, including Bytecoin (BCN), Dash (DASH), Ethereum (ETH) and Litecoin (LTC). Beyond stealing wallets, it can also filch credentials from applications, including NordVPN, Telegram, Discord and Steam. Panda Stealer can also take screenshots of the infected computer and swipe data from browsers, including cookies and passwords.
The researchers discovered two ways that the spam infects victims: In one infection chain, an .XLSM attachment contains macros that download a loader, which executes the main stealer. In another infection chain, an .XLS attachment containing an Excel formula triggers a PowerShell command to access paste.ee, a Pastebin alternative that in turn accesses a second encrypted PowerShell command.
Panda Stealer is a tweak of the malware Collector Stealer, also known as DC Stealer, which has been found selling on an underground forum and via Telegram for as little as $12. It is advertised as a “top-end information stealer” and has a Russian interface.
A threat actor called NCP, also known as su1c1de, has cracked Collector Stealer. The cracked stealer and Panda Stealer behave similarly, but they do not share the same command-and-control (C2) URLs, build tags or execution folders. But both exfiltrate information like cookies, login data and web data from a compromised computer, storing them in an SQLite3 database.
The cracked Collector Stealer is freely available online, meaning that it is easy to get it, tweak it and let it run.
Besides cribbing from Collector Stealer, Panda Stealer has borrowed from another piece of malware: Namely, it uses the same fileless distribution method as the “Fair” variant of Phobos ransomware to slip past detection. In other words, it runs in memory after initial infection, instead of storing files on the hard drive. Panda drops files in targeted systems’ Temp folders, storing stolen information under randomized file names. Then, it exfiltrates the stolen data and sends it to a C2 server. When analyzing that C2 server, researchers were led to a login page for “熊猫Stealer,” which translates to “Panda Stealer,” though they found more domains that share that same login page.
Researchers found 14 victims listed on the logs for one of those servers. They also found an IP address that they think the threat actor was using: It was hosted on a virtual private server (VPS) rented from Shock Hosting that had been compromised for testing purposes. After researchers reported their find to Shock Hosting, it suspended the server.