A new information stealer has been discovered that is being delivered via spam emails and targets cryptocurrency wallets. This threat is named Panda Stealer and was observed mostly targeting users in the U.S, Germany, Australia, and Japan. The stealer is a modified variant of the Collector Stealer.

The Spread

  • The stealer is spreading via spam emails masquerading as business quote requests to fool victims into clicking on malicious Excel files. Two infection chains are spreading the stealer.
  • The first one has an ‘.XLSM’ attachment with malicious macros that download a loader. Next, the loader downloads and executes the main stealer.
  • The second method involves an attached .XLS file with an Excel formula that uses a PowerShell command to access a Pastebin alternative, paste[.]ee, that accesses the second encrypted PowerShell command.

Additional insights

  • Researchers found 264 files similar to Panda Stealer on VirusTotal and some of them were being shared on Discord.
  • The stealer uses the fileless distribution method of the Fair variant of the Phobos ransomware to avoid detection.

Post-infection activities

Once Panda Stealer is successfully deployed, it tries to steal information such as past transactions from cryptocurrency wallets, including Bytecoin, Dash, Ethereum, and Litecoin, along with private keys.

  • Moreover, it can steal credentials from applications, such as NordVPN, Telegram, Steam, and Discord.
  • It can take screenshots of the infected system and swipe cookies and passwords from browsers.

Similarities with Collector Stealer

Panda Stealer is a modified version of Collector Stealer (aka DC Stealer) that is available on underground forums and Telegram for the price tag of $12. It’s promoted as a top-end stealer and comes with a Russian interface.

  • A threat actor named NCP (aka su1c1de) has cracked Collector Stealer. That stealer and Panda appear to behave similarly, however they don’t share the same C2 URLs, build tags, or execution folders.
  • Both Panda Stealer and Collector Stealer exfiltrate information such as web data, cookies, and login data from a compromised system and store them in an SQLite3 database.

Final Thoughts

Cybercriminals modified the existing Collector Stealer malware by adding new features to make Panda Stealer more efficient. This makes it harder for organizations to detect and spot this malware. Therefore, organizations are recommended to use behavior-based solutions that detect malicious files and spam emails and block malicious URLs.