New Crypto-Stealer ‘Panda’ Spread via Discord

Crypto-Stealer Panda security

PandaStealer is delivered in rigged Excel files masquerading as business quotes, bent on stealing victims’ cryptocurrency and other info.

Yet another new information stealer – Panda Stealer – is being spread through a worldwide spam campaign.

On Tuesday, Trend Micro researchers said that they first spotted the new stealer in April. The most recent wave of the spam campaign has had the biggest impact in Australia, Germany, Japan and the U.S.

The spam emails are masquerading as business-quote requests to lure victims into clicking on booby-trapped Excel files. The researchers found 264 files similar to Panda Stealer on VirusTotal, with some of them being shared by threat actors on Discord.

That’s not surprising, given recent trends: Cisco’s Talos cybersecurity team recently found that threat actors have infiltrated workflow and collaboration tools like Slack and Discord to slip past security and deliver info-stealers, remote-access trojans (RATs) and other malware.

… Or Maybe Collaborating on More of the Same
Then again, threat actors could also be using Discord to share the Panda Stealer build with each other, Trend Micro suggested.

Once Panda gets cozy, it tries to hoover up details such as private keys and past transactions from cryptocurrency wallets, including Bytecoin (BCN), Dash (DASH), Ethereum (ETH) and Litecoin (LTC). Beyond stealing wallets, it can also filch credentials from applications, including NordVPN, Telegram, Discord and Steam. Panda can also take screenshots of the infected computer and swipe data from browsers, including cookies and passwords.

The researchers discovered two ways that the spam infects victims: In one infection chain, an .XLSM attachment contains macros that download a loader, which executes the main stealer. In another infection chain, an .XLS attachment containing an Excel formula triggers a PowerShell command to access, a Pastebin alternative that in turn accesses a second encrypted PowerShell command.

Read more here: