Warning: Panda Stealer malware is stealing your cryptocurrency

Panda Stealer was deployed through fake spam emails requesting business quotes to lure inadvertent victims to open malicious Excel files. According to Trend Micro, two infection sequences have been identified: a .XLSM attachment containing macros that download a loader.

Then the downloader and takes the stealing; The second chain of infection involves an attached .XLS file containing an Excel formula that uses a PowerShell command to access paste.ee, a workaround for Pastebin, that accesses an encrypted PowerShell command a second time.

Warning: Panda Stealer malware is stealing your cryptocurrency Picture 1

The .XLSM attachment contains macros that download a downloader.

Warning: Panda Stealer malware is stealing your cryptocurrency Picture 2

The attached .XLS file contains a malicious Excel formula.

Warning: Panda Stealer malware is stealing your cryptocurrency Picture 3

PowerShell script is encrypted and decoded from paste.ee URL.

The malware is an affiliate of Collector Stealer, sold on some private forums and Telegram.

Once installed, Panda Stealer can collect detailed information and records of past transactions from victims' various virtual wallets. In addition, it can steal login information from apps like NordVPN, Telegram, Discord, Steam and others. Not stopping there, it has the ability to take screenshots of the infected computer and retrieve data from browsers such as cookies, passwords and tags.

Trend Micro has identified an IP address they believe hackers used to attack crypto wallets. The IP address assigned to a virtual server (VPS) leased from Shock Hosting. Immediately after being notified, Shock Hosting confirmed that the server assigned with this IP address was suspended.

To help keep your PC and data protected, you should install anti-virus software.

Jessica Tanner

Update 10 May 2021