Researchers at Trend Micro have uncovered a new cryptocurrency stealer variant that uses a fileless approach in its global spam email distribution campaign to evade detection.

The gang behind the malware, dubbed "Panda Stealer," starts with emails that appear to be business quote requests to entice recipients to open malicious Excel files, Trend Micro says. Researchers found that the malware, a modification of Collector Stealer, has targeted victims in the United States, Australia, Japan and Germany.

Trend Micro identified two infection chains. The first involves an .XLSM attachment that contains macros that download a loader, which then downloads and executes the main stealer. The second infection chain method involves an attached .XLS file containing an Excel formula that uses a PowerShell command to access paste.ee, a Pastebin alternative, which accesses a second encrypted PowerShell command.

"Decoding these PowerShell scripts revealed that they are used to access paste.ee URLs for easy implementation of fileless payloads. The CallByName export function in Visual Basic is used to call the loading of a .NET assembly within memory from a paste.ee URL. The loaded assembly, obfuscated with an Agile.NET obfuscator, hollows a legitimate MSBuild.exe process and replaces it with its payload: the hex-encoded Panda Stealer binary from another paste.ee URL," according to the Trend Micro researchers.

Once it's installed on a device, Panda Stealer can collect private keys and records of past transactions from victims' digital currency wallets, including Dash, Bytecoin, Litecoin and Ethereum. "Not only does it target cryptocurrency wallets, it can steal credentials from other applications, such as NordVPN, Telegram, Discord chat app and Steam," the researchers note. "It's also capable of taking screenshots of the infected computer and exfiltrating data from browsers, like cookies, passwords and cards."

After stealing information, the malware stores stolen files in a %TEMP% folder under random file names. The files are then sent to a command-and-control server.

Further analysis of the C2 revealed a login page for "Panda Stealer," Check Point reports. "But more domains have been identified with the same login page," the researchers say. "Another 14 victims were discovered from the logs of one of these servers." Another 264 files similar to Panda Stealer were found on VirusTotal. More than 140 C2 servers and over 10 download sites were used by these samples.

Some of the download sites were from Discord, researchers say. They report that these contain files with names such as "build.exe," indicating that threat actors may be using Discord to share the Panda Stealer build.

Trend Micro researchers identified an IP address that the attackers apparently used. "We believe that this address is assigned to a virtual private server rented from Shock Hosting, which the actor infected for testing purposes," the researchers note. The VPS may be paid for using cryptocurrency to avoid being traced and uses the online service Cassandra Crypter.
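The infection chain described above (Excel opening a spam attachment, spawning PowerShell that fetches from paste.ee, and finally an MSBuild.exe process created under that lineage) can be expressed as process-lineage detection rules. The following Python is an added example, not code from Trend Micro or the article; the event field names (pid, ppid, image, cmdline) and the sample events are constructed assumptions rather than real telemetry.

```python
import re

# Constructed process-creation events (assumed fields: pid, ppid, image, cmdline).
# They model the chain described in the article; they are not real telemetry or IoCs.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "OUTLOOK.EXE", "cmdline": "OUTLOOK.EXE"},
    {"pid": 300, "ppid": 200, "image": "EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" "C:\Users\u\Downloads\quote_request.xls"'},
    {"pid": 400, "ppid": 300, "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc <BASE64_PLACEHOLDER> https://paste.ee/r/placeholder"},
    {"pid": 500, "ppid": 400, "image": "MSBuild.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    # Benign developer activity: Visual Studio building a project.
    {"pid": 600, "ppid": 100, "image": "devenv.exe", "cmdline": "devenv.exe"},
    {"pid": 700, "ppid": 600, "image": "MSBuild.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe app.csproj /t:Build"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
PASTE_SITE = re.compile(r"paste\.ee", re.IGNORECASE)

def ancestors(event, by_pid):
    """Yield ancestor image names, lowercased, nearest parent first."""
    ppid = event["ppid"]
    while ppid in by_pid:
        parent = by_pid[ppid]
        yield parent["image"].lower()
        ppid = parent["ppid"]

def classify(event, by_pid):
    """Return rule names the event matches; an empty list means nothing suspicious."""
    image = event["image"].lower()
    lineage = list(ancestors(event, by_pid))
    hits = []
    if image in SCRIPT_HOSTS and lineage and lineage[0] in OFFICE_APPS:
        hits.append("office_spawns_script_host")
    if image in SCRIPT_HOSTS and PASTE_SITE.search(event["cmdline"]):
        hits.append("script_host_fetches_paste_site")
    # MSBuild.exe is a normal build tool; it is suspicious here only when an Office
    # application sits anywhere in its ancestry (the hollowing target in this chain).
    if image == "msbuild.exe" and any(a in OFFICE_APPS for a in lineage):
        hits.append("msbuild_descends_from_office")
    return hits

def scan(events):
    """Map pid -> matched rule names for every event that triggers at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    return {e["pid"]: classify(e, by_pid) for e in events if classify(e, by_pid)}
```

The lineage walk is what keeps the MSBuild rule quiet for the Visual Studio build in the sample while still flagging the copy launched beneath Excel.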