Skip to main content

Panda Stealer Crypto Stealer

Panda Stealer is a backdoor, with command and control (C2) capabilities, which steals cryptocurrency data and VPN credentials.

Threat ID:
CC-3852
Category:
Backdoor
Threat Severity:
Low
Threat Vector:
Phishing
Published:
13 May 2021 11:07 AM
Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Panda Stealer is a backdoor, with command and control (C2) capabilities, which steals cryptocurrency data and VPN credentials.

Affected platforms

The following platforms are known to be affected:

Versions: all supported

Microsoft Windows

Threat details

Introduction

First observed in April 2021, Panda Stealer is a backdoor crypto stealer which is distributed via email phishing campaigns. These global spam campaigns have also been distributed through popular workflow applications including Discord and Slack. Once delivered, it uses C2 to steal cryptocurrency as well as VPN credentials.

Delivery

Panda Stealer is delivered via phishing campaigns which contain Excel files masquerading as business documents. Panda Stealer has also seen to be shared by threat actors on Discord links and on Slack channels. There are two main methods which are distributing the stealer. The first method uses a .XLSM attachment that contains a malicious macro that once opened, downloads a loader which then downloads and executes the main stealer. The second method is a .XLS file containing an Excel formula that utilises a PowerShell command which then downloads a second encrypted PowerShell command from a pastebin website.

Activities

Panda Stealer uses command and control (C2) to facilitate the collection and extraction of data relating to transactions from digital cryptocurrency wallets, including Bytecoin, Dash and Litecoin. Panda Stealer can also steal browser cookies, passwords and VPN credentials. It also takes screenshots of the infected system to learn more about the target system and user.

Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

Indicators of compromise

Host Indicators

SHA256 hashes

  • 05d38ac5460418b0aa813fc8c582ee5be42be192de10d188332901157c54287c
  • 0a9f466fb5526fd512dd48c3ba9551dbd342bdb314a87d5c6f730d3c80041da6
  • 1efa74e72060865ff07bda90c4f5d0c470dd20198de7144960c88cef248c4457
  • 4ff1f8a052addbc5a0388dfa7f32cc493d7947c43dc7096baa070bfc4ae0a14e
  • 6413be289cf38c2462bd8c6b8bad47f8d953f399e1ccba30126a1fb70d13a733

Last edited: 13 May 2021 2:14 pm