Notice: amp_is_available was called incorrectly. `amp_is_available()` (or `amp_is_request()`, formerly `is_amp_endpoint()`) was called too early and so it will not work properly. WordPress is currently doing the `pre_get_posts` hook. Calling this function before the `wp` action means it will not have access to `WP_Query` and the queried object to determine if it is an AMP response, thus neither the `amp_skip_post()` filter nor the AMP enabled toggle will be considered. It appears the theme with slug `publisher` is responsible; please contact the author. Please see Debugging in WordPress for more information. (This message was added in version 2.0.0.) in /home/runcloud/webapps/techilive/wp-includes/functions.php on line 5313
Panda Stealer targets cryptocurrency wallets and VPN credentials via malicious XLS attachment - TechiLive.in

Panda Stealer targets cryptocurrency wallets and VPN credentials via malicious XLS attachment

0

This latest attack also steals credentials from Telegram, Discord and Steam, according to a Trend Micro analysis.

Image: iStockPhoto/danijelala

Bad actors put a new twist on an existing piece of malware to steal private keys for cryptocurrency accounts and other account credentials, according to analysis from Trend Micro. The entry point is a spam email that contains a request for a quote for business services and malicious Excel files.

Panda Stealer uses a fileless approach and looks for private keys and records of previous transactions from cryptocurrency wallets including Dash, Bytecoin, Litecoin and Ethereum, according to Trend Micro. The malware also steals credentials from other apps such as NordVPN, Telegram, Discord and Steam. 

SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)

Trend Micro analysts Monte de Jesus, Fyodor Yarochkin and Paul Pajares explained the latest variant of CollectorStealer in a blog post. The analysts identified two infection chains:

  • An XLSM attachment that contains macros that download a loader, which executes the stealer 
  • An XLS file that contains an Excel formula that uses a PowerShell command to access paste.ee, which access a second encrypted PowerShell command

The analysts describe the attack this way:

“Decoding these PowerShell scripts revealed that they are used to access paste.ee URLs for easy implementation of fileless payloads. The CallByName export function in Visual Basic is used to call the load of a .NET assembly within memory from a paste.ee URL. The loaded assembly, obfuscated with an Agile.NET obfuscator, hollows a legitimate MSBuild.exe process and replaces it with its payload: the hex-encoded Panda Stealer binary from another paste.ee URL.”

In addition to stealing data, the malware can take screenshots to capture data from browsers such as cookies, passwords and cards. The Trend Micro analysts report that the U.S., Australia, Japan and Germany were the biggest targets in this recent spam attack.

Trend Micro’s analysis also discovered that Panda Stealer has an infection chain that uses the same fileless distribution method as the “Fair” variant of Phobos ransomware to carry out memory-based attacks. This tactic makes it more difficult for security tools to spot the infection.

Trend Micro reports that Panda Stealer is a variant of Collector Stealer. The two pieces of malware operate similarly but have different command and control URLs, build tags and execution folders. Collector Stealer “covers its tracks by deleting stolen files and activity logs,” according to Trend Micro.

CollectorStealer harvests passwords, cookies, credit card details, .dat and .wallet files from cryptocurrency wallets, Discord and Telegram sessions, Steam files, two-factor authenticator sessions and information from autofill forms and passwords from certain browsers, according to PCRisk. People whose computers are infected with this malware can lose access to bank accounts, social media and email accounts. Bad actors also use this access to spread the malware to other computers. 

Also see

Stay connected with us on social media platform for instant update click here to join our  Twitter, & Facebook

Loading...

We are now on Telegram. Click here to join our channel (@TechiUpdate) and stay updated with the latest Technology headlines.

For all the latest Technology News Click Here 

 For the latest news and updates, follow us on Google News

Loading...

Read original article here

Denial of responsibility! TechiLive.in is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – admin@techilive.in. The content will be deleted within 24 hours.
Leave a comment