A crypto stealer seems to have spread through a massive spam campaign across several countries, including the United States, Australia, Japan, and Germany. The malware dubbed “Panda Stealer” has been spotted by a cybersecurity company. It is reportedly also distributed on Discord channels.
Malware Can Also Steal Data From Telegram and Discord Apps
According to the report published by Trend Micro, the stealer is a variant of another malware named “Collector Stealer,” which uses the same techniques to evade most detection tools. The malware is delivered inside a malicious macro-enabled Excel file (.xlsm format).
Once the victim runs the series of PowerShell scripts embedded in the infected document, Panda Stealer launches its malicious processes. It collects sensitive crypto-related data, including private keys and records of past transactions made with wallets for cryptocurrencies such as dash (DASH), litecoin (LTC), and ethereum (ETH).
Researchers from Trend Micro provided further technical details on the malware’s similarities with other ones:
Panda Stealer was found to be a variant of Collector Stealer, which has been sold on some underground forums and a Telegram channel. Collector Stealer has since been cracked by a Russian threat actor called NCP, also known as su1c1de. (…) Like Panda Stealer, Collector Stealer exfiltrates information like cookies, login data, and web data from a compromised computer, storing them in an SQLite3 database. It also covers its tracks by deleting its stolen files and activity logs after its execution.
But the stealer is not limited to harvesting digital asset-related data from victims. The study revealed that it can also steal credentials from Telegram, NordVPN, and Discord, among others.
Moreover, Panda Stealer can take screenshots of the user’s computer and collect data stored encrypted in browsers, such as credit card information.
Recent Crypto Malware Stealers Spotted
Bitcoin.com News has reported on the surge in crypto-malware over the past few months. Recently, a cryptocurrency-related malware program named “Westeal” was advertised on darknet forums as the “leading way to make money in 2021,” raising alarms in the cybersecurity community.
The tool is capable of stealing bitcoin (BTC) and ethereum, but its malicious code is sold under a subscription model.
Chinese Crypto Exchange Paralyzed After Suffering Serious Cyber Attack
Hotbit is temporarily shutting down following a cyber attack that paralyzed a number of its central services.
In a statement, the Chinese crypto exchange reveals that it suffered a security breach at about 8 PM UTC (1 PM PST) on Friday. The attackers also attempted to break into Hotbit’s wallets, but the attempt was identified and stopped by the platform’s risk control system.
Hotbit says it is suspending all its services to conduct an investigation. It is also rebuilding its entire server infrastructure to strengthen security.
“The attacker maliciously deleted the user database after failing to obtain assets. Although the database is routinely backed up, we are still uncertain whether the attacker has polluted data or not before the attack. Therefore, we also need to conduct a comprehensive inspection of the overall data. Once any anomaly is detected, we will perform an accurate reconstruction to ensure that all user data is accurate.”
The exchange assures its nearly two million users that their assets, passwords, and two-factor authentication (2FA) settings are safe. Still, it warns that the attackers have control over the database and may send fake communications purporting to be from the Hotbit team. It also admits that the attackers may leak compromised phone numbers, email addresses, and other user data.
The crypto exchange expects the maintenance to last between seven and 14 days. Hotbit says it will take full responsibility for losses on leveraged exchange-traded funds (ETFs) during the period. To avoid trading losses, it is also canceling all open orders until the system is restored.
As for routine daily income distributions, such as payouts from investment products, the firm says they will be made after the maintenance is completed.