Bitcoin Forum
Author Topic: {Warning}: New Panda Stealer Targets Cryptocurrency Wallets  (Read 233 times)
Baofeng (OP)
May 05, 2021, 09:57:13 PM
#1

A new malware was discovered last month, and it is being called "Panda Stealer". It is mostly spread across the United States, Australia, Japan and Germany.

Mode of infection

1. Spam email pretending to be a business quote request. It has an XLS attachment which, obviously, has malicious content.

2. Another attachment, but this time the XLS contains an Excel formula that utilizes a PowerShell command.

Cryptocurrencies being targeted, and others:

Quote
Once installed, Panda Stealer can collect details like private keys and records of past transactions from its victim’s various digital currency wallets, including Dash, Bytecoin, Litecoin, and Ethereum. Not only does it target cryptocurrency wallets, it can steal credentials from other applications such as NordVPN, Telegram, Discord, and Steam. It’s also capable of taking screenshots of the infected computer and exfiltrating data from browsers like cookies, passwords, and cards.

https://www.trendmicro.com/en_us/research/21/e/new-panda-stealer-targets-cryptocurrency-wallets-.html

So again, be careful even if you are not living in those countries that have been mentioned as the main targets for now. The malware might not target bitcoin for now, but for sure these cyber actors are going to evolve. So don't open any attachment, especially one coming from an unknown source.

 
Charles-Tim
May 05, 2021, 10:16:11 PM
#2

Not even an email but a spam email, which means some people will still go ahead and check spam messages when they were not authorized to receive an email message. To be on the safe side, it is better to even see many email messages included as spam, because there are some that can lead to phishing attempts or contain malicious links, just like you mentioned. I only click on links that I authorized, because I do not trust any other link. People can be so ridiculous, because of ignorance and greed.

Dave1
May 06, 2021, 03:14:36 AM
#3

Quote
Not even an email but a spam email, which means some people will still go ahead and check spam messages when they were not authorized to receive an email message. To be on the safe side, it is better to even see many email messages included as spam, because there are some that can lead to phishing attempts or contain malicious links, just like you mentioned. I only click on links that I authorized, because I do not trust any other link. People can be so ridiculous, because of ignorance and greed.

Or better yet, have the practice of separating our crypto related emails from our other personal emails or throwaway emails. So that when we receive an email to our crypto related account, that is a red flag already and it should be deleted at once.

And there could be people who fall for this trick; maybe some will open it and then become the next victim here.

 
Charles-Tim
May 06, 2021, 05:11:58 AM
#4

Quote
Or better yet, have the practice of separating our crypto related emails from our other personal emails or throwaway emails. So that when we receive an email to our crypto related account, that is a red flag already and it should be deleted at once.

You are right, but not only crypto users can receive phishing email messages; it can happen to any other email account. Users' data on online platforms can be breached at any time by hackers, which is frequent these days. Also, some people like giving their emails to online platforms without even caring to know if their data is protected or not. For maximum protection against such phishing attacks, we need to limit the information we share online and also not click on links in email messages we did not authorize, but as for me, I do not even open such email messages at all.

Quote
And there could be people who fall for this trick; maybe some will open it and then become the next victim here.

Yes, some people can fall for this type of online attack; that is why it is good to only click on email messages you authorized. We all at one point in time gave out our email for certain reasons online, and a data breach can come from anywhere.

pooya87
May 06, 2021, 05:41:43 AM
#5

Am I understanding this correctly that the email itself doesn't contain the malware but a command that, when executed through Excel(?), downloads the actual malware from the internet (paste.ee?), right?
In that case, wouldn't this be mitigated by your firewall blocking Excel's access to the internet altogether and by default?

DdmrDdmr
May 06, 2021, 06:41:16 AM
#6

When it talks about two infection chains, I figure it means that it has two alternative deployment methods, one based on an xlsm and the other on an xls (like an A/B test to see which gets better results, or simply a way to diversify the attack).

In either case, the usual should apply, which is don’t fall for the call to action to open the attached email file (xls or xlsm). It doesn’t specify here what the call to action message is, except for the fact that it’s business related (i.e. "Please verify your invoice in the attached file" or so).

This particular malware targets crypto related stuff, which is likely going to be a trend as more people get into the game over time.
DigitalFox
May 06, 2021, 09:31:30 AM
#7

For ages this warning has existed and has been repeated by literally everyone: don't open attachments or click on links in emails, especially emails from unknown sources. I thought by 2021 every internet user would know that, but no, there are still people out there who fall for it.

Lucius
May 06, 2021, 10:51:38 AM
#8

Quote
In that case, wouldn't this be mitigated by your firewall blocking Excel's access to the internet altogether and by default?

Most people don't even have an antivirus program, and a firewall is something that the average Joe finds even harder to understand. I know W10 has its own firewall that is turned on by default, but I'm not sure how well, or badly, it does its job. When it comes to educating young people about computer security, I think we are generally in a very bad position - how else to explain so many online scams, which have increased even more thanks to the pandemic.

I found an interesting example from Singapore that shows the scale of such activities, so while it’s not solely about whether someone has an AV or a firewall, it still clearly shows that people still can’t distinguish good from bad.

cheezcarls
May 06, 2021, 11:49:45 AM
#9

Quote
A new malware was discovered last month, and it is being called "Panda Stealer". It is mostly spread across the United States, Australia, Japan and Germany.

Mode of infection

1. Spam email pretending to be a business quote request. It has an XLS attachment which, obviously, has malicious content.

2. Another attachment, but this time the XLS contains an Excel formula that utilizes a PowerShell command.

Cryptocurrencies being targeted, and others:

Quote
Once installed, Panda Stealer can collect details like private keys and records of past transactions from its victim’s various digital currency wallets, including Dash, Bytecoin, Litecoin, and Ethereum. Not only does it target cryptocurrency wallets, it can steal credentials from other applications such as NordVPN, Telegram, Discord, and Steam. It’s also capable of taking screenshots of the infected computer and exfiltrating data from browsers like cookies, passwords, and cards.

https://www.trendmicro.com/en_us/research/21/e/new-panda-stealer-targets-cryptocurrency-wallets-.html

So again, be careful even if you are not living in those countries that have been mentioned as the main targets for now. The malware might not target bitcoin for now, but for sure these cyber actors are going to evolve. So don't open any attachment, especially one coming from an unknown source.

Now this is really scary, and thank you for the heads up. These hackers are trying to be one step ahead of the security measures, like what happened in the previous exchange hacking incidents on Binance, etc. So they’ve created this malware and are targeting emails involved in crypto.

And yes, it’s better to have a separate email only for crypto, and it’s not good to store our private keys or seed phrases there because of this new malware being spread. It could happen in other countries soon. I will tell my crypto friends about this.
Synerggy
May 06, 2021, 12:40:57 PM
#10

This is why I don't bother opening any mail that I'm not expecting; the only way for this to become active on your PC is clicking, which is the bait. OP, how about mobile? Can these ticking time bomb mails affect smartphones as well?

Kemarit
May 07, 2021, 12:46:37 AM
#11

Quote
This is why I don't bother opening any mail that I'm not expecting; the only way for this to become active on your PC is clicking, which is the bait. OP, how about mobile? Can these ticking time bomb mails affect smartphones as well?

I've read the attached article, and I can't find anything mentioning mobile or smartphones.

However, I wouldn't just relax here; sooner or later these threat actors will evolve and might create an iteration of the said malware that will target mobile phones too. We all know that they are looking for every opportunity in the crypto space because of the potential to hit one victim with crypto worth millions of dollars.

cabron
May 07, 2021, 12:57:36 AM
#12


Yep, spam emails are still being checked by users; you have got to be the most naive to really install something that is just attached to an email you found in your inbox. This stealer must have been very zealous to have been sent to thousands of email addresses and only get one.

Quote
This is why I don't bother opening any mail that I'm not expecting; the only way for this to become active on your PC is clicking, which is the bait. OP, how about mobile? Can these ticking time bomb mails affect smartphones as well?

Quote
I've read the attached article, and I can't find anything mentioning mobile or smartphones.

However, I wouldn't just relax here; sooner or later these threat actors will evolve and might create an iteration of the said malware that will target mobile phones too. We all know that they are looking for every opportunity in the crypto space because of the potential to hit one victim with crypto worth millions of dollars.

Sometimes it could get listed on the App Store, but there has got to be some reason why someone would install it on their phone.


jossiel
May 07, 2021, 03:57:29 PM
#13

Sometimes being lazy about opening unsolicited emails is helpful to us. If you don't know the source of an email, you had better not open it.

And those attachments that are included in those emails, if you don't trust them, never bother to click them.

Lucius
May 09, 2021, 02:06:59 PM
#14

Quote
Sometimes being lazy about opening unsolicited emails is helpful to us. If you don't know the source of an email, you had better not open it.

Nothing bad will happen if we open any e-mail we receive; this in itself is not a danger because, as far as I know, it still takes a little more than just opening an e-mail for something bad to happen. It’s important not to download any attachments that come in such emails, but as they say, “curiosity killed the cat”, and people who are curious (and careless) often fall into the trap.

What I would especially like to point out is that you should beware of e-mails that only seemingly come from people you know, because someone can target you specifically - so a legitimate e-mail address can be melissa23@xxx.com, and the hacker is sending from melisa23@xxx.com a message with content that says "look at my latest holiday pictures, just click on the attachments".

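As an added example (not code from the thread, from Trend Micro, or from the Panda Stealer write-up), the small Python triage routine below applies the two cautions this thread raises on the receiving side: the OP's infection chain (a "business quote request" carrying an XLS attachment) and Lucius's lookalike sender address (melisa23 vs melissa23). The sample message, the address book and the 0.9 similarity threshold are constructed for the demonstration.

```python
import email
import os
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr

# Extensions the thread mentions (XLS, XLSM) plus other macro-capable Office types.
RISKY_EXT = {".xls", ".xlsm", ".xlsb", ".xlam", ".doc", ".docm", ".dotm"}

# Constructed sample (not a real message): a "quote request" carrying an XLS, sent from an
# address one letter short of a real contact; the "file" is just the base64 OLE magic bytes.
SAMPLE_EMAIL = b"""From: "Melissa" <melisa23@xxx.com>
Subject: Quote request
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Please see the attached quote request.
--B
Content-Type: application/vnd.ms-excel; name="quote.xls"
Content-Disposition: attachment; filename="quote.xls"
Content-Transfer-Encoding: base64

0M8R4KGxGuE=
--B--
"""

# Hypothetical address book; entries are lowercase so comparisons are case-insensitive.
KNOWN_CONTACTS = {"melissa23@xxx.com", "accounting@example.com"}

def lookalike_contact(sender, contacts, threshold=0.9):
    """Known contact that `sender` imitates (similarity >= threshold), else None."""
    sender = sender.lower()
    if sender in contacts:          # exact match: a known sender, not a lookalike
        return None
    best, best_ratio = None, 0.0
    for contact in contacts:
        ratio = SequenceMatcher(None, sender, contact).ratio()
        if ratio > best_ratio:
            best, best_ratio = contact, ratio
    return best if best_ratio >= threshold else None

def risky_attachments(msg):
    """Filenames of attachments whose extension is a macro-capable Office type."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name.lower())[1] in RISKY_EXT:
            names.append(name)
    return names

def triage(raw, contacts):
    """Classify a raw message as deliver, review or quarantine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    attachments = risky_attachments(msg)
    if not attachments:
        verdict = "deliver"
    elif sender in contacts:
        verdict = "review"       # known sender, but still an Office file to confirm first
    else:
        verdict = "quarantine"   # Office file from an unknown or lookalike sender
    return {"sender": sender, "lookalike_of": lookalike_contact(sender, contacts),
            "risky_attachments": attachments, "verdict": verdict}
```

Extension matching is only a first filter: the Trend Micro write-up describes the payload living in an Excel formula, so a real gateway would also inspect the file contents rather than trust the name.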
jossiel
May 09, 2021, 11:04:16 PM
#15

Quote
Sometimes being lazy about opening unsolicited emails is helpful to us. If you don't know the source of an email, you had better not open it.

Quote
Nothing bad will happen if we open any e-mail we receive; this in itself is not a danger because, as far as I know, it still takes a little more than just opening an e-mail for something bad to happen. It’s important not to download any attachments that come in such emails, but as they say, “curiosity killed the cat”, and people who are curious (and careless) often fall into the trap.

What I would especially like to point out is that you should beware of e-mails that only seemingly come from people you know, because someone can target you specifically - so a legitimate e-mail address can be melissa23@xxx.com, and the hacker is sending from melisa23@xxx.com a message with content that says "look at my latest holiday pictures, just click on the attachments".

You're right. There's no danger in opening it, but with the example you've given, that's putting a person near the danger that the email has attached.

It is okay to be curious, but when it comes to attachments, the danger starts, especially if the link goes with those informal sets of links that they're including, and sometimes in file formats that will hit the receiver's curiosity.

But for those that want to avoid them fully and don't want to hit their curiosity, ignoring and deleting them quickly would be the best measure.

libert19
May 10, 2021, 02:58:29 AM
#16

Rule of thumb for these types of attacks is to ignore every email with an attachment unless you expected it.