Coindesk Logo

'Panda' Malware Targets Crypto Wallets and Users' Discord, Telegram Accounts

'Panda' Malware Targets Crypto Wallets and Users' Discord, Telegram Accounts

'Panda' Malware Targets Crypto Wallets and Users' Discord, Telegram Accounts

The main "new" aspect here is the target of the data theft.

The main "new" aspect here is the target of the data theft.

The main "new" aspect here is the target of the data theft.

AccessTimeIconMay 10, 2021, 10:03 PM
Updated Aug 19, 2021, 9:18 AM

Presented By Icon

Election 2024 coverage presented by

Stand with crypto

A new ransomware attack is going after cryptocurrency wallets, along with account credentials from other applications such as NordVPN, Telegram, Discord and Steam.

Dubbed “Panda,” the new information-stealing malware (also called infostealer for short) was discovered by Trend Micro, a cybersecurity software company. 

“Crypto wallets are now as big of a target for online theft as banking accounts are,” said the Trend Micro researchers who discovered the attack. “With more people getting into cryptocurrencies and the values of said cryptocurrencies still increasing, this will only become a greater threat moving forward.”

They also said there is more risk here because unlike with a bank robbery or credit card theft, there may not be a central authority that can undo malicious transactions. Once you lose your money and the transaction goes on the blockchain, it's likely gone forever.

The malware attack

At a high level, according to the researchers, the attack begins with spam messages that contain a malicious attachment. The attachment uses PowerShell scripts, a task automation and configuration management coding language Microsoft, to download the actual Panda Stealer malware (in encoded form), which is then loaded without files onto the affected system.

“None of this is particularly novel in and of itself – malicious Office documents are well known, so is fileless loading,” the researchers said. “The main 'new' aspect here is the target of the data theft.”

Beyond just targeting cryptocurrency wallets with malware, attackers are now setting their sights on applications like Discord and Telegram – popular communications platforms for cryptocurrency communities. 

The attack campaign, which was active in April, uses spam emails and the same rare fileless distribution method as a separate recent attack. Morphisec, another cybersecurity firm, discovered a Phobos ransomware campaign in early April that uses an identical fileless distribution method to Panda, making it more difficult for security tools to spot.

"The fileless distribution used in this case means there is no signature for antivirus software to detect the threat, and it can bypass detection,” said Michael Gorelik, chief technology officer and head of threat intelligence at Morphisec. “Therefore, it's dangerous for both consumers' wallets and even enterprises, with more lines of security set up."

Follow best security practices

The Trend Micro researchers said following long-standing security practices still applies here. Not opening up attachments sent via email, making sure you don’t click on unknown links and keeping software upgraded still are basic security measures people can take to avoid malware and other security breaches. 

Specific to cryptocurrencies, they said the best advice is to secure your cryptocurrency wallets. They weren’t able to give specific recommendations given the wide array of wallets on the market, but recommended using strong, unique passwords. 

“If the wallet you're using offers multifactor authentication (and many do – if anything, they may support multiple methods), use them,” the researchers said.  “For investors who are more interested in holding cryptocurrencies for the long term instead of actively trading them, the use of hardware-based/offline wallets may well be safer, if less convenient to add to or sell from.”

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information have been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. CoinDesk has adopted a set of principles aimed at ensuring the integrity, editorial independence and freedom from bias of its publications. CoinDesk is part of the Bullish group, which owns and invests in digital asset businesses and digital assets. CoinDesk employees, including journalists, may receive Bullish group equity-based compensation. Bullish was incubated by technology investor Block.one.


Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.