
New Zhong Stealer Malware Targets Fintech and Cryptocurrency through Zendesk Exploit


A new malware strain known as Zhong Stealer has been identified as a significant threat to the fintech and cryptocurrency industries. Researchers at Any.run uncovered the Zhong malware during a phishing campaign that occurred between December 20 and 24, 2024. This malware specifically targets customer support platforms like Zendesk to gain unauthorized access to sensitive information within organizations.

The attackers behind Zhong Stealer employ sophisticated social engineering tactics to deceive support agents into downloading malicious files. By posing as customers and creating fake support tickets using newly registered accounts, the attackers lure unsuspecting victims into opening ZIP file attachments that contain malware disguised as screenshots or additional details related to the fake support inquiries. These ZIP files are named in Chinese characters, making them appear legitimate to the recipients.

Once the malicious file is opened, Zhong Stealer connects to a command-and-control (C2) server hosted in Hong Kong and downloads additional components, including a downloader disguised as a Bitdefender security updater. The downloader carries a stolen (and since revoked) digital certificate, which lets the malware slip past initial signature-based detection. Zhong Stealer then establishes persistence on the compromised system by modifying Windows registry keys, creating Task Scheduler tasks that run at startup, and disabling security event logging so that later forensic analysis has less to work with.

Moreover, Zhong Stealer conducts reconnaissance on infected systems by querying various system properties and scanning browser extensions and saved credentials from popular web browsers like Brave, Edge, and Internet Explorer. Once it collects sensitive data, the malware exfiltrates it to the C2 server through non-standard network ports, complicating detection efforts further.

The emergence of Zhong Stealer underscores the increasing sophistication of cyber threats targeting fintech and cryptocurrency companies. By abusing customer support platforms as an entry point, attackers can circumvent traditional perimeter controls and reach valuable financial and digital assets. To counter such threats effectively, organizations in these sectors should implement proactive measures, including training support teams to recognize phishing attempts, enforcing zero-trust security policies, monitoring endpoint and network telemetry for the persistence, log-tampering and unusual-port behaviour described above, and using malware analysis tools such as Any.run's Interactive Sandbox for real-time threat detection.
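The behaviours the article attributes to Zhong Stealer (a Run-key registry entry, a scheduled task triggered at boot or logon, cleared or disabled security logging, and outbound traffic on non-standard ports) are all things a SIEM or EDR can watch for. The following is an added example written for this page, not code from Any.run or from the article; it runs a few detection rules over constructed JSON-lines telemetry and correlates hits per host. The event IDs used are the standard Windows Security (4698 task created, 1102 audit log cleared, 4719 audit policy changed) and Sysmon (13 registry value set, 3 network connection) identifiers; the field names, host names, paths, IP addresses and port in the sample events are assumptions and not real indicators from the campaign.

```python
"""Correlate endpoint telemetry for the persistence / log-tampering / odd-port
chain described in the article. Field names and sample events are constructed
for this example; event IDs follow Windows Security and Sysmon conventions."""
import json
from collections import defaultdict

# Constructed sample telemetry (not real Zhong Stealer artefacts). Raw string so
# the JSON backslash escapes survive as written.
SAMPLE_EVENTS = r"""
{"host":"ws-support-01","event_id":13,"source":"sysmon","image":"C:\\Users\\agent\\AppData\\Local\\Temp\\updater.exe","target":"HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"}
{"host":"ws-support-01","event_id":4698,"source":"security","task_name":"\\SecurityUpdater","trigger":"boot","image":"C:\\Users\\agent\\AppData\\Local\\Temp\\updater.exe"}
{"host":"ws-support-01","event_id":1102,"source":"security","subject":"agent"}
{"host":"ws-support-01","event_id":3,"source":"sysmon","image":"C:\\Users\\agent\\AppData\\Local\\Temp\\updater.exe","dst_ip":"203.0.113.10","dst_port":1527,"initiated":true}
{"host":"ws-finance-02","event_id":3,"source":"sysmon","image":"C:\\Program Files\\BraveSoftware\\Brave-Browser\\Application\\brave.exe","dst_ip":"198.51.100.5","dst_port":443,"initiated":true}
{"host":"ws-finance-02","event_id":4698,"source":"security","task_name":"\\Backup","trigger":"daily","image":"C:\\Windows\\System32\\backup.exe"}
"""

# Ports that ordinary user traffic is expected on; anything else is "non-standard".
COMMON_PORTS = {53, 80, 443, 22, 25, 587, 993, 995}
RUN_KEY_MARKER = "\\currentversion\\run"          # autostart registry location
STARTUP_TRIGGERS = {"boot", "logon"}               # task triggers that survive reboot
LOG_TAMPER_EVENTS = {1102: "security log cleared", 4719: "audit policy changed"}


def classify(event):
    """Apply the single-event rules. Returns (tag, detail) or None."""
    eid = event.get("event_id")
    if eid == 13 and RUN_KEY_MARKER in event.get("target", "").lower():
        return ("persistence_run_key", event["target"])
    if eid == 4698 and event.get("trigger") in STARTUP_TRIGGERS:
        return ("persistence_startup_task", event.get("task_name"))
    if eid in LOG_TAMPER_EVENTS:
        return ("log_tampering", LOG_TAMPER_EVENTS[eid])
    if eid == 3 and event.get("initiated") and event.get("dst_port") not in COMMON_PORTS:
        return ("nonstandard_port_egress", f"{event['dst_ip']}:{event['dst_port']}")
    return None


def correlate(lines):
    """Group rule hits per host and score them. A host showing persistence
    together with log tampering gets a bonus, since that pairing is the chain
    the article describes rather than an isolated admin action."""
    hits = defaultdict(list)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        tag = classify(ev)
        if tag:
            hits[ev["host"]].append((tag[0], tag[1], ev.get("image")))

    report = {}
    for host, found in hits.items():
        tags = {t for t, _, _ in found}
        images = {i for _, _, i in found if i}
        score = len(tags)
        if tags & {"persistence_run_key", "persistence_startup_task"} and "log_tampering" in tags:
            score += 2
        report[host] = {
            "score": score,
            "tags": sorted(tags),
            "images": sorted(images),
            "details": [(t, d) for t, d, _ in found],
        }
    return report


if __name__ == "__main__":
    print(json.dumps(correlate(SAMPLE_EVENTS.splitlines()), indent=2))
```

Run stand-alone, the script reports only `ws-support-01`: the Run-key write, the boot-triggered task, the cleared security log and the connection to port 1527 all come from the same binary, so the host scores 6, while the finance workstation's browser traffic on 443 and its daily backup task match nothing. In a real deployment the image list per host is the pivot for hunting: the same unsigned or revoked-certificate path appearing across several rule hits is what turns four low-severity events into one incident.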

The incident involving Zhong Stealer serves as a stark reminder of the need for heightened cybersecurity practices within the financial technology and cryptocurrency industries. By combining technical defenses with employee training and awareness, organizations can better protect themselves against evolving malware campaigns and mitigate the risks associated with such sophisticated threats. Vigilance and proactive measures are crucial in safeguarding sensitive information and maintaining the integrity of financial transactions in an increasingly digitized world.

