Zhong Stealer: The New Malware Targeting Fintech and Cryptocurrency Sectors via Social Engineering
Zhong Stealer is a newly discovered malware targeting the fintech and cryptocurrency industries through deceptive phishing tactics. Delivered via fake customer support requests, the malware steals sensitive credentials and exfiltrates data to a Hong Kong-based C2 server. This article explores its attack methods, persistence techniques, and how organizations can protect against this evolving threat.

Zhong Stealer Malware Targets Fintech and Cryptocurrency Sectors: A Detailed Analysis
A new malware, identified as Zhong Stealer, has emerged as a significant threat targeting the fintech and cryptocurrency industries. This new malware was discovered by ANY.RUN researchers during a targeted phishing campaign conducted between December 20-24, 2024. The campaign exploits customer support platforms like Zendesk to infiltrate organizations by masquerading as frustrated customers, tricking support agents into downloading malicious files.
Exploiting Zendesk: The Attack Unfolds
The attackers launched their campaign by creating fake support tickets from newly registered accounts. The tickets were written in broken Chinese and often carried ZIP attachments described as screenshots or additional details for the support agent. Inside the archives were executable (.exe) files which, once opened, deployed the Zhong Stealer malware.
The ZIP files, named with Simplified or Traditional Chinese characters, should have raised red flags on their own: an archive supposedly containing screenshots does not need to hold executables. Upon execution, Zhong Stealer connects to a command-and-control (C2) server hosted in Hong Kong and downloads further malicious components. One of these, down.exe, was signed with a stolen digital certificate and masqueraded as a legitimate Bitdefender Security updater, helping it evade detection.
Advanced Techniques for Persistence and Exfiltration
Once on the system, the malware works to stay there. Zhong Stealer modifies Windows registry keys and creates a Task Scheduler entry so that it runs again after every reboot. It also disables security event logging, leaving fewer traces for forensic analysis.
Zhong Stealer then performs system reconnaissance, querying properties such as language settings, hostname, and proxy configuration. Next it searches for saved credentials and extensions in popular browsers including Brave and Edge/Internet Explorer, which are targeted for the authentication data they store. Finally, it exfiltrates the stolen data over non-standard ports, such as port 1131, which helps it slip past monitoring tuned to common web ports.
The Evolution of Social Engineering Attacks
The Zhong Stealer campaign underscores the evolving nature of cyber threats, especially those targeting fintech and cryptocurrency firms. By exploiting social engineering tactics through support platforms, attackers bypass traditional security mechanisms, making it easier to steal sensitive data without raising suspicion. The Zhong Stealer malware not only targets personal credentials but also focuses on cryptocurrency wallets and financial transaction details, posing severe risks to organizations in these industries.
Protecting Against Zhong Stealer
To defend against threats like Zhong Stealer, organizations must implement proactive cybersecurity measures. Here's how organizations can better safeguard their systems:
- Train support teams: Educate customer support agents to recognize phishing attempts and avoid opening suspicious attachments.
- Enforce strict security policies: Implement zero-trust security policies and restrict file execution from unverified sources.
- Monitor network traffic: Stay alert for unusual activity, especially outbound connections to non-standard ports.
- Utilize malware analysis tools: Make use of advanced malware analysis platforms like ANY.RUN to proactively analyze files and detect threats.
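The behaviours described above (Run key and scheduled-task persistence, clearing of security logging, outbound traffic to a non-standard port such as 1131) can be turned into a simple host-level correlation rule. The following is an added example, not code from ANY.RUN or the article: it assumes Windows Security and Sysmon events have been normalised into dicts with `Channel`, `EventID`, `Image` and `TargetObject` fields, plus network flows with `direction`, `image`, `dst` and `dst_port`; the sample telemetry, paths and 203.0.113.x addresses are constructed placeholders, not indicators from the article.

```python
"""Correlate the Zhong Stealer behaviours above into one host-level finding (added example,
not ANY.RUN's code). Security IDs 4698 (scheduled task created) and 1102 (audit log cleared)
and Sysmon ID 13 (registry value set) are real; the sample telemetry below is constructed."""
import re
from collections import defaultdict

EXPECTED_OUTBOUND_PORTS = {53, 80, 443}  # assumption: baseline for a support-agent workstation
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)

def flag_event(ev):
    """Map one normalised Windows Security / Sysmon event to (category, image) or None."""
    eid, chan, img = ev.get("EventID"), ev.get("Channel"), ev.get("Image", "?")
    if chan == "Security" and eid == 4698:
        return ("persistence:scheduled-task", img)
    if chan == "Security" and eid == 1102:
        return ("evasion:audit-log-cleared", img)
    if chan == "Sysmon" and eid == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
        return ("persistence:run-key", img)
    return None

def flag_flow(flow):
    """Flag outbound connections to ports outside the expected baseline (e.g. 1131)."""
    if flow["direction"] == "out" and flow["dst_port"] not in EXPECTED_OUTBOUND_PORTS:
        return (f"network:non-standard-port:{flow['dst_port']}", flow["image"])
    return None

def triage(events, flows):
    """Return {image: sorted categories} for processes showing two or more distinct behaviours."""
    hits = defaultdict(set)
    for cat, img in filter(None, [flag_event(e) for e in events] + [flag_flow(f) for f in flows]):
        hits[img].add(cat)
    return {img: sorted(c) for img, c in hits.items() if len(c) >= 2}

# Constructed sample telemetry; paths and the 203.0.113.x addresses are placeholders, not IoCs.
DOWN = r"C:\Users\agent\AppData\Local\Temp\down.exe"
SAMPLE_EVENTS = [
    {"Channel": "Sysmon", "EventID": 13, "Image": DOWN,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"Channel": "Security", "EventID": 4698, "Image": DOWN},
    {"Channel": "Security", "EventID": 1102, "Image": DOWN},
    {"Channel": "Sysmon", "EventID": 13, "Image": r"C:\Windows\explorer.exe",  # benign noise
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]
SAMPLE_FLOWS = [
    {"direction": "out", "image": DOWN, "dst": "203.0.113.10", "dst_port": 1131},
    {"direction": "out", "image": r"C:\Program Files\Microsoft\Edge\msedge.exe",
     "dst": "203.0.113.20", "dst_port": 443},  # normal browsing, not flagged
]
if __name__ == "__main__":
    for img, cats in triage(SAMPLE_EVENTS, SAMPLE_FLOWS).items():
        print(img, cats)
```

Requiring two distinct behaviour categories per process keeps a lone scheduled-task creation or a single odd port from paging an analyst, while the combination seen here surfaces immediately.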
Final Thoughts
The Zhong Stealer incident highlights the growing sophistication of cybercrime and the increasing reliance on social engineering tactics. By exploiting human trust, attackers can bypass traditional defenses and gain access to critical financial and personal information.
For organizations in the fintech and cryptocurrency sectors, adopting proactive cybersecurity measures and utilizing advanced malware analysis tools are essential to prevent future breaches. Only with a combination of technical defenses and employee training can organizations mitigate the risks posed by evolving cyber threats like Zhong Stealer.
About ANY.RUN
ANY.RUN is a leading provider of interactive malware analysis and threat intelligence solutions. With its cloud-based sandbox environment and various threat intelligence tools, ANY.RUN enables cybersecurity professionals to analyze and detect malicious activity in real-time. Their platform provides deep insights into malware behavior, helping organizations stay ahead of emerging threats.
For more information on Zhong Stealer and proactive defense strategies, visit the ANY.RUN blog.