
ANY.RUN Shares Research on Zhong Stealer: The New Malware Targeting Fintech and Cryptocurrency

DUBAI, DUBAI, UNITED ARAB EMIRATES, February 18, 2025 /EINPresswire.com/ -- ANY.RUN, the leading provider of interactive malware analysis and threat intelligence solutions, has revealed a new stealer malware exploiting customer support chat systems to infiltrate the fintech and cryptocurrency industries. Zhong Stealer deceives help desk agents by posing as frustrated customers and delivering weaponized attachments designed to steal credentials and exfiltrate sensitive data.

๐™๐ก๐จ๐ง๐  ๐’๐ญ๐ž๐š๐ฅ๐ž๐ซโ€™๐ฌ ๐€๐ญ๐ญ๐š๐œ๐ค ๐’๐ญ๐ซ๐š๐ญ๐ž๐ ๐ฒ: ๐„๐ฑ๐ฉ๐ฅ๐จ๐ข๐ญ๐ข๐ง๐  ๐’๐ฎ๐ฉ๐ฉ๐จ๐ซ๐ญ ๐๐ฅ๐š๐ญ๐Ÿ๐จ๐ซ๐ฆ๐ฌ ๐ญ๐จ ๐ˆ๐ง๐Ÿ๐ข๐ฅ๐ญ๐ซ๐š๐ญ๐ž ๐Ž๐ซ๐ ๐š๐ง๐ข๐ณ๐š๐ญ๐ข๐จ๐ง๐ฌ

The campaign, active from December 20-24, 2024, leveraged Zendesk and other support platforms, where attackers created fake tickets and pressured agents into opening malicious ZIP files. ANY.RUN's real-time malware analysis sandbox exposed Zhong's behavior, revealing its stealthy execution chain, data exfiltration tactics, and C2 infrastructure.

๐€๐๐˜.๐‘๐”๐โ€™๐ฌ ๐€๐ง๐š๐ฅ๐ฒ๐ฌ๐ข๐ฌ ๐‘๐ž๐ฏ๐ž๐š๐ฅ๐ฌ ๐™๐ก๐จ๐ง๐ โ€™๐ฌ ๐“๐š๐œ๐ญ๐ข๐œ๐ฌ

By running Zhong Stealer inside ANY.RUN's interactive sandbox, researchers observed:

ยท ๐—ฆ๐—ผ๐—ฐ๐—ถ๐—ฎ๐—น ๐—ฒ๐—ป๐—ด๐—ถ๐—ป๐—ฒ๐—ฒ๐—ฟ๐—ถ๐—ป๐—ด ๐—ฎ๐˜€ ๐˜๐—ต๐—ฒ ๐—ฎ๐˜๐˜๐—ฎ๐—ฐ๐—ธ ๐˜ƒ๐—ฒ๐—ฐ๐˜๐—ผ๐—ฟ - Fake support requests, written in broken Chinese, pressured help desk agents into opening infected attachments.

ยท ๐—”๐—ฑ๐˜ƒ๐—ฎ๐—ป๐—ฐ๐—ฒ๐—ฑ ๐—ฝ๐—ฒ๐—ฟ๐˜€๐—ถ๐˜€๐˜๐—ฒ๐—ป๐—ฐ๐—ฒ ๐˜๐—ฒ๐—ฐ๐—ต๐—ป๐—ถ๐—พ๐˜‚๐—ฒ๐˜€ - The malware modified Windows registry keys and leveraged scheduled tasks to maintain long-term access.

ยท ๐—–๐—ฟ๐—ฒ๐—ฑ๐—ฒ๐—ป๐˜๐—ถ๐—ฎ๐—น ๐—ต๐—ฎ๐—ฟ๐˜ƒ๐—ฒ๐˜€๐˜๐—ถ๐—ป๐—ด - Zhong targeted Brave, Edge, and Internet Explorer browsers, stealing saved passwords and user session data.

ยท ๐—›๐—ผ๐—ป๐—ด ๐—ž๐—ผ๐—ป๐—ด-๐—ฏ๐—ฎ๐˜€๐—ฒ๐—ฑ ๐—–๐Ÿฎ ๐—ฐ๐—ผ๐—บ๐—บ๐˜‚๐—ป๐—ถ๐—ฐ๐—ฎ๐˜๐—ถ๐—ผ๐—ป - Stolen credentials were exfiltrated over port 1131 to a command-and-control server hosted on Alibaba Cloud.

For a more detailed analysis of Zhong Stealer, including technical breakdowns and IOCs, visit the ANY.RUN blog.

๐€๐›๐จ๐ฎ๐ญ ๐€๐๐˜.๐‘๐”๐

ANY.RUN is a provider of interactive malware analysis and threat intelligence solutions, allowing cybersecurity professionals to analyze threats in real time, detect malicious activity, and respond proactively. With its cloud-based sandboxing environment, TI Lookup, and Safebrowsing, ANY.RUN delivers deep visibility into malware behavior, threat intelligence, and web-based risks. These tools help organizations track emerging threats, extract indicators of compromise (IOCs), investigate suspicious files and URLs, and enhance their security posture.

The ANY.RUN team
ANYRUN FZCO
+1 657-366-5050

