Zhong Stealer Malware exploits ZenDesk

Zhong Stealer is a newly identified malware that poses significant threats to the fintech and cryptocurrency sectors. Discovered during a phishing campaign between December 20 and 24, 2024, this sophisticated malware exploits customer support platforms like Zendesk to infiltrate organizations.

Emergence and Tactics

Target Audience

  • Primary Targets: The campaign primarily targets fintech and cryptocurrency sectors. The attackers exploit customer support platforms to distribute the malware.

Phishing Techniques

  • Fake Support Tickets: Attackers create fraudulent support tickets using newly registered accounts. These tickets contain poorly written messages in Chinese and ZIP file attachments claiming to contain screenshots or additional details.
  • Malicious Attachments: The ZIP files, named in Simplified or Traditional Chinese characters, conceal executable (.exe) files that launch the malware when the user opens them.
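The attachment pattern described above (a ZIP with CJK-named members hiding an .exe) is something a mail gateway or SOC triage script can check for before a ticket attachment ever reaches an agent. The following is an added example written for this post, not code from the original write-up or from any vendor; the extension list and the in-memory sample archive are constructed for illustration, and the sample "executable" is just an MZ header followed by zero bytes.

```python
import io
import unicodedata
import zipfile

# Extensions that should never arrive as a "screenshot" attachment
# (assumed policy list; extend to match local mail-filter rules).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll"}


def contains_cjk(name):
    """True if any character of `name` is a CJK ideograph (Simplified or Traditional)."""
    return any("CJK" in unicodedata.name(ch, "") for ch in name)


def recover_name(info):
    """zipfile decodes member names without the UTF-8 flag (bit 11) as cp437.
    Archives built on Chinese-locale Windows often store GBK bytes without that
    flag, so re-decode them; ASCII names pass through unchanged."""
    if info.flag_bits & 0x800:
        return info.filename
    try:
        return info.filename.encode("cp437").decode("gbk")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return info.filename


def triage_zip(data):
    """Inspect every member of a ZIP (bytes) and return a verdict plus per-member findings.
    A member is flagged on extension, on a double extension such as .png.exe, and on a
    PE 'MZ' header regardless of what the name claims."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = recover_name(info)
            lowered = name.lower()
            exec_ext = any(lowered.endswith(ext) for ext in EXECUTABLE_EXTS)
            with zf.open(info) as fh:
                head = fh.read(2)
            findings.append({
                "name": name,
                "executable_extension": exec_ext,
                "double_extension": exec_ext and lowered.count(".") >= 2,
                "pe_header": head == b"MZ",
                "cjk_name": contains_cjk(name),
            })
    verdict = "block" if any(f["executable_extension"] or f["pe_header"] for f in findings) else "allow"
    return {"verdict": verdict, "members": findings}


def build_sample_zip(malicious=True):
    """Constructed sample archive resembling the campaign's attachment. Not real malware:
    the 'executable' is an MZ header plus padding. With malicious=False it holds only text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if malicious:
            zf.writestr("截图.png.exe", b"MZ" + b"\x00" * 64)   # "screenshot" with a hidden .exe
        zf.writestr("说明.txt", b"please see attached")          # benign member
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        result = triage_zip(build_sample_zip(malicious=flag))
        print(result["verdict"], [m["name"] for m in result["members"]])
```

The MZ check matters more than the extension check: renaming the payload to `.png` does not change its first two bytes, while the GBK recovery keeps the CJK-name signal from being lost to mojibake when the archive was built without the UTF-8 flag.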

Infection Chain

Initial Infection

  • Compromised Websites: The attack begins with the creation of fraudulent support tickets by attackers using newly registered accounts. These tickets usually contain poorly written messages in Chinese and ZIP file attachments claiming to contain screenshots or details.
  • Malicious Executables: Once the ZIP file is opened, the executable inside is launched, initiating the malware infection process.

Persistence Mechanism

  • VBScript for Persistence: Zhong Stealer modifies Windows registry keys and schedules tasks via Task Scheduler, allowing it to run at startup even after system reboots.
  • Process Hollowing: The malware injects its main payload into a legitimate .NET process, such as “regsvcs.exe,” using a technique called process hollowing. This allows the malware to conceal its presence within a trusted process and sidestep detection.
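The persistence and hollowing steps above (Run-key or scheduled-task autostart, then a payload injected into regsvcs.exe) leave a correlatable trail in process-creation, registry and network telemetry. The script below is an added example for this post, not code from the original write-up: it correlates Sysmon-style events by process tree and raises an alert when several stages of that chain originate from one executable launched out of a user-writable path. The events are constructed (the SID, paths, task name and the 203.0.113.10 destination are placeholders), regasm.exe and installutil.exe are assumed additions to the host list, and the internal address ranges are an assumed site policy.

```python
import ipaddress
import re
from collections import defaultdict

# Where a phishing-delivered executable is usually run from (user-writable locations).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)
# Autostart registry locations seen in Sysmon EventID 13 TargetObject.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
# .NET utilities used as hollowing hosts; regsvcs.exe is named in the write-up,
# the other two are assumed additions covered by the same rule.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe"}
# Assumed internal address space; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

TEMP_EXE = r"C:\Users\alice\AppData\Local\Temp\7zO1234\截图.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"

# Constructed Sysmon-style events (not real telemetry). EventID 1 = process create,
# 13 = registry value set, 3 = network connection. Firefox events are benign noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "A", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": TEMP_EXE, "CommandLine": f'"{TEMP_EXE}"'},
    {"EventID": 13, "ProcessGuid": "A", "Image": TEMP_EXE,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"wscript.exe C:\Users\alice\AppData\Roaming\update.vbs"},
    {"EventID": 1, "ProcessGuid": "B", "ParentProcessGuid": "A", "ParentImage": TEMP_EXE,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc onlogon /tn Updater /tr "wscript.exe C:\Users\alice\AppData\Roaming\update.vbs"'},
    {"EventID": 1, "ProcessGuid": "C", "ParentProcessGuid": "A", "ParentImage": TEMP_EXE,
     "Image": REGSVCS, "CommandLine": REGSVCS},
    {"EventID": 3, "ProcessGuid": "C", "Image": REGSVCS,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "D", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": FIREFOX, "CommandLine": f'"{FIREFOX}"'},
    {"EventID": 3, "ProcessGuid": "D", "Image": FIREFOX,
     "DestinationIp": "198.51.100.5", "DestinationPort": 443},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(events, min_stages=3):
    """Attribute every event to the root of its process tree and score the chain stages
    seen under each root. Returns one alert per root with at least `min_stages` stages."""
    parent, image = {}, {}
    for ev in events:
        if ev["EventID"] == 1:
            image[ev["ProcessGuid"]] = ev["Image"]
            if "ParentProcessGuid" in ev:
                parent[ev["ProcessGuid"]] = ev["ParentProcessGuid"]

    def root_of(guid):
        while guid in parent:
            guid = parent[guid]
        return guid

    stages = defaultdict(set)
    for ev in events:
        root, eid = root_of(ev["ProcessGuid"]), ev["EventID"]
        if eid == 1:
            if USER_WRITABLE.search(ev["Image"]):
                stages[root].add("executable_in_user_writable_path")
            if basename(ev["Image"]) == "schtasks.exe" and "/create" in ev["CommandLine"].lower():
                stages[root].add("scheduled_task_created")
            if basename(ev["Image"]) in DOTNET_HOSTS and USER_WRITABLE.search(ev.get("ParentImage", "")):
                stages[root].add("dotnet_host_spawned_from_user_path")
        elif eid == 13 and RUN_KEY.search(ev["TargetObject"]):
            stages[root].add("run_key_persistence")
        elif eid == 3 and basename(ev["Image"]) in DOTNET_HOSTS and is_external(ev["DestinationIp"]):
            stages[root].add("dotnet_host_external_connection")

    return [{"root_image": image.get(root, root), "stages": sorted(found)}
            for root, found in stages.items() if len(found) >= min_stages]


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["root_image"], "->", ", ".join(alert["stages"]))
```

Scoring by process tree rather than by single event is the point: a scheduled task or a Run-key write on its own is routine, but the same temp-folder executable writing an autostart entry, spawning schtasks and then parenting a regsvcs.exe that talks to an external address is the chain this write-up describes, and requiring three stages keeps the browser noise from alerting.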

Keylogger Functionality

Data Collection

  • AppleScript and osascript: Zhong Stealer employs AppleScript and osascript to prompt the user to enter their system password, thereby gaining elevated privileges.
  • Sensitive Data Harvesting: The malware collects sensitive data, including browser cookies, cryptocurrency-related files, and Apple Notes. While locked notes in Apple Notes are end-to-end encrypted, any unlocked notes or those stored as plain files in the Desktop or Documents folders are vulnerable.

Data Exfiltration

Exfiltration Channels

  • Command-and-Control Server: The stolen data is exfiltrated to a command-and-control server hosted in Hong Kong. This server receives the harvested information, allowing the attackers to access and exploit the stolen data.

Indicators of Compromise (IoCs)

  • Suspicious Update Prompts: Be wary of unexpected software update prompts, especially if they appear while browsing the web.
  • Unusual Network Traffic: Monitor for unusual network traffic involving communication with the command-and-control server.
  • Executable Presence: Look out for the presence of executables like the malicious DMG file and scripts associated with Zhong Stealer.

Mitigation Measures

Immediate Actions

  • User Awareness and Training: Educate users about the dangers of fake update scams and the importance of verifying the authenticity of software updates.
  • Email Filtering: Implement advanced email filtering solutions to detect and block phishing emails with malicious attachments.
  • Antivirus and Endpoint Protection: Ensure that antivirus and endpoint protection solutions are up-to-date and capable of detecting and blocking malicious documents and executables.

Long-Term Strategies

  • Regular Security Audits: Conduct regular security audits and vulnerability assessments to identify and address potential weaknesses in the IT infrastructure.
  • Network Segmentation: Implement network segmentation to limit the spread of malware within the network and isolate critical systems.
  • Behavioral Analysis: Deploy behavioral analysis tools to monitor for unusual system behavior and network traffic patterns indicative of a compromise.
  • Incident Response Planning: Develop and maintain a comprehensive incident response plan to quickly and effectively respond to security incidents. Regularly test and update the plan to ensure readiness.

Final Thoughts

The Zhong Stealer malware campaign highlights the evolving tactics of cybercriminals and the increasing sophistication of phishing schemes. By leveraging fake browser updates and advanced evasion techniques, attackers have successfully deployed a persistent keylogger that captures sensitive information from macOS systems and exfiltrates it to remote servers. It is crucial for individuals and organizations to remain vigilant and implement robust cybersecurity measures to protect against such threats.
