Zhone Stealer, a new threat to the crypto and fintech industry

March 17, 2025

Zhone Stealer is a newly emerging malware that poses a massive threat to the financial technology and cryptocurrency industries.

Researchers uncovered the infostealer during a phishing campaign in December last year. The campaign abuses customer support platforms such as Zendesk to get the malware inside organisations.

The researchers also noted that the attackers pose as customers, leveraging social engineering tactics to deceive support agents into downloading malicious files.


The Zhone Stealer malware campaign starts by exploiting Zendesk.


The Zhone Stealer attack begins with the attackers creating bogus support tickets from newly registered accounts. These tickets sometimes contain poorly written Chinese text and ZIP attachments that purport to hold screenshots or other supporting information.

The ZIP files, named in Simplified or Traditional Chinese characters, contain executable (.exe) files that launch the malware when opened. Once running, Zhong Stealer connects to a Hong Kong-based command-and-control (C2) server.

The malware is signed with a stolen digital certificate that has since been revoked, and it downloads further components, including a downloader disguised as a legitimate BitDefender Security updater. This disguise helps the malware slip past initial detection.

Zhong Stealer uses several techniques to establish persistence on infected machines. It modifies Windows registry keys and creates scheduled tasks with Task Scheduler so that it runs at startup, even after the machine reboots.

It also suppresses security event logging to hinder discovery during forensic investigation.

The malware performs reconnaissance by collecting system information such as language settings, hostnames and proxy configuration. It also enumerates browser extensions and saved credentials from popular browsers such as Brave and Edge/Internet Explorer.

Once sensitive data has been gathered, Zhong Stealer sends it to its C2 server over non-standard network ports such as port 1131, which complicates detection.
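The persistence and exfiltration behaviours described above lend themselves to a simple host-level correlation rule. The following is an added example, not code from the article or from the researchers; it scores constructed Sysmon-style events (registry Run key writes, schtasks /create invocations, outbound connections to non-standard ports such as 1131) and only flags a host when persistence and unusual egress occur together, so a lone legitimate scheduled task is not enough to trigger an alert. The event field names and the sample data are assumptions made for this example.

```python
from collections import defaultdict

# Registry paths where the article says the malware establishes persistence.
RUN_KEY_MARKERS = ("\\currentversion\\run", "\\schedule\\taskcache\\tree")
# Ports we treat as ordinary egress; anything else is scored as non-standard.
STANDARD_PORTS = {22, 25, 53, 80, 123, 139, 443, 445, 587, 993, 995, 3389, 8080, 8443}


def score_event(event):
    """Return (tag, weight) if the event matches a described behaviour, else None."""
    kind = event.get("type")
    if kind == "registry_set":
        key = event.get("key", "").lower()
        if any(marker in key for marker in RUN_KEY_MARKERS):
            return ("persistence_registry", 3)
    elif kind == "process_create":
        image = event.get("image", "").lower()
        cmdline = event.get("cmdline", "").lower()
        if image.endswith("\\schtasks.exe") and "/create" in cmdline:
            return ("persistence_schtasks", 3)
    elif kind == "network_connect":
        port = int(event.get("dst_port", 0))
        if event.get("direction") == "outbound" and port not in STANDARD_PORTS:
            return ("nonstandard_egress", 2)
    return None


def flag_hosts(events, threshold=5):
    """Sum per-host scores; return {host: sorted tags} for hosts at or above threshold."""
    totals, tags = defaultdict(int), defaultdict(set)
    for ev in events:
        hit = score_event(ev)
        if hit:
            tags[ev["host"]].add(hit[0])
            totals[ev["host"]] += hit[1]
    return {h: sorted(tags[h]) for h, total in totals.items() if total >= threshold}


# Constructed sample events (TEST-NET addresses, invented hostnames and paths).
SAMPLE_EVENTS = [
    {"host": "ws-01", "type": "registry_set",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\screenshot.exe"},
    {"host": "ws-01", "type": "network_connect", "direction": "outbound",
     "dst_ip": "203.0.113.5", "dst_port": 1131},
    {"host": "ws-02", "type": "network_connect", "direction": "outbound",
     "dst_ip": "198.51.100.7", "dst_port": 443},
    {"host": "ws-02", "type": "process_create", "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /create /tn Backup /tr backup.exe /sc onlogon"},
]

if __name__ == "__main__":
    print(flag_hosts(SAMPLE_EVENTS))  # ws-01 is flagged; ws-02 is not
```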

The Zhong Stealer campaign demonstrates the increasing sophistication of cyber attacks against finance and cryptocurrency organisations.

By exploiting human vulnerabilities via customer service systems, attackers circumvent established security procedures.

The malware’s ability to harvest credentials and sensitive data significantly threatens enterprises handling financial transactions and digital assets.

The Zhong Stealer incident emphasises the importance of cybersecurity awareness in the finance and cryptocurrency sectors. Combining technical security and personnel training can help organisations reduce the risks posed by emerging malware campaigns such as this one.
