DUBAI, DUBAI, UNITED ARAB EMIRATES, February 18, 2025 /EINPresswire.com/ -- ANY.RUN, the leading provider of interactive malware analysis and threat intelligence solutions, has revealed a new stealer malware exploiting customer support chat systems to infiltrate the fintech and cryptocurrency industries. Zhong Stealer deceives help desk agents by posing as frustrated customers and delivering weaponized attachments designed to steal credentials and exfiltrate sensitive data.

𝐙𝐡𝐨𝐧𝐠 𝐒𝐭𝐞𝐚𝐥𝐞𝐫’𝐬 𝐀𝐭𝐭𝐚𝐜𝐤 𝐒𝐭𝐫𝐚𝐭𝐞𝐠𝐲: 𝐄𝐱𝐩𝐥𝐨𝐢𝐭𝐢𝐧𝐠 𝐒𝐮𝐩𝐩𝐨𝐫𝐭 𝐏𝐥𝐚𝐭𝐟𝐨𝐫𝐦𝐬 𝐭𝐨 𝐈𝐧𝐟𝐢𝐥𝐭𝐫𝐚𝐭𝐞 𝐎𝐫𝐠𝐚𝐧𝐢𝐳𝐚𝐭𝐢𝐨𝐧𝐬
The campaign, active from December 20-24, 2024, leveraged Zendesk and other support platforms, where attackers created fake tickets and pressured agents into opening malicious ZIP files. ANY.RUN’s real-time malware analysis sandbox exposed Zhong’s behavior, revealing its stealthy execution chain, data exfiltration tactics, and C2 infrastructure.
𝐀𝐍𝐘.𝐑𝐔𝐍’𝐬 𝐀𝐧𝐚𝐥𝐲𝐬𝐢𝐬 𝐑𝐞𝐯𝐞𝐚𝐥𝐬 𝐙𝐡𝐨𝐧𝐠’𝐬 𝐓𝐚𝐜𝐭𝐢𝐜𝐬
By running Zhong Stealer inside ANY.RUN’s interactive sandbox, researchers observed:
· 𝗦𝗼𝗰𝗶𝗮𝗹 𝗲𝗻𝗴𝗶𝗻𝗲𝗲𝗿𝗶𝗻𝗴 𝗮𝘀 𝘁𝗵𝗲 𝗮𝘁𝘁𝗮𝗰𝗸 𝘃𝗲𝗰𝘁𝗼𝗿 - Fake support requests, written in broken Chinese, pressured help desk agents into opening infected attachments.
· 𝗔𝗱𝘃𝗮𝗻𝗰𝗲𝗱 𝗽𝗲𝗿𝘀𝗶𝘀𝘁𝗲𝗻𝗰𝗲 𝘁𝗲𝗰𝗵𝗻𝗶𝗾𝘂𝗲𝘀 - The malware modified Windows registry keys and leveraged scheduled tasks to maintain long-term access.
· 𝗖𝗿𝗲𝗱𝗲𝗻𝘁𝗶𝗮𝗹 𝗵𝗮𝗿𝘃𝗲𝘀𝘁𝗶𝗻𝗴 - Zhong targeted Brave, Edge, and Internet Explorer browsers, stealing saved passwords and user session data.
· 𝗛𝗼𝗻𝗴 𝗞𝗼𝗻𝗴-𝗯𝗮𝘀𝗲𝗱 𝗖𝟮 𝗰𝗼𝗺𝗺𝘂𝗻𝗶𝗰𝗮𝘁𝗶𝗼𝗻 - Stolen credentials were exfiltrated over port 1131 to a command-and-control server hosted on Alibaba Cloud.
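The four behaviours listed above are what a help-desk endpoint would actually show a defender: a process spawned from a downloaded attachment that writes a Run key or creates a scheduled task, reads browser credential stores, and then opens an outbound connection on port 1131. The script below is an added example, not ANY.RUN's code and not taken from its report, showing how a SOC might correlate those signals in endpoint telemetry so that no single weak indicator (port 1131 on its own is common enough to be noise) fires an alert by itself. The event field names, the Sysmon-like event types, the browser credential-store paths, the two-category threshold and every sample event (hosts, paths, the 203.0.113.10 placeholder address) are assumptions constructed for the example.

```python
"""Correlate endpoint telemetry for the Zhong Stealer behaviours named in the
release: outbound connections on port 1131, persistence via Run keys and
scheduled tasks, and reads of Brave/Edge/Internet Explorer credential stores.

Added example, not ANY.RUN code. Event shape and field names are assumptions
loosely modelled on Sysmon; SAMPLE_EVENTS are constructed, not real telemetry.
"""
import re
from collections import defaultdict

C2_PORT = 1131  # from the release; on its own a weak signal, so never sufficient alone

# Chromium-based Edge and Brave keep saved logins in "Login Data"; IE autocomplete
# passwords live under IntelliForms\Storage2. Well-known locations, not from the release.
CRED_STORE_PATTERNS = [
    re.compile(r"\\(Microsoft\\Edge|BraveSoftware\\Brave-Browser)\\User Data\\.*\\Login Data$", re.I),
    re.compile(r"\\Internet Explorer\\IntelliForms\\Storage2", re.I),
]
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
SCHTASKS_CREATE = re.compile(r"^\"?(.*\\)?schtasks(\.exe)?\"?\s+.*/create\b", re.I)
BROWSERS = {"msedge.exe", "brave.exe", "iexplore.exe"}  # a browser reading its own store is normal

# Constructed sample events. "process" is the process held responsible for the event
# (for the schtasks launch that is the parent, i.e. the attachment payload).
MALWARE = r"C:\Users\agent\Downloads\ticket\attachment.exe"
SAMPLE_EVENTS = [
    {"host": "helpdesk-07", "process": MALWARE, "event": "ProcessCreate",
     "command": r"schtasks /create /sc onlogon /tn Updater /tr C:\Users\agent\AppData\Roaming\updater.exe"},
    {"host": "helpdesk-07", "process": MALWARE, "event": "RegistryValueSet",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "helpdesk-07", "process": MALWARE, "event": "FileAccess",
     "target": r"C:\Users\agent\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Login Data"},
    {"host": "helpdesk-07", "process": MALWARE, "event": "RegistryRead",
     "target": r"HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2"},
    {"host": "helpdesk-07", "process": MALWARE, "event": "NetworkConnect",
     "initiated": True, "dst_ip": "203.0.113.10", "dst_port": 1131},
    # Benign: Edge reading its own password store.
    {"host": "helpdesk-07", "process": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "event": "FileAccess",
     "target": r"C:\Users\agent\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    # Benign-looking: a vendor agent that happens to use port 1131, with nothing else.
    {"host": "ws-12", "process": r"C:\Program Files\Vendor\agent.exe", "event": "NetworkConnect",
     "initiated": True, "dst_ip": "203.0.113.20", "dst_port": 1131},
]


def classify(ev):
    """Return the indicator category an event matches, or None."""
    kind = ev["event"]
    if kind == "NetworkConnect" and ev.get("initiated") and ev.get("dst_port") == C2_PORT:
        return "c2_port"
    if kind == "ProcessCreate" and SCHTASKS_CREATE.search(ev.get("command", "")):
        return "persistence"
    if kind == "RegistryValueSet" and RUN_KEY.search(ev.get("target", "")):
        return "persistence"
    if kind in ("FileAccess", "RegistryRead"):
        owner = ev["process"].rsplit("\\", 1)[-1].lower()
        if owner not in BROWSERS and any(p.search(ev.get("target", "")) for p in CRED_STORE_PATTERNS):
            return "credential_store"
    return None


def correlate(events, min_categories=2):
    """Group indicators per (host, process); alert only when at least
    min_categories distinct categories are seen for the same process."""
    seen = defaultdict(set)
    for ev in events:
        cat = classify(ev)
        if cat:
            seen[(ev["host"], ev["process"])].add(cat)
    return {key: sorted(cats) for key, cats in seen.items() if len(cats) >= min_categories}


if __name__ == "__main__":
    for (host, proc), cats in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {proc} matched {', '.join(cats)}")
```

Run as-is, the only alert is for the attachment payload on helpdesk-07, which hits all three categories; the browser reading its own store and the lone port-1131 connection on ws-12 stay silent. The threshold is the tunable part: lowering it to one category turns port 1131 into a standalone hunt query, which is only sensible once the C2 addresses from ANY.RUN's IOC list are added as a second condition.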
For a more detailed analysis of Zhong Stealer, including technical breakdowns and IOCs, visit the ANY.RUN blog.
𝐀𝐛𝐨𝐮𝐭 𝐀𝐍𝐘.𝐑𝐔𝐍
ANY.RUN is a provider of interactive malware analysis and threat intelligence solutions, allowing cybersecurity professionals to analyze threats in real time, detect malicious activity, and respond proactively. With its cloud-based sandboxing environment, TI Lookup, and Safebrowsing, ANY.RUN delivers deep visibility into malware behavior, threat intelligence, and web-based risks. These tools help organizations track emerging threats, extract indicators of compromise (IOCs), investigate suspicious files and URLs, and enhance their security posture.