A new malware threat has surfaced online, adding to the list of existing infostealers. Identified as “ZingoStealer,” the malware can not only steal data, but can also execute crypto thefts. Plus, this malware can also serve as a malware loader and cryptominer.
ZingoStealer Malware Appears As A Whole Malicious Package
Researchers from Cisco Talos have elaborated on a new infostealer malware “ZingoStealer” in a recent post.
As explained, ZingoStealer is a potent data stealer, aiming at victims’ information including banking details, credit card information, cryptocurrency wallets, and login credentials. Moreover, the malware also exhibits Monero-mining capabilities for which it abuses the target devices’ resources.
Regarding the malware, briefly, it is a .NET executable that retrieves .NET dependencies to achieve the core malware functionality according to the C&C commands. Once done, it stores the retrieved DLLs in the folder it resides in the target system. The malware then creates a directory structure to store the stolen data until forwarding it to the attacker.
For stealing the desired information, the malware scans all popular web browsers (to steal credentials and other browser-stored information) and device identifier details. Furthermore, it also scans the systems for accessing and stealing any existing account sessions for apps like Telegram and Discord. Besides, it scans the browser for crypto wallets and targets numerous cryptocurrencies.
In addition, ZingoStealer also infects the targeted systems with other malware, such as the Redline stealer. Explaining the use of this second stealer via backdoors, the researchers explained,
The malware author behind ZingoStealer assures ZingoStealer users that they do not access log data generated by ZingoStealer. However, by effectively backdooring ZingoStealer and using it to deliver RedLine Stealer, they can still take advantage of the infections achieved by ZingoStealer users. This allows them to let ZingoStealer users perform the heavy lifting in terms of malware distribution, antivirus evasion, and achieving successful infections, while they passively collect more comprehensive logs from the systems. This also allows them to monetize the infections of all ZingoStealer users simultaneously, maximizing profitability.
Moreover, ZingoStealer also delivers XMRig miners on the target devices to make money passively.
About The Malware Authors
The researchers traced back the malware’s link to the “Hasker’s Gang” that offered the infostealer for free to all its Telegram community members. This easy availability made ZingoStealer popular among criminal hackers.
The authors distribute this malware impersonating various utilities, like Adobe plugins or game modification utilities, promoted via YouTube.
During their study, the malware authors found the campaign presently aimed at Russian users, mainly home users.
However, it remains unclear if the malware authors wish to expand their victim base. The researchers also noticed an ownership transference move on Hasker’s Telegram channel. The authors even have put the ZingoStealer source code for sale for $500.
Let us know your thoughts in the comments.
