A sophisticated malware campaign leveraging social engineering tactics has targeted financial technology and cryptocurrency platforms between December 20–24, 2024.
Dubbed Zhong Stealer, this previously undocumented threat employed compromised AnyDesk installations and phishing lures to infiltrate systems, stealing credentials and establishing persistent access.
The campaign represents a significant escalation in attacks against high-value financial sectors, combining technical sophistication with psychological manipulation.
The attackers exploited customer support channels, particularly Zendesk, to submit fabricated support tickets from newly created accounts.
Posing as Chinese-speaking users seeking assistance, they attached ZIP archives containing malicious executables disguised as image files (图片_20241224.exe).
Analysts at Any.run noted that support agents who extracted these archives unknowingly executed the malware, initiating a multi-stage attack chain.
Zhong Stealer’s Four-Stage Attack Methodology
Upon execution, Zhong Stealer contacted a command-and-control (C2) server hosted on Alibaba Cloud in Hong Kong (156.245.23.188:1131).
The malware downloaded an encrypted inventory file (uu.txt) containing URLs for secondary payloads:
hxxps://kkuu.oss-cn-hongkong.aliyuncs[.]com/ss/down.exe
hxxps://kkuu.oss-cn-hongkong.aliyuncs[.]com/ss/TASLoginBase.dII
These components were signed with a certificate stolen from Morning Leap & Cazo Electronics Technology and falsely attributed to BitDefender to evade detection.
The malware created a batch file with a randomized four-digit name (4948.bat) in the %TEMP% directory, which ran system utilities to hide its activity:
Conhost.exe /detach /forceV1
Attrib.exe -h -r "C:\Users\admin\efb86bf7-1100-400c-ad4d-828b8dce7be0@27\down.exe"
It then added a registry entry for persistence:
[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN]
"DOWN"="C:\Users\admin\efb86bf7-1100-400c-ad4d-828b8dce7be0@27\down.exe"
A scheduled task created with schtasks.exe provided a redundant way to run again after a reboot.
Zhong Stealer targeted browser data across Brave, Edge, and Chrome, extracting:
- Saved credentials via Login Data SQLite databases
- Session cookies from Cookies files
- Extension configurations (Local Extension Settings)
It specifically searched for cryptocurrency wallet extensions such as MetaMask, enumerating directories like:
C:\Users\admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjh
Stolen data was transmitted to the C2 server over TCP port 1131 on AES-encrypted channels. Network analysis revealed exfiltration patterns matching MITRE ATT&CK technique T1571 (Non-Standard Port).
Experts recommend that organizations:
- Block outbound connections to Alibaba Cloud IP ranges on non-standard ports
- Deploy YARA rules detecting Zhong’s SHA256 hashes (02244934046333f45bc22abe6185e6ddda033342836062afb681i827f)
- Monitor registry modifications to RUN keys and unexpected Conhost.exe executions
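To make the monitoring advice concrete, here is an added example (not from the article or from Any.run) that runs the registry-Run-key and Conhost.exe checks above, plus an Attrib.exe check and the port-1131 egress pattern, over constructed Sysmon-style event records. The event shape and the SAMPLE_EVENTS values are assumptions built from the paths, commands and port quoted in the article.

```python
import re

# Constructed sample telemetry in a Sysmon-like shape (not real log data); the
# first four records mirror the behaviour reported above, the rest are benign noise.
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": "Conhost.exe /detach /forceV1",
     "parent_cmdline": r'cmd.exe /c "C:\Users\admin\AppData\Local\Temp\4948.bat"'},
    {"kind": "process", "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r'Attrib.exe -h -r "C:\Users\admin\efb86bf7-1100-400c-ad4d-828b8dce7be0@27\down.exe"',
     "parent_cmdline": r'cmd.exe /c "C:\Users\admin\AppData\Local\Temp\4948.bat"'},
    {"kind": "registry", "key": r"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
     "value": "DOWN", "data": r"C:\Users\admin\efb86bf7-1100-400c-ad4d-828b8dce7be0@27\down.exe"},
    {"kind": "network", "dst_port": 1131,
     "image": r"C:\Users\admin\efb86bf7-1100-400c-ad4d-828b8dce7be0@27\down.exe"},
    {"kind": "process", "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"\??\C:\Windows\system32\conhost.exe 0x4", "parent_cmdline": "cmd.exe"},
    {"kind": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"kind": "network", "dst_port": 443, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
]

# An .exe living under a user profile rather than Program Files or Windows. In production
# this needs an allow-list for legitimate per-user installers (Teams, Discord, updaters).
USER_PROFILE_EXE = re.compile(r"c:\\users\\[^\\]+\\.*?\.exe\b", re.I)
TEMP_BATCH = re.compile(r"\\temp\\\d{4}\.bat\b", re.I)  # 4-digit stager .bat in %TEMP%

def conhost_detach_from_temp_batch(ev):
    return (ev["kind"] == "process" and ev["image"].lower().endswith(r"\conhost.exe")
            and "/detach" in ev["cmdline"].lower()
            and TEMP_BATCH.search(ev.get("parent_cmdline", "")) is not None)

def attrib_on_user_profile_exe(ev):
    return (ev["kind"] == "process" and ev["image"].lower().endswith(r"\attrib.exe")
            and re.search(r"\s[-+]h\b", ev["cmdline"]) is not None
            and USER_PROFILE_EXE.search(ev["cmdline"]) is not None)

def run_key_to_user_profile_exe(ev):
    return (ev["kind"] == "registry" and ev["key"].upper().endswith(r"\CURRENTVERSION\RUN")
            and USER_PROFILE_EXE.search(ev["data"]) is not None)

def user_profile_exe_to_port_1131(ev):
    return (ev["kind"] == "network" and ev["dst_port"] == 1131
            and USER_PROFILE_EXE.search(ev["image"]) is not None)

RULES = [conhost_detach_from_temp_batch, attrib_on_user_profile_exe,
         run_key_to_user_profile_exe, user_profile_exe_to_port_1131]

def hunt(events):  # names of the rules that fire, in event order
    return [rule.__name__ for ev in events for rule in RULES if rule(ev)]
```

Running `hunt(SAMPLE_EVENTS)` flags the four article-derived records and nothing for the benign OneDrive, Firefox and normal conhost entries; each rule is deliberately narrow enough to be tuned with an allow-list rather than by disabling it.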
The combination of stolen code-signing certificates, regionalized phishing lures, and cloud-based C2 infrastructure makes Zhong Stealer a persistent threat to financial institutions.
Proactive sandbox analysis of support ticket attachments, coupled with strict application allowlisting, remains critical to mitigating risk.
Indicators of Compromise (IOCs)
| Type | Value |
|---|---|
| C2 IP | 156.245.23.188, 47.79.64.228 |
| URL | hxxps://kkuu.oss-cn-hongkong.aliyuncs[.]com/ss/down.exe |
| SHA256 | e46779869c6797b294cb097f47027a5c52466fd11112b6ccd52c5b8cd |
| Registry Key | HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN |