Haskers Gang distributes ZingoStealer, an information-stealing malware, to other cybercriminals for free. The malware lets any hacking group that picks it up use it for malicious purposes.
According to Cisco Talos researchers Edmund Brumaghin and Vanja Svajcer “It features the ability to steal sensitive information from victims and can download additional malware to infected systems. In many cases, this includes the RedLine Stealer and an XMRig-based cryptocurrency mining malware that is internally referred to as ‘ZingoMiner.'”
On Thursday, Haskers Gang announced that ownership of the ZingoStealer project was changing hands to a new threat actor, and that the group was offering to sell the source code for a negotiable price of $500.
Haskers Gang has been active since at least January 2020, while ZingoStealer, since its inception last month, has been under consistent development. It has specifically targeted Russian-speaking victims by being packaged as game cheats and pirated software.
The malware harvests sensitive information, including credentials and cryptocurrency wallet data, and mines cryptocurrency on victims' systems. Telegram is used both as an exfiltration channel and as a platform for distributing updates to the malware.
For $3, affiliates can have the binary wrapped in a custom crypter called ExoCrypt, letting it evade antivirus defenses without relying on a third-party crypter.
According to the researchers, by incorporating the XMRig cryptocurrency mining software into the stealer, the malware author further monetizes the operation by using the systems infected by affiliates to generate Monero.
The campaigns delivering the malware present it as a game modification utility or a software crack. The threat actors post YouTube videos advertising the tool's features, and the video descriptions include a link to an archive file hosted on Google Drive or Mega that contains the ZingoStealer payload.
Cisco Talos also found the executables hosted on the Discord CDN, which raises the likelihood of the info stealer being spread within gaming-related Discord servers. At the time of writing, ZingoStealer is a .NET binary that collects system metadata and data stored by web browsers such as Google Chrome, Mozilla Firefox, Opera, and Opera GX. It can also siphon details from cryptocurrency wallets.
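The two behaviours described above, an archive or executable pulled from a file-sharing host such as the Discord CDN, Google Drive or Mega, followed by an unknown process talking to the Telegram Bot API, are visible in ordinary proxy logs. The following detection sketch is an added example and not Talos code or anything from the ZingoStealer tooling; it runs over a constructed log format ("timestamp host process method url"), assumes the public hostnames of the named services, and the file extensions and the browser allow-list are my own choices, not indicators from the report.

```python
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Public hostnames for the services the article names (assumed to be the ones
# worth watching; a real deployment would load these from a threat-intel feed).
FILE_SHARING_HOSTS = {"cdn.discordapp.com", "drive.google.com", "mega.nz"}
TELEGRAM_BOT_API = "api.telegram.org"
# Extensions a "game cheat" or "crack" archive typically arrives with (my choice).
PAYLOAD_EXTENSIONS = (".zip", ".rar", ".7z", ".exe")
# Processes permitted to reach the Telegram Bot API on this network (assumption).
TELEGRAM_ALLOWED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "opera.exe"}


@dataclass
class ProxyEvent:
    ts: str
    host: str       # workstation name
    process: str    # image name reported by the endpoint agent
    method: str
    dest: str       # destination hostname
    path: str


def parse_line(line: str) -> ProxyEvent:
    """Parse one constructed proxy line: '<ts> <host> <process> <method> <url>'."""
    ts, host, process, method, url = line.split(None, 4)
    parsed = urlparse(url.strip())
    return ProxyEvent(ts, host, process, method, parsed.hostname or "", parsed.path)


def classify(ev: ProxyEvent) -> list[tuple[str, str]]:
    """Return (tag, detail) findings for a single event."""
    findings = []
    # Leg 1: an archive or executable fetched from a file-sharing host.
    if ev.dest in FILE_SHARING_HOSTS and ev.path.lower().endswith(PAYLOAD_EXTENSIONS):
        findings.append(("payload_from_file_sharing", f"{ev.dest}{ev.path}"))
    # Leg 2: a Telegram Bot API call (paths start with /bot<token>/<method>)
    # from a process that is not a browser. A stealer posting its loot looks
    # like an unknown binary calling sendDocument.
    if (ev.dest == TELEGRAM_BOT_API and ev.path.startswith("/bot")
            and ev.process.lower() not in TELEGRAM_ALLOWED_PROCESSES):
        findings.append(("telegram_bot_api_from_unknown_process", ev.process))
    return findings


def analyze(lines) -> dict:
    """Group findings per workstation; rate 'high' when both legs are present."""
    per_host = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        for tag, detail in classify(ev):
            per_host[ev.host].append((ev.ts, tag, detail))
    alerts = {}
    for host, items in per_host.items():
        tags = {tag for _, tag, _ in items}
        both = {"payload_from_file_sharing", "telegram_bot_api_from_unknown_process"} <= tags
        alerts[host] = {"severity": "high" if both else "medium", "events": items}
    return alerts


# Constructed sample log (not real traffic): ws-17 shows the full chain,
# ws-22 only browses Drive's web UI, ws-30 runs an in-house notification bot.
SAMPLE_LOG = """\
2022-04-14T10:01:02Z ws-17 chrome.exe GET https://www.youtube.com/watch?v=example
2022-04-14T10:01:40Z ws-17 chrome.exe GET https://cdn.discordapp.com/attachments/1/2/Cheat_Menu.rar
2022-04-14T10:03:15Z ws-17 Cheat_Menu.exe POST https://api.telegram.org/botTOKEN/sendDocument
2022-04-14T10:05:00Z ws-22 msedge.exe GET https://drive.google.com/file/d/abc/view
2022-04-14T10:06:00Z ws-30 monitor.py POST https://api.telegram.org/botTOKEN/sendMessage
"""

if __name__ == "__main__":
    for host, alert in analyze(SAMPLE_LOG.splitlines()).items():
        print(host, alert["severity"])
        for ts, tag, detail in alert["events"]:
            print("   ", ts, tag, detail)
```

The path-extension check is deliberately naive: download endpoints on some of these services (Google Drive's, for instance) do not carry the file name in the URL path, so a production rule should key on the proxy's Content-Disposition or MIME fields instead. The Telegram leg alone is only "medium" because legitimate internal bots use the same API; correlating it with the download on the same host is what lifts the confidence.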
The malware can also deploy secondary payloads at the attacker's discretion. These include RedLine Stealer, a feature-rich information stealer that plunders data from various applications, browsers, cryptocurrency wallets and browser extensions. This follow-on monetization is likely why ZingoStealer's authors offer it for free.
The researchers finally said, “Users should be aware of the threats posed by these types of applications and should ensure that they are only executing applications distributed via legitimate mechanisms.”