ZingoStealer: The new, free malware-as-a-service variant
On March 18, 2022, the Telegram public group published a post detailing the release of the latest version of their ZingoStealer malware, a data stealer targeting Windows devices. The group created a chat bot to field information requests, deliver more information and even enable downloads of ZingoStealer.
Later, the developer announced that cryptomining functionality was added to the stealer in order to maximize profits from its operations. In April of 2022, the developer reported that he was handing this project over to another threat actor in order to deal with personal problems. The chat bot was updated accordingly.
With ZingoStealer, the threat actor only provides access to the malware, logs and the stolen information. Individuals who want to use ZingoStealer must find their own way to get it onto victims’ machines.
The ZingoStealer sample is a PE32.NT application with a fake compilation timestamp. It has hidden strings, classes and function names. It also has a control flow obfuscation with many jump cases that simply calculate numbers, which are not used during execution.
Once executed, ZingoStealer connects to the remote server to download additional files.
These files are dropped in the same folder where the malware was originally executed. All downloaded files are .dll files. Additionally, ZingoStealer creates two subfolders where it drops the “SQLite.Interop.dll” file in x64 and x86 formats.
All downloaded files are legitimate libraries such as:
· SQLite.Interop.dll: SQLite library
· BouncyCastle.Crypto.dll: cryptographic library
· DotNetZip.dll: library for compressing files into an archive
· Newtwonsoft.JSON.dll: JSON framework for .NET
· Systems.Data.SQLite.dll: SQLite library
From there, it checks the local system time and begins to gather information.
ZingoStealer creates the folder “GinzoFolder” in the “C:\Users\User\AppData\Local” path and begins to collect information related to browsers, desktop files and folders, wallets and system data. It also takes a screenshot of the user’s monitor at the time of execution.
To extract browser information, ZingoStealer performs various requests to obtain data from cookies and login databases. These requests are different for each browser.
ZingoStealer includes classes with the right functions for interacting with SQL databases. These classes only work with previously downloaded libraries.
From there, it copies all folders and certain files from the desktop.
After obtaining the system information through the register, it saves it to the “System.txt” file.
Once all the information is collected, ZingoStealer compresses its folder into a .zip archive with the help of one of the downloaded .dll files.
After compressing the folder, ZingoStealer connects to the remote server and uploads the .zip archive file.
Finally, it drops one more file with a random number in its name and executes it. This file is a cryptominer.
ZingoStealer obfuscates sample strings, classes, and function names, but they can be repaired with the “de4dot” utility. This malware also obfuscates control flows with many jump cases, but these simply run various calculations, which are not used during the execution.
Detected by Acronis
ZingoStealer malware first appeared in March 2022, and was offered as free Windows data stealer. It can collect various information from browsers, wallets and users’ desktops. It also obtains system information from the registry and even takes a screenshot to document its activity. The original sample (where the infection starts) is an obfuscated .NET application that downloads and drops even more files, including a cryptominer.
ZingoStealer is a recent version of malware that shows how important it is to continue to use the most effective anti-malware solutions possible. In a world where cyberthreats are constantly evolving, these solutions must be capable of identifying even never-before-seen malware, so they can immediately shut it down before harm can be done to your protected systems or data.
Did you find this article valuable?
Support Cyber Aeronautycs Ltd. Blog by becoming a sponsor. Any amount is appreciated!