BlackBerry Blog

BlackBerry Prevents ZingoStealer

CYBERSECURITY / 06.22.22 / Hector Diaz

ZingoStealer is infostealer malware that uses the appeal of “free” software to attract both predators and prey. This infostealer was first spotted in March 2022 being distributed by the Russian threat group, “Haskers Gang.” A YouTube video, uploaded on March 4 by the Haskers Gang, presents the infostealer as free to the threat actor’s “members,” and distributed through the Ginzo Telegram channel. ZingoStealer targets Windows® systems. For $3, an alternate version of this threat is available that contains “ExoCrypt” crypter, to help it evade antivirus (AV) detection.

The offer to obtain the infostealer free of charge has led to a dramatic increase in its adoption. Home users seem to be the primary victim of this threat. ZingoStealer lures its victims with the promise of “free” software, as it disguises itself as an access point for “cracked” versions of popular videogames and programs.

Once ZingoStealer gains access to a system, it steals sensitive user data such as login credentials and cryptocurrency. This information is exfiltrated to the command-and-control (C2) server and used by the attackers for financial gain. Other threat actors who adopt this infostealer may also be getting “ripped off” by the free offer, as the original authors of ZingoStealer retain access to all data stolen by their clients and could profit from it before their clientele does.

ZingoStealer is potentially more dangerous than many of its fellow infostealers because it can deliver additional malicious payloads to victims’ machines. For example, the threat has been observed dropping cryptominers such as XMRig and additional infostealers such as RedLine.

See how BlackBerry prevents ZingoStealer attacks in our latest demo video, which shows BlackBerry® products going head-to-head with a live sample of ZingoStealer.

DEMO VIDEO: BlackBerry vs. ZingoStealer

Learn more about ZingoStealer in our deep dive blog: Threat Thursday: ZingoStealer – The Cost of “Free”

Figure 1 – CylanceOPTICS conducts a root cause analysis to track ZingoStealer within the system, providing real-time prevention and detection information.

Figure 2 – CylancePROTECT prevents ZingoStealer from running within milliseconds, stopping the attack before it occurs.

BlackBerry Protects Against ZingoStealer

CylancePROTECT® provides automated malware prevention, application and script control, memory protection, and device policy enforcement. CylanceOPTICS® extends the threat protection by using artificial intelligence (AI) to prevent security incidents. It provides true AI incident prevention, root cause analysis, smart threat hunting, and automated detection and response capabilities.

BlackBerry Assistance

Regardless of your current BlackBerry relationship, the BlackBerry Incident Response team can work with organizations of any size and across any vertical, to evaluate and enhance their endpoint security posture and proactively maintain the security, integrity, and resilience of their network infrastructure.

For emergency assistance, please email us at DLIR@blackberry.com, or use our handraiser form.

Video Transcription

In this video, we are going to explore ZingoStealer, an infostealer that targets sensitive user data such as login credentials and cryptocurrencies, but also downloads other malicious payloads like cryptominers. To conduct this test, we’ve configured our system in Audit-Only mode.

Upon execution, ZingoStealer unpacks files that may be hidden from the regular user. It then executes a second file, which immediately runs instructions via the command line; we can see this in much more detail by conducting a root cause analysis in CylanceOPTICS.

We can see that it executes an obfuscated PowerShell script and many other instructions via the command line, affecting the system and establishing persistence. It also makes multiple modifications to system policies, performs process enumeration, and more. ZingoStealer initially injects as an updater.exe, and here we can see how many iterations of command shells were launched to steal information from the victim.
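The transcript lists behaviours an analyst can turn into detection rules: a dropped second-stage binary launching shell commands, an obfuscated (Base64-encoded) PowerShell script, and a persistence entry. The following is an added example, not code from the blog or from BlackBerry's products, showing how those three behaviours can be flagged in process-creation telemetry. The event shape, the `updater.exe` drop path, the Run-key command and the encoded script are all constructed sample values for the demonstration, not indicators taken from a real ZingoStealer sample.

```python
"""Detection rules over constructed process-creation events (added example).

Flags three behaviours from the transcript: a shell or PowerShell spawned by a
parent living in a user-writable drop location, a Base64-encoded PowerShell
command (decoded so analysts see the real script), and a Run-key persistence
entry written with reg.exe. All sample events below are constructed.
"""
import base64
import binascii
import ntpath
import re

# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# reg add ... \CurrentVersion\Run (HKCU or HKLM)
RUN_KEY = re.compile(r"\breg(?:\.exe)?\s+add\s+.*\\CurrentVersion\\Run\b", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\")


def encode_ps(script: str) -> str:
    """PowerShell's -EncodedCommand takes Base64 of the UTF-16LE script.
    Used here only to build a constructed sample event."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_ps(blob: str):
    """Reverse of encode_ps; returns None when the blob is not valid Base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


# Constructed, benign script standing in for the obfuscated one in the transcript.
SAMPLE_SCRIPT = "Get-Process | Out-File $env:TEMP\\procs.txt"

# Constructed events, reduced to the fields the rules need (pid, parent, image, cmd).
SAMPLE_EVENTS = [
    {"pid": 4100, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\victim\Downloads\free_crack.exe",
     "cmd": r'"C:\Users\victim\Downloads\free_crack.exe"'},
    {"pid": 4132, "parent": r"C:\Users\victim\Downloads\free_crack.exe",
     "image": r"C:\Users\victim\AppData\Local\Temp\updater.exe",
     "cmd": r'"C:\Users\victim\AppData\Local\Temp\updater.exe"'},
    {"pid": 4150, "parent": r"C:\Users\victim\AppData\Local\Temp\updater.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
            r'/v upd /t REG_SZ /d "C:\Users\victim\AppData\Local\Temp\updater.exe" /f'},
    {"pid": 4170, "parent": r"C:\Users\victim\AppData\Local\Temp\updater.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_ps(SAMPLE_SCRIPT)},
    {"pid": 4200, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
]


def analyze(events):
    """Return one finding per matched rule as (pid, rule_name, detail)."""
    findings = []
    for ev in events:
        image = ntpath.basename(ev["image"]).lower()
        parent = ev["parent"].lower()
        cmd = ev["cmd"]

        # Rule 1: shell/PowerShell whose parent was dropped into a user-writable location.
        if image in SHELLS and any(p in parent for p in USER_WRITABLE):
            findings.append((ev["pid"], "shell_from_user_writable_parent", ntpath.basename(parent)))

        # Rule 2: encoded PowerShell; surface the decoded script for triage.
        if image in ("powershell.exe", "pwsh.exe"):
            m = ENCODED_FLAG.search(cmd)
            if m:
                decoded = decode_ps(m.group(1))
                findings.append((ev["pid"], "encoded_powershell", decoded or "<undecodable payload>"))

        # Rule 3: Run-key persistence written through reg.exe.
        if RUN_KEY.search(cmd):
            findings.append((ev["pid"], "run_key_persistence", cmd))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"pid={pid} rule={rule} detail={detail}")
```

Run on the constructed events, the two processes spawned by the dropped `updater.exe` each produce findings, while the benign `notepad.exe` and the initial lure process do not; the decoded PowerShell string is what an analyst would pivot on when the real command is obfuscated.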

ZingoStealer attacks can be entirely prevented by using AI-based endpoint security. The CylancePROTECT temporal predictive advantage could have stopped this threat almost seven years before its creation. If we copy this file on our system, and we try to execute it, you can see that ZingoStealer is prevented from running in milliseconds.

Prevention is possible, with BlackBerry.


About Hector Diaz

Senior Technical Marketing Manager at BlackBerry

Hector Diaz is a Senior Technical Marketing Manager for Latin America and the Caribbean at BlackBerry. Hector works with Engineering and Product Management to translate technology concepts into digestible pieces, evangelizing and educating people about Artificial Intelligence (AI) applied to cybersecurity.

With over 15 years of experience in cybersecurity, Hector is a respected professional who is in-demand at trade shows, partner training and customer engagements across Latin America and the Caribbean Region.