Haskers Gang, a crimeware-related threat actor, has distributed ZingoStealer, an information-stealing malware, for free on the internet, allowing other criminal groups to use it for nefarious purposes.
In a study posted with The Hacker News, Cisco Talos researchers Edmund Brumaghin and Vanja Svajcer noted, “It features the capacity to collect personal information from users and can download further malware to afflicted devices.”
“This includes the RedLine Stealer and an XMRig-based cryptocurrency mining malware known as ‘ZingoMiner’ internally in many cases.”
However, in an unexpected twist, the criminal organisation declared on Thursday that ownership of the ZingoStealer project will be transferred to a new threat actor, as well as offering to sell the source code for a negotiating sum.
ZingoStealer has been under constant development since its start last month, and it is reported to have been deliberately targeted at Russian-speaking victims by being packaged as game hacks and unlicensed software. Since at least January 2020, the Haskers Gang has been operating.
The virus uses Telegram as an exfiltration route as well as a platform to distribute updates, in addition to harvesting sensitive information such as credentials, stealing cryptocurrency wallet information, and mining bitcoin on victims’ PCs.
Customers can pay $3 to wrap the malware in a bespoke crypter called ExoCrypt, which allows it to circumvent antivirus defences without requiring the use of a third-party crypter solution.
According to the researchers, the inclusion of the XMRig cryptocurrency mining software in the stealer is an attempt by the malware author to monetize their work by exploiting PCs infected by affiliates to earn Monero currencies.
The virus is distributed via malicious campaigns disguised as a game modification utility or a software crack, with threat actors promoting the tool’s features and description on YouTube, along with a link to an archive file housed on Google Drive or Mega that includes the ZingoStealer payload.
Cisco Talos, on the other hand, pointed out that the executables are also hosted on the Discord CDN, raising the likelihood that the infostealer is spreading through gaming-related Discord communities.
ZingoStealer, on the other hand, is a.NET programme that can capture system metadata and information held by web browsers like Google Chrome, Mozilla Firefox, Opera, and Opera GX, as well as information from cryptocurrency wallets.
Furthermore, the virus is capable of deploying secondary malware at the attacker’s discretion, such as RedLine Stealer, a more feature-rich information stealer that steals data from a variety of apps, browsers, cryptocurrency wallets, and extensions. This could explain why the virus creators are giving ZingoStealer away for free to anyone who wants it.
“Users should be aware of the hazards posed by these types of programmes,” the researchers added, “and should verify that they are only executing software supplied through legitimate means.”