1 of 38

How Do You Say “Help” in Chinese?

Defending Against Fake Support Tickets

About us

Mauro Cáseres

Threat Management Specialist @ Bitso

Quetzal Team Leader

www.hackerhalted.com

Emilio Revelo

Security Engineering Manager @ Bitso

Quetzal Team Member

About this talk

This talk is about Zhong Stealer, a malware from China 🇨🇳.

It's distributed using a particular method: fake support tickets 🎟️.

Why target Help Desk?

Privileged access to workstations, internal systems and user info 👩🏻‍💻.

Anyone can reach Help Desk 🥸.

Many support agents 🎭.

Who targets Help Desk?

Initial Access Brokers: buy and sell credentials, VPNs and any access 🪪.

Malware Devs/Ops: gather credentials, data and financial gain 💰.

Zhong Stealer

First spotted by us on December 22nd, like a Christmas gift 🎁.

Targets companies in the Fintech and Crypto sectors 🧳.

Chinese-speaking actors opened tickets describing false problems 🆘.

They attached the malware sample disguised as "a screenshot" 🖼️.

We started collecting samples from every interaction 🔬!

🦠 Android 自由截图_20241220.zip

🦠 图片_20241224 (2).zip

🦠 图片_20241224.exe

🦠 圖片2024122288jpg.exe

🦠 图片_20241220.exe
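As an added example (not from the talk or from the Quetzal team's tooling), a small Python triage for help-desk attachment names built on the sample names above: executables or archives named like a picture (图片/圖片/截图/screenshot/jpg) are flagged, and a "screenshot" zip is opened to check what it really carries. The extension lists, the image-word list and the test archive are assumptions constructed for this example.

```python
import io
import re
import zipfile

# Extensions that have no business arriving as a customer "screenshot" (assumed list).
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".msi", ".lnk"}
ARCHIVE_EXT = {".zip", ".rar", ".7z"}
# Tokens that make a file name look like an image (Simplified/Traditional Chinese and English).
IMAGE_WORDS = re.compile(r"(图片|圖片|截图|截圖|screenshot|jpe?g|png)", re.IGNORECASE)

def split_ext(name):
    """Lower-cased (basename, extension); extension is '' when the name has no dot."""
    base, dot, ext = name.lower().rpartition(".")
    return (base, "." + ext) if dot else (name.lower(), "")

def triage_name(name):
    """Reasons the attachment name is suspicious; an empty list means it looks fine."""
    base, ext = split_ext(name)
    reasons = []
    if ext in EXECUTABLE_EXT:
        reasons.append(f"executable extension {ext}")
        if IMAGE_WORDS.search(base):
            reasons.append("executable named like an image")
    elif ext in ARCHIVE_EXT and IMAGE_WORDS.search(base):
        reasons.append("archive named like an image")
    return reasons

def triage_zip(name, data):
    """Name check plus a look inside: a 'screenshot' zip that carries an executable is flagged."""
    reasons = triage_name(name)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            inner = triage_name(member)
            if inner:
                reasons.append(f"member {member}: " + "; ".join(inner))
    return reasons

def build_sample_zip(member_name):
    """Constructed test archive holding a placeholder file (not a real binary)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder, not malware")
    return buf.getvalue()

if __name__ == "__main__":
    # File names from the slides plus one constructed benign name.
    for n in ["图片_20241224.exe", "圖片2024122288jpg.exe", "ticket_screenshot.png"]:
        print(n, "->", triage_name(n) or "ok")
    sample = build_sample_zip("图片_20241224.exe")
    print(triage_zip("Android 自由截图_20241220.zip", sample))
```

Archive formats other than zip (rar, 7z) only get the name check here; inspecting their contents needs an extra library.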

This makes it impossible to track malware families and campaigns 🔎.

So we analyzed it and named it "Zhong Stealer" 🏷️.

Reversing Zhong Stealer

Initial reversing revealed the samples to be a first stage: a loader 🪀.

Loaders prepare the system to run the full malware and download further components 🔧.

Other components were then downloaded from Alibaba Cloud 📦.

A .DLL library, a .log file and the next-stage .exe file 📄.

Connects to exfiltration servers in China and Hong Kong 📞.

Creates persistence through the Windows Registry and Scheduled Tasks 🗓️.

Samples are signed with stolen certificates belonging to Chinese companies ✍🏻.

Some samples even pose as antimalware solutions 👨🏻‍⚕️.

Eventual victims will find their digital accounts for sale on underground markets 🏴‍☠️.

Corporate access faces worse fates, being sold to ransomware gangs for later extortion 🔐.

As most malware does, it covers its tracks by disabling Windows Event Logging 🔨.

This complicates the work of Systems and Security Engineers 👷🏻‍♂️.

But we were able to stop it in its tracks and map its infrastructure and TTPs 🧠.

Here's the MITRE ATT&CK Matrix 🤖.

Conclusions

Security is a team journey 🫂.

Cybercriminals believe Help Desk to be the weakest link. Let's prove them wrong by training our teams and working closely together 🫱🏽‍🫲🏾.

Start reversing today.

There's a lot to discover and learn 🔬.

Remember that malware is not a toy.

Beware when trying to reverse strains at home... 🥽

Having said that:

Everyone deserves a name.

Adopt an unnamed malware strain today and write about it ✍🏻.

Contact

Mauro Cáseres

@MauroEldritch

LinkedIn: Mauro Eldritch

Emilio Revelo

LinkedIn: Emilio Revelo