Meet ZingoStealer: the Haskers Gang's new, free malware

ZingoStealer is able to spread cryptocurrency mining malware.
Written by Charlie Osborne, Contributing Writer

A new type of information stealer has been added to the Haskers Gang malware portfolio.

On Thursday, researchers from Cisco Talos said that the malware, dubbed ZingoStealer, is being offered for free to Haskers Gang Telegram group members.

Active since at least 2020, the Haskers Gang group isn't your typical, small collective of cybercriminals. Instead, the 'community' comprises of a few founders -- likely based in Eastern Europe -- and thousands of casual members.

Haskers Gang communicates via Telegram and Discord to share 'community' updates, tools, and its latest activities. The Telegram group has just under four thousand subscribers who share tips on cracks, crypters, bypassing security measures and hacking software. Telegram is also abused to manage the malicious executables and exfiltrated data packages.

According to the researchers, the attackers target gamers through cheat codes, pirated software and tend to focus on Russian-speaking victims. 

The new ZingoStealer information stealer can harvest account credentials, Chrome and Firefox browser data, and Discord tokens, among other datasets. In addition, the malware will try to tap into any cryptocurrency wallet credentials held by browser extensions from services including BitApp, Coinbase, Binance, and Brave.

ZingoStealer may also be used in conjunction with other malware strains, including RedLine Stealer. 

RedLine Stealer contains your typical stealer functions alongside the ability to harvest VPN account credentials and login details, impacting vendors including NordVPN, OpenVPN, and ProtonVPN. In January, Fortinet observed the malware being spread in a phishing campaign taking advantage of the COVID-19 pandemic.

Furthermore, ZingoStealer can also be used to deploy a cryptocurrency miner on infected systems. Also known as cryptojacking, cybercriminals may quietly execute a cryptocurrency miner in attacks that steal computing power to mine for coins -- and these virtual assets are sent to wallets controlled by threat actors.

In this case, a custom version of XMRig, a Monero (XMR) miner, is deployed. The hackers internally refer to this miner as "ZingoMiner."

ZingoStealer was first released in March this year. Even though it is a new form of malware, its code has already undergone extensive development, and there are multiple versions in the wild. 

However, while a free version of ZingoStealer has been released, the threat group is also attempting to cash in with a subscription version, also known as malware-as-a-service (MaaS), which costs roughly 300 roubles ($3). This variant also contains a crypter called ExoCrypt. It is possible multiple threat groups will adopt the stealer in the future, especially as a free option is available.

"While the malware is new, Cisco Talos has observed that it is undergoing consistent development and improvement and that the volume of new samples being observed in the wild continues to increase as more threat actors attempt to leverage it for nefarious purposes," the researchers said.

See also

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards