Cybersecurity Alert - New Malware Targeting Firm Customer Support Personnel

New Malware (Zhong Stealer) and Social Engineering Techniques Targeting Customer Support Systems

Impact: All Firms

FINRA members should review this information with any personnel who communicate with clients and with vendors who may provide call center services to the firm.

Firms could be vulnerable to a newly discovered social engineering scheme in which bad actors trick customer support personnel into downloading and executing malware. This Alert describes the scheme and provides recommendations to help firms protect themselves from the threat.

Background

Any.Run[1] first observed the Zhong Stealer scheme Dec. 20-24, 2024. During the scheme, a bad actor poses as a customer of a financial services firm and interacts with customer support center personnel via a chat support platform. Over the course of the interaction, the purported customer leverages social engineering techniques to deploy credential stealer malware. In each instance, Any.Run identified a pattern in which the purported customer:
  • Opened a new support ticket from a newly created, empty account;
  • Used broken language and asked for help in Chinese;
  • Attached to the chat a ZIP file containing screenshots or additional details; and then
  • Insisted support staff open the file, growing frustrated with call center personnel when they refused.
If customer support personnel open the ZIP file, Zhong Stealer contacts a command and control (C2) server based in Hong Kong and hosted by Alibaba Cloud. After establishing persistence, the malware attempts to harvest browser credentials and browser extension data before exfiltrating the stolen data to the same Hong Kong-based C2 server.
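The infection chain above starts with support staff opening an attached ZIP file, and the Alert later recommends restricting ZIP file execution from unverified sources. The following Python example, added here and not taken from the Alert or from Any.Run, shows how a chat platform or mail gateway could screen a ZIP attachment before it reaches an agent: it lists the archive members without extracting them and blocks archives that contain executable content, double-extension names that disguise an executable as a screenshot, nested archives, or members with an extreme compression ratio. The extension lists, the ratio threshold and the sample archives are constructed assumptions for the example, not indicators from the Alert.

```python
import io
import zipfile

# Member extensions that should never arrive in a customer support chat.
# Assumption for this example, not a list from the FINRA Alert.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".vbs", ".js",
    ".jse", ".wsf", ".hta", ".msi", ".dll", ".lnk",
}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}
MAX_RATIO = 100  # constructed threshold for uncompressed/compressed size


def _extensions(name: str) -> list:
    """Return every extension of a member name, lowercased.

    'error_details.png.exe' -> ['.png', '.exe']
    """
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def screen_zip_attachment(data: bytes) -> dict:
    """Inspect ZIP bytes without extracting any member.

    Returns {'verdict': 'allow' | 'block', 'reasons': [...]}.
    """
    reasons = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "block", "reasons": ["not a valid ZIP archive"]}

    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            final = exts[-1] if exts else ""
            if final in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable member: {info.filename}")
                if len(exts) > 1:
                    # e.g. screenshot.png.exe: the visible 'png' hides an .exe
                    reasons.append(
                        f"double extension disguises executable: {info.filename}"
                    )
            if final in ARCHIVE_EXTENSIONS:
                reasons.append(f"nested archive: {info.filename}")
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                reasons.append(f"suspicious compression ratio: {info.filename}")
    return {"verdict": "block" if reasons else "allow", "reasons": reasons}


def build_sample_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a plain screenshot archive and a disguised executable.
    benign = build_sample_zip({"screenshot1.png": b"\x89PNG constructed image bytes"})
    disguised = build_sample_zip({
        "screenshot1.png": b"\x89PNG constructed image bytes",
        "error_details.png.exe": b"MZ constructed executable bytes",
    })
    print(screen_zip_attachment(benign))
    print(screen_zip_attachment(disguised))
```

Because the check only reads the central directory, it runs before any file is written to disk; a blocked attachment can be routed to a sandbox (as the Alert recommends) instead of to the agent's chat window.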

Once deployed, Zhong Stealer uses the following techniques to inflict damage.[2]
  • Disabling Event Logging (T1562) to prevent security tools from recording malicious activity.
  • Gaining Persistence via Registry Keys (T1547) to ensure automatic execution at startup.
  • Harvesting Credentials (T1552) to extract saved passwords, browser session data and authentication tokens.
  • Scheduling Tasks (T1053) to maintain persistence even after system reboots.
  • Communicating via Non-Standard Ports (T1571), such as port 1131, to transmit stolen data to a command-and-control (C2) server in Hong Kong.
Further, the Any.Run blog post identifies several Indicators of Compromise (IOCs) that firms should be on the lookout for.

Recommendations to Protect Your Firm

To protect against Zhong Stealer and similar social engineering-based malware, FINRA recommends the following actions.
  • Train customer support teams to recognize social engineering / phishing tactics and avoid opening suspicious file attachments in support chats.
  • Restrict ZIP file execution from unverified sources and enforce zero-trust security policies to prevent unauthorized file access.
  • Monitor outbound network traffic for suspicious C2 connections, especially to non-standard ports like 1131.
  • Use sandboxing tools to safely open and analyze unknown executables, observe their behavior, and extract critical IOCs before the malware can spread.
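The third recommendation above, monitoring outbound traffic for C2 connections on non-standard ports such as 1131, is straightforward to turn into detection logic. The Python example below is added here and is not code from FINRA or Any.Run. It parses a constructed firewall log format, keeps only connections from internal address ranges to external destinations, raises a high-severity finding for the port named in the Alert and a medium-severity finding for any other port outside an expected allowlist, then aggregates repeated hits per destination so that a beacon to one host stands out. The log format, the internal ranges, the port allowlist, the sample addresses and the timestamps are all constructed assumptions; the only value taken from the Alert is port 1131.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed log format: "<ts> <ALLOW|DENY> <src>:<sport> -> <dst>:<dport> <TCP|UDP>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>TCP|UDP)$"
)

# Assumed internal ranges for the firm's network (tune to the real environment).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports a support workstation is expected to reach on the Internet; an assumption.
EXPECTED_OUTBOUND_PORTS = {53, 80, 123, 443}
# Port the Alert names for Zhong Stealer C2 traffic.
KNOWN_C2_PORTS = {1131}


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    severity: str
    reason: str


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_suspicious_outbound(lines) -> list:
    """Return findings for internal -> external connections on unexpected ports."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue  # unparseable, inbound, or internal-only traffic
        if rec["dport"] in KNOWN_C2_PORTS:
            findings.append(Finding(rec["ts"], rec["src"], rec["dst"], rec["dport"],
                                    "high", f"outbound to known C2 port {rec['dport']}"))
        elif rec["dport"] not in EXPECTED_OUTBOUND_PORTS:
            findings.append(Finding(rec["ts"], rec["src"], rec["dst"], rec["dport"],
                                    "medium", f"outbound to unexpected port {rec['dport']}"))
    return findings


def count_by_destination(findings) -> Counter:
    """Count findings per (dst, dport) so a repeating beacon is visible at a glance."""
    return Counter((f.dst, f.dport) for f in findings)


# Constructed sample log: one workstation beacons three times to port 1131,
# another reaches an unusual port once, and one line is inbound traffic.
SAMPLE_LOG = """\
2025-01-15T09:12:01Z ALLOW 10.20.30.41:51022 -> 203.0.113.10:443 TCP
2025-01-15T09:12:07Z ALLOW 10.20.30.41:51023 -> 198.51.100.77:1131 TCP
2025-01-15T09:12:09Z ALLOW 10.20.30.41:51024 -> 203.0.113.10:80 TCP
2025-01-15T09:13:07Z ALLOW 10.20.30.41:51030 -> 198.51.100.77:1131 TCP
2025-01-15T09:14:02Z ALLOW 10.20.30.52:51031 -> 203.0.113.55:8443 TCP
2025-01-15T09:14:07Z ALLOW 10.20.30.41:51040 -> 198.51.100.77:1131 TCP
2025-01-15T09:15:00Z ALLOW 203.0.113.9:40000 -> 10.20.30.41:443 TCP
"""

if __name__ == "__main__":
    found = detect_suspicious_outbound(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.ts} {f.severity.upper():6} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
    for (dst, port), n in count_by_destination(found).most_common():
        print(f"{dst}:{port} hit {n} time(s)")
```

In production the same logic would read firewall, proxy or NetFlow exports rather than an embedded string, and the medium-severity branch is where a firm's own allowlist matters most: a port that is routine for one business unit may be the only signal of compromise on a support desk workstation.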
Questions related to this Alert or other cybersecurity-related topics can be emailed to the FINRA Cyber and Analytics Unit (CAU).

FINRA asks member firms to please report any critical system or business operations issues to your Risk Monitoring Analyst.

Both the FBI and CISA urge you to promptly report cyber incidents to a local FBI Field Office, the FBI Internet Crime Complaint Center (IC3) at IC3.gov, or CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870).

Note: This Alert does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve firms of any existing obligations under federal securities laws, regulations, and FINRA rules. Member firms may consider the information in this Alert in developing new, or modifying existing, policies and procedures that are reasonably designed to achieve compliance with relevant regulatory obligations based on the member firm’s size and business model. Moreover, some information may not be relevant due to certain firms’ business models, sizes, or practices. 

If you would like to add or change who receives this email, please update your firm’s Chief Information Security Officer (CISO), Chief Compliance Officer (CCO) and/or Chief Risk Officer (CRO) contacts in FINRA Gateway.

[1] Any.Run is a cybersecurity company that provides threat intelligence information, threat feeds, security lab training and sandbox environments for analysis of files/software.
[2] This malware employs a variety of Tactics, Techniques and Procedures (TTPs), which can be mapped to the MITRE ATT&CK framework. Techniques represent "how" an adversary achieves a tactical goal by performing an action. Each Technique is assigned a unique identifier, usually in the format "T#", where the number corresponds to its place in the framework.