We identified more than 400 samples for Ginzo stealer within 10 days since 20th March and the numbers are rising. What is behind the free stealer?
We discovered and announced Ginzo stealer on March 24, 2022. A Youtube video, discovered by @3xp0rtblog, showcases the first release. It was uploaded on 4th of March.
The description below the video states that the stealer is provided for free, which is most likely a marketing technique to get criminal buyers hooked.
If that is a marketing technique, it has worked well for the criminals. Just counting the samples we saw between 20th and 30th of March, we found more than 400 Ginzo stealer binaries on VirusTotal.
Ginzo's Telegram channel states that the stealer is for sale by now.
Ginzo stealer is obfuscated with ConfuserEx resulting in error messages when trying to decompile the code. That is because the type initializer .cctor decrypts the actual code on the fly. It also initializes data required for string decryption.
Automatic deobfuscation with tools like de4dot is not sufficient anymore. A combination of debugging (to obtain the decrypted code and strings), static analysis and manual deobfuscation is necessary to obtain readable code.
Ginzo stealer first downloads the following additional libraries from its C&C server:
Due to improper exception handling the stealer crashes some time later if these libraries cannot be downloaded.
The stealer requests a ginzolist.txt from the C&C server. This text file contains addresses of additional download locations for executables. In our tests the file contained two entries that instruct Ginzo to download antiwm.exe and generation.exe. The file antivm.exe is a malicious coinminer and generation.exe is another .NET based stealer, specializing on Discord tokens. Both of these files are packed.
Ginzo creates a folder named GinzoFolder in %LOCALAPPDATA% (see picture below). It stores all the extracted system data there, like screenshots, credentials, cookies, telegram data, and cryptocurrency wallets. The stealer creates a file named System.txt to store generic system information, which includes the IP address, operating system, username, computername, screen resolution, graphics card, processor, RAM, launch time and the Ginzo stealer telegram channel. The stealer also stores a datetime value in ChromeUploadTime.txt for making sure that the stolen data is not sent too often to the threat actor.
A listing of GinzoFolder contents and contained data is in the IoC section at the bottom.
Ginzo obtains the following data from the system:
The stealer then contacts the C&C and starts with sending statistics about the stolen data:
The digits that are sent via the data parameter are likely some kind of ID for the stealer binary.
Ginzo saves the files from GinzoFolder into ginzoarchive.zip and sends the archive to the C&C server.
Ginzo is a full fledged stealer that has become widely used in a relatively short amount of time. It is yet another stealer that we may have to deal with in the following years if the Ginzo threat actors stay in the game.
When criminals provide something for free, it is most likely not charity. It may be used to improve reputation, to hook future buyers, and in this case also to get stolen data while letting others do the job of spreading the malware, since all the data is funneled to the server of the Ginzo threat actors.
Below are listings for IoCs and targeted cryptowallets
| Ginzo stealer||3fd0837381babda7ef617b810457f0db32bd7c1f7e345480e6c525050ca818fa|
| antiwm.exe, coinminer||ee1524e4980cac431ae0f92888ee0cc8a1fa9e7981df0be6abd7efa98adf9a45|
| generation.exe, Discord token stealer||a9a42ca72be1083b57ee9542925cda5211606b5d07b7b0be21516762e1680124|
| Download URLs|
| Submitted CnC data||hxxps://nominally.ru/g1nzo.php?data=1148674342&countc=<cookie_count>&countp=<password_count>&country=<country>&ip=<ip_address>&countw=<cryptowallet_count>"|
| Folder with stolen data||%LOCALAPPDATA%\GinzoFolder\|
| General system data||%LOCALAPPDATA%\GinzoFolder\System.txt|
| Screenshot of infected system||%LOCALAPPDATA%\GinzoFolder\Screenshot.png|
| Last time when stolen data was sent to server||%LOCALAPPDATA%\ChromeUploadTime.txt|
| Extracted browser data||%LOCALAPPDATA%\GinzoFolder\Browsers\|
| Extracted cryptocurrency wallets||%LOCALAPPDATA%\GinzoFolder\Wallets\|
| Copied files from Desktop||%LOCALAPPDATA%\GinzoFolder\Desktop Files\|
| Archive containing all files from GinzoFolder||%LOCALAPPDATA%\GinzoFolder\ginzoarchive.zip|
Ginzo stealer targets among others cryptocurrency data and obtains them from either Chrome extensions or folders on the user system:
%LOCALAPPDATA%\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
|Coinbase||%LOCALAPPDATA%\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad|
|TronLink||%LOCALAPPDATA%\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec|
|MathWallet||%LOCALAPPDATA%\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc|
|MetaMask||%LOCALAPPDATA%\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn|
|NiftyWallet||%LOCALAPPDATA%\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid|
|BraveWallet||%LOCALAPPDATA%\Google\Chrome\User Data\Default\Local Extension Settings\odbfpeeihdkbihmopkbjmoonfanlbfcl|
|BinanceChain||%LOCALAPPDATA%\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp|
|BitAppWallet||%LOCALAPPDATA%\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi|
|iWallet||%LOCALAPPDATA%\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj|
|Wombat||%LOCALAPPDATA%\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih|
|EquallWallet||%LOCALAPPDATA%\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac|