Multiple Cves are Exploited by the New Cryptomining Malware - ‘Zombieboy’

ZombieBoy, the latest cryptomining malware, is on prowl. James Quinn, a security researcher, found the latest strain of cryptomining malware named as ZombieBoy, which appeared to be highly lucrative and leverages many exploits for avoiding detection.

This new ZombieBoy malware has got the name from ZombieBoyTools kit. This malware used this kit for dropping its first dynamic link library (DLL) file. Similar to MassMiner, ZombieBoy is also a highly infectious worm. However, ZombieBoy uses WinEggDrop in place of MassScan for searching new hosts in order to infect.

As per Quinn, a security researcher, this ZombieBoy malware was raking approximately $1,000 of cryptocurrency every month before one its addresses situated at Monero mining pool MineXMR was shutdown recently. The ZombieBoy most probably originated from China as Simplified Chinese language is used by the cryptocurrency, which shows that a Chinese coder is its author.

The networks infected by ZombieBoy are compromised by exploiting several vulnerabilities that exist in the network. These vulnerabilities comprise of CVE-2017-9073 that is essentially RDP (Remote Desktop Protocol) vulnerability on Windows Server 2003 and Windows XP, and SMB (Server Message Block) exploits CVE-2017-0143 and CVE-2017-0146.

Both EternalBlue and DoublePulsar, the NSA-linked exploits, are used by ZombieBoy malware for creating various backdoors. This further increases the possibility of network being compromised, and also raises difficulty for the IT parties to remove its infections.

Encrypted with Themdia, this cryptomining malware has the capability to detect virtual machines (VM), thus they cannot be run on the VMs. This further makes malware detection as well as reverse engineering the ZombieBoy malware a tough task. Moreover, this also limits both effectiveness and development of countermeasures.

The malware is being linked to another Chinese malware, IRON TIGER APT, which is a Gh0stRAT variant. This malware also finds its link with other Chinese origin malware variants, which implies that the malware will be persistent and will evolve continuously.

The 64.exe module that is downloaded by the ZombieBoy uses DoublePulsar exploit for installing both RDP backdoor and SMB backdoor, as per Quinn. These double backdoors of ZombieBoy can make a gateway for the cryptomining malware along with keyloggers, various other malicious tools and ransomware.

» SPAMfighter News - 8/13/2018