A Security researcher has spotted a new family of crypto mining malware dubbed Zombieboy
A security researcher has spotted a new family of crypto mining malware dubbed ZombieBoy. James Quinn, an independent security researcher, discovered the crypto mining malware, which spreads by means of exploits. The malware takes its name from the ZombieBoyTools kit, which it uses to drop its first DLL (dynamic link library). ZombieBoy is a highly infectious crypto mining worm in the mould of MassMiner, but it uses WinEggDrop rather than MassScan to scan for new hosts. During execution the malware leverages several exploits, including:
- CVE-2017-9073, an RDP vulnerability in Windows XP and Windows Server 2003
- CVE-2017-0143, an SMB exploit
- CVE-2017-0146, an SMB exploit
How ZombieBoy works
ZombieBoy uses the EternalBlue/DoublePulsar exploits to remotely install its main DLL via ZombieBoyTools. Once the backdoor is established on the target system, it can open the way for other malware families such as keyloggers and ransomware. 64.exe is the first module ZombieBoy downloads; 64.exe then uses the DoublePulsar exploits to install both an SMB backdoor and an RDP backdoor. The researcher's blog post includes an overview diagram of ZombieBoy's execution.
“In addition, 64.exe uses XMRIG to mine for XMR. Prior to shutting down one of its addresses on minexmr.com, ZombieBoy was mining at around 43KH/s. This would earn the attackers slightly over $1,000 per month at current Monero prices,” James Quinn wrote in his blog post. The malware detects virtual machines and does not run on them, which hampers analysis in sandboxes and other virtualised environments used by security researchers. According to the blog post, the malware uses Simplified Chinese and appears to be of Chinese origin. The researcher also said the crypto miner is being continually updated and that he is observing new samples daily.
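The two network behaviours described above, an SMB/RDP sweep of neighbouring hosts to find new victims and outbound contact with a Monero pool on minexmr.com, are both visible in ordinary connection logs. The following script is an added example, written for this page and not taken from the article or from James Quinn's research, that runs both checks over a constructed sample of flow-log lines. It assumes a simple `key=value` log format, standard SMB (TCP/445) and RDP (TCP/3389) ports, a threshold of ten distinct targets in sixty seconds for the sweep check, and a pool port of 3333 in the sample; all of those are assumptions for illustration, while the minexmr.com domain comes from the article.

```python
"""Detect worm-style SMB/RDP sweeps and mining-pool contact in connection logs."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LATERAL_PORTS = {445, 3389}          # SMB and RDP, the two services ZombieBoy exploits
POOL_DOMAINS = {"minexmr.com"}       # pool named in the article; extend with your own list


def parse_line(line: str) -> dict:
    """Parse one constructed log line: '<ISO-8601 ts>Z src=.. dst=.. dport=.. dhost=..'."""
    ts_text, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts_text.rstrip("Z"))}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = int(value) if key == "dport" else value
    return event


def detect_lateral_scanning(events, ports=LATERAL_PORTS, threshold=10,
                            window=timedelta(seconds=60)):
    """Flag any source that reaches >= threshold distinct hosts on one port inside the window.

    Uses a sliding window over the time-sorted connections of each (src, port) pair.
    """
    by_key = defaultdict(list)
    for e in events:
        if e["dport"] in ports:
            by_key[(e["src"], e["dport"])].append((e["ts"], e["dst"]))
    alerts = []
    for (src, dport), conns in by_key.items():
        conns.sort()
        in_window = Counter()     # distinct dst -> occurrences inside the current window
        left = 0
        best = 0
        for ts, dst in conns:
            in_window[dst] += 1
            while ts - conns[left][0] > window:       # slide the left edge forward
                old_dst = conns[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            best = max(best, len(in_window))
        if best >= threshold:
            alerts.append({"src": src, "dport": dport, "distinct_targets": best})
    return alerts


def detect_mining_pool_contact(events, pool_domains=POOL_DOMAINS):
    """Flag any connection whose destination hostname is a listed pool domain or a subdomain."""
    hits = []
    for e in events:
        dhost = e.get("dhost", "-")
        if any(dhost == d or dhost.endswith("." + d) for d in pool_domains):
            hits.append({"src": e["src"], "dst": e["dst"], "dhost": dhost, "dport": e["dport"]})
    return hits


def analyze(log_text: str) -> dict:
    """Run both detections over raw log text and return the alerts."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {"scanning": detect_lateral_scanning(events),
            "mining_pool": detect_mining_pool_contact(events)}


def constructed_sample_log() -> str:
    """Constructed sample traffic (not real data): one sweeping host, one benign, one pool contact."""
    base = datetime(2018, 7, 20, 10, 0, 0)
    stamp = lambda s: (base + timedelta(seconds=s)).isoformat() + "Z"
    lines = []
    # 10.0.0.5 touches 12 neighbours on TCP/445 within 22 seconds: worm-like behaviour
    for i in range(12):
        lines.append(f"{stamp(2 * i)} src=10.0.0.5 dst=10.0.0.{20 + i} dport=445 dhost=-")
    # the same host probes three neighbours on RDP, below the threshold on its own
    for i in range(3):
        lines.append(f"{stamp(30 + i)} src=10.0.0.5 dst=10.0.0.{40 + i} dport=3389 dhost=-")
    # 10.0.0.7 talks to a single file server twice: ordinary SMB use
    lines.append(f"{stamp(5)} src=10.0.0.7 dst=10.0.0.100 dport=445 dhost=fileserver.corp.example")
    lines.append(f"{stamp(50)} src=10.0.0.7 dst=10.0.0.100 dport=445 dhost=fileserver.corp.example")
    # 10.0.0.9 reaches a minexmr.com pool (the port 3333 here is a constructed value)
    lines.append(f"{stamp(70)} src=10.0.0.9 dst=203.0.113.10 dport=3333 dhost=pool.minexmr.com")
    return "\n".join(lines)


if __name__ == "__main__":
    for kind, alerts in analyze(constructed_sample_log()).items():
        for alert in alerts:
            print(kind, alert)
```

The sweep check keys on distinct destinations per source and port rather than raw connection counts, so a workstation that hammers one file server is not flagged while a host walking a /24 on 445 is. The pool check is only as good as its domain list; in practice you would also look for the Stratum protocol itself, since XMRig can be pointed at any pool.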