ZombieBoy cryptomining malware exploits CVEs to evade detection

ZombieBoy cryptomining malware exploits CVEs to evade detection

ZombieBoy malware makes $1,000 Monero on a monthly basis.

An independent security expert James Quinn has discovered a new family of cryptominers that has been dubbed as ZombieBoy. According to Quinn’s analysis, the newly discovered cryptomining worm clocked in at 43 KH/s which means as per the on-going Monero rate, it is making $1,000 on a monthly basis.

But, that was before the closure of one of its addresses on MineXMR, a Monero mining platform. The cryptominer malware uses Simplified Chinese language, which hints at its possible links to China. Perhaps, the malware originated in China.

In his blog post, Quinn explains that this particular family of cryptominers is quite similar to the massminer, which was identified earlier in May, and that the malware has been named as ZombieBoy because it utilizes the ZombieBoyTools. It is worth noting that ZombieBoyTools has links with Iron Tiger APT, which is a Gh0st RAT variant and also has Chinese origins.

Using this tool, the malware manages to drop its first dll (dynamic link library) file. Moreover, Quinn claims that the worm uses different exploits to spread extensively into the system.
But, there is one thing that differs between massminer and ZombieBoy, which is that ZombieBoy doesn’t use MassScan for new hosts scanning. Instead, it uses WinEggDrop.

An interesting yet concerning aspect identified by Quinn is that the cryptominer is being updated constantly. In fact, he claims to be acquiring new samples of the miner every day. Moreover, the malware can exploit multiple CVEs for evading security programs. These include an RDP vulnerability CVE-2017-9073, and Server Message Block exploits CVE-2017-0143 and CVE-2017-0146.

The malware also uses DoublePulsar and EternalBlue exploits for the creation of backdoors. Since it can create multiple backdoors, therefore, it opens the gate for other malware infections such as keyloggers, ransomware, and similar malicious software. This feature further increases its chances of successful compromising of the system while makes it much difficult for security experts to identify and remove infections.

ZombieBoy cryptomining malware exploits CVEs to evade detection

What makes the malware even harder to detect is the fact that it doesn’t run on VMs (virtual machines), which make it difficult for security experts to perform reverse engineering or even capturing it. This is why developing a strategy to address the issue has become a troubling issue for researchers.

There are several measures that companies can undertake to stop threats like the ZombieBoy or at least limit the risk level. According to security researchers at IBM, it is important to block C&C traffic because ZombieBoy uses exploits like the EternalBlue and DoublePulsar, which rely upon C&C traffic (SMB_EternalBlue_Implant_CnC and SMB_DoublePulsar_Implant_CnC).

Another remedy is to develop smart, integrated security systems that can respond to multiple attack threats from DDoS to cryptomining and ransomware. This can be ensured by enabling 2FA and developing stronger web application firewalls.

Image credit: Depositphotos

Related Posts