The security researcher James Quinn has spotted a new strain of crypto mining worm dubbed ZombieBoy that appears to be very profitable and leverages several exploits to evade detection.
The expert called this new malware ZombieBoy because it uses a tool called ZombieBoyTools to drop the first dll, it uses some exploits to spread.
Unlike MassMiner cryptocurrency miner, ZombieBoy leverages WinEggDrop instead of MassScan to search for new hosts to infect.
The cryptocurrency uses Simplified Chinese language, which suggests that its author is a Chinese coder.
The ZombieBoy mine leverages several exploits, including:
ZombieBoy also uses both NSA-linked exploits DoublePulsar and EternalBlue exploits to remotely install the main dll. The malware used the ZombieBoyTools to install the two exploits.
Once the has established a backdoor in the target system it could deliver other families of malware, such as ransomware, and keyloggers.
According to Quinn’s, the 64.exe module downloaded by ZombieBoy uses the DoublePulsar exploit to install both an SMB backdoor as well as an RDP backdoor.
The same component uses XMRIG to mine Monero coins at 43 KH/s, that means that users can earn $1,000 on a monthly base at the current rate.
“In addition, 64.exe uses XMRIG to mine for XMR. Prior to shutting down one of its addresses on minexmr.com, ZombieBoy was mining at around 43KH/s. This would earn the attackers slightly over $1,000 per month at current Monero prices.” continues the analysis.
Quinn highlighted that the miner is being updated constantly, he is observing new samples on a daily base.
The malware is able to detect VM and doesn’t run in a virtualized environment to make hard its detection.
Further details including IoCs are reported in the analysis published by the expert.
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(Security Affairs – miner, Monero)