ZombieBoy: New Crypto-Mining Malware Exploits Multiple CVEs

A new cryptomining malware called ZombieBoy is on the prowl. Recently, this new addition to the cryptomining dynasty has clocked in at $1,000 per month.

James Quinn, an independent security researcher, investigated ZombieBoy in AlienVault this month. The malware takes its name from the ZombieBoyTools kit, which it uses to drop its first DLL (dynamic link library) file. ZombieBoy is an extremely infectious worm, just like MassMiner; however, it uses WinEggDrop instead of MassScan to identify new hosts.

According to Quinn, the malware was bringing in around $1000 per month in cryptocurrency before the recent shutdown of one of its addresses on the Monero mining pool MineXMR. ZombieBoy is believed to originate from China, based on the malware's use of the Simplified Chinese language.

ZombieBoy compromises the networks it infects by exploiting numerous vulnerabilities. These include CVE-2017-9073, a remote desktop protocol (RDP) vulnerability on Windows XP and Windows Server 2003, and the Server Message Block (SMB) exploits CVE-2017-0146 and CVE-2017-0143. The malware then uses EternalBlue and DoublePulsar to create numerous backdoors. This increases its chances of compromising the network while also making it more difficult for IT teams to eradicate its infections.

Encrypted with Themida, ZombieBoy will not run on virtual machines (VMs), which makes capturing and reverse engineering the malware difficult. This in turn limits both the development and the effectiveness of countermeasures.

The malware has been linked to IRON TIGER APT, another Chinese malware that is a variant of Gh0stRAT, as well as to other malware variants of Chinese origin, which suggests both persistence and continuous evolution.
