One Article Review

Home - The article:
Source: AlienVault Blog
Identifier: 747574
Publication date: 2018-07-18 13:00:00 (seen: 2018-07-22 02:01:20)
Title: ZombieBoy
Text: This is a guest post by independent security researcher James Quinn.

Continuing the 2018 trend of cryptomining malware, I have found another family of mining malware similar to the "MassMiner" discovered in early May. I am calling this family ZombieBoy because it uses a tool called ZombieBoyTools to drop the first DLL. ZombieBoy, like MassMiner, is a cryptomining worm that uses several exploits to spread. However, unlike MassMiner, ZombieBoy uses the WinEggDrop port scanner instead of MassScan to search for new hosts. ZombieBoy is being continually updated, and I have been obtaining new samples almost daily.

[Diagram: overview of ZombieBoy's execution]

Domains

ZombieBoy uses several servers running HFS (HTTP File Server) to acquire its payloads. The URLs I have identified are:

ca[dot]posthash[dot]org:443/
sm[dot]posthash[dot]org:443/
sm[dot]hashnice[dot]org:443/

In addition, it appears to have a C2 server at dns[dot]posthash[dot]org.

Exploits

ZombieBoy makes use of several exploits during execution:

CVE-2017-9073, an RDP vulnerability affecting Windows XP and Windows Server 2003
CVE-2017-0143, SMB exploit (MS17-010)
CVE-2017-0146, SMB exploit (MS17-010)

Installation

ZombieBoy first uses the EternalBlue/DoublePulsar exploits to remotely install the main DLL. The program used to launch these two exploits is called ZombieBoyTools and appears to be of Chinese origin: its interface uses Simplified Chinese, and it has been used to deploy a number of Chinese malware families (such as the IRON TIGER APT's version of Gh0stRAT).

[Screenshot: ZombieBoyTools]

Once the DoublePulsar exploit has executed successfully, it loads and executes the first DLL of the malware. This DLL downloads 123.exe from ca[dot]posthash[dot]org:443, saves it to "C:\%WindowsDirectory%\sys.exe", and then executes it.

Set up

123.exe does several things on execution. First, it downloads the module [1] from the file distribution servers. According to code analysis of 123.exe, it refers to this module as "64.exe", but saves it on the victim as "boy.exe". After saving the module, it executes it. 64.exe appears to be in charge of distributing ZombieBoy as well as carrying the XMRig miner.

In addition to downloading a module from its servers, 123.exe also drops and executes two modules. The first module is referred to in the code as "74.exe". This is saved as "C:\Program Files(x86)\svchost.exe" and appears to be a variant of the age-old Gh0stRAT. The second module is referred to in the code as "84.exe". This is saved as "C:\Program Files(x86)\StormII\mssta.exe" and appears to be a RAT of unknown origin.

64.exe

64.exe is the first module downloaded by ZombieBoy. 64.exe uses some anti-analysis techniques that are quite formidable. First, the entire executable is protected with the Themida packer, making reverse engineering difficult. Also, in c
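The domains, drop paths and file names listed above are the indicators a defender would actually hunt for. The following Python script is an added example, not part of the original post or of any AlienVault tooling: it refangs the defanged indicators exactly as they appear in the write-up, normalises the drop paths (so the write-up's "Program Files(x86)" matches the real "Program Files (x86)"), and runs three checks over a small constructed log in a key=value format invented for this example. The assumptions are that %WindowsDirectory% is C:\Windows, and that the log carries DNS queries, HTTP URLs and process-creation events in that constructed format. The third check goes beyond the write-up's literal indicators: any svchost.exe running outside System32 or SysWOW64 is flagged, since that is where the genuine binary lives and the Gh0stRAT module is dropped under Program Files (x86) precisely to blend in with the real name.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# --- Indicators from the write-up, defanged exactly as published ------------
DEFANGED_DOMAINS = [
    "ca[dot]posthash[dot]org",
    "sm[dot]posthash[dot]org",
    "sm[dot]hashnice[dot]org",
    "dns[dot]posthash[dot]org",   # C2
]
# Drop locations from the write-up.  ASSUMPTION: %WindowsDirectory% is C:\Windows.
DROPPED_PATHS = [
    r"C:\Windows\sys.exe",                        # 123.exe, saved as sys.exe
    r"C:\Program Files (x86)\svchost.exe",        # 74.exe, Gh0stRAT variant
    r"C:\Program Files (x86)\StormII\mssta.exe",  # 84.exe, RAT of unknown origin
]
# Directories where a genuine svchost.exe lives (already normalised, see norm_path).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def refang(ioc: str) -> str:
    """Turn 'ca[dot]posthash[dot]org' or 'hxxp://...' back into its real form."""
    ioc = re.sub(r"\[(?:dot|\.)\]", ".", ioc, flags=re.IGNORECASE)
    ioc = re.sub(r"^hxxp(s?)://", r"http\1://", ioc, flags=re.IGNORECASE)
    return ioc.lower()


def norm_path(path: str) -> str:
    """Case-fold and drop spaces so 'Program Files(x86)' == 'Program Files (x86)'."""
    return path.lower().replace(" ", "")


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
PATHS = {norm_path(p) for p in DROPPED_PATHS}


def parse_line(line: str) -> Dict[str, str]:
    """Parse the constructed key=value format; values may be double-quoted."""
    fields: Dict[str, str] = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|\S+)', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def check_fields(fields: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (rule, matched value) pairs for one parsed event."""
    hits: List[Tuple[str, str]] = []
    host = fields.get("query")                      # DNS query name
    if "url" in fields:                             # or the host part of a URL
        host = urlsplit(fields["url"]).hostname
    if host and host.lower().rstrip(".") in DOMAINS:
        hits.append(("zombieboy-domain", host))
    image = fields.get("image")
    if image:
        n = norm_path(image)
        if n in PATHS:
            hits.append(("zombieboy-dropped-file", image))
        directory, _, base = n.rpartition("\\")
        if base == "svchost.exe" and directory not in LEGIT_SVCHOST_DIRS:
            hits.append(("svchost-outside-system32", image))
    return hits


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan log lines; return (line number, rule, value) for every hit."""
    results: List[Tuple[int, str, str]] = []
    for num, line in enumerate(lines, start=1):
        for rule, value in check_fields(parse_line(line)):
            results.append((num, rule, value))
    return results


# Constructed sample log for this example (not captured from a real infection).
SAMPLE_LOG = r"""
2018-07-18T13:00:01Z host=ws12 type=dns query=ca.posthash.org
2018-07-18T13:00:02Z host=ws12 type=http url=http://ca.posthash.org:443/123.exe
2018-07-18T13:00:03Z host=ws12 type=proc image="C:\Windows\sys.exe"
2018-07-18T13:00:04Z host=ws12 type=proc image="C:\Program Files (x86)\svchost.exe" parent="C:\Windows\sys.exe"
2018-07-18T13:00:05Z host=ws12 type=proc image="C:\Program Files (x86)\StormII\mssta.exe" parent="C:\Windows\sys.exe"
2018-07-18T13:00:06Z host=ws12 type=dns query=dns.posthash.org
2018-07-18T13:00:07Z host=ws07 type=proc image="C:\Windows\System32\svchost.exe" parent="C:\Windows\System32\services.exe"
2018-07-18T13:00:08Z host=ws07 type=dns query=www.example.com
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

if __name__ == "__main__":
    for num, rule, value in scan(SAMPLE_LINES):
        print(f"line {num}: {rule}: {value}")
```

Running the script against the constructed log yields seven hits on lines 1 to 6 and nothing for the legitimate svchost.exe or the unrelated DNS query on lines 7 and 8. Note that the write-up's distribution servers answer on port 443 but are plain HTTP File Servers; a proxy log that records non-TLS traffic to port 443 is therefore another place to look.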
Sent: Yes


The article does not seem to have been picked up after its publication.


The article does not seem to be a repeat of an earlier one.