ZombieBoy also uses both NSA-linked exploits DoublePulsar and EternalBlue exploits to remotely install the main dll. The malware used the ZombieBoyTools to install the two exploits.
Once the has established a backdoor in the target system it could deliver other families of malware, such as ransomware, and keyloggers.
According to Quinn’s, the 64.exe module downloaded by ZombieBoy uses the DoublePulsar exploit to install both an SMB backdoor as well as an RDP backdoor.
The same component uses XMRIG to mine Monero coins at 43 KH/s, that means that users can earn $1,000 on a monthly base at the current rate.
“In addition, 64.exe uses XMRIG to mine for XMR. Prior to shutting down one of its addresses on minexmr.com, ZombieBoy was mining at around 43KH/s. This would earn the attackers slightly over $1,000 per month at current Monero prices.” continues the analysis.
Quinn highlighted that the miner is being updated constantly, he is observing new samples on a daily base.
The malware is able to detect VM and doesn’t run in a virtualized environment to make hard its detection.
Further details including IoCs are reported in the analysis published by the expert.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.