ZombieBoy is a collection of remote access trojans (RATs) used to automatically identify and infect devices with cryptocurrency miners.
The initial malware package, ZombieBoy.dll, is delivered using the EternalBlue and DoublePulsar exploits, with potential targets identified using the WinEggDrop port scanner. Once it is installed, several files are executed.
These are a sequence of executables that initially download over 70 files, including the XMRig mining module, the exploits and a copy of the malware itself. The package obtains the infected host's IP address, scans for new devices, and downloads and executes a Gh0stRAT variant, the RAT that collects system and user information, all while remaining heavily encrypted.
The final RAT file is used to decrypt and install Loader.dll, another RAT that creates registry entries and runtime objects to ensure persistence.
Before one of its addresses on minexmr.com was shut down, ZombieBoy was mining at around 43 KH/s. This would earn the attackers slightly over $1,000 USD per month at current Monero prices.
ZombieBoy uses several servers running HFS (HTTP File Server) in order to acquire payloads.
ZombieBoy makes use of several exploits during execution:
- CVE-2017-9073, RDP vulnerability on Windows XP and Windows Server 2003
- CVE-2017-0143, SMB exploit
- CVE-2017-0146, SMB exploit
Full technical report here
Indicators of Compromise / What To Block
- ca.posthash[.]org – HFS (http file server)
- sm.posthash[.]org – HFS (http file server)
- dns.posthash[.]org – C2 server
- sm[dot]hashnice[dot]org – HFS (http file server)
- Minexmr[.]com – Old mine address
- minexmr[.]org – Current mine address
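As an added defender-side example (not code from the original report), the following Python normalises the defanged indicators listed above into matchable hostnames and checks them against DNS query logs; the log line layout and the sample lines are constructed assumptions.

```python
import re

# The page's indicator list in its defanged form (copied from above), keyed to what each host serves.
DEFANGED_INDICATORS = {
    "ca.posthash[.]org": "HFS payload server",
    "sm.posthash[.]org": "HFS payload server",
    "dns.posthash[.]org": "C2 server",
    "sm[dot]hashnice[dot]org": "HFS payload server",
    "Minexmr[.]com": "old mining pool address",
    "minexmr[.]org": "current mining pool address",
}

def refang(indicator: str) -> str:
    """Turn a defanged domain ('[.]' or '[dot]') back into a lower-case, matchable hostname."""
    return re.sub(r"\[\s*(?:\.|dot)\s*\]", ".", indicator.strip().lower())
BLOCKLIST = {refang(d): label for d, label in DEFANGED_INDICATORS.items()}

def matching_indicator(hostname: str):
    """Return (domain, label) if hostname equals a blocklisted domain or is a subdomain of one."""
    h = hostname.lower().rstrip(".")  # DNS logs may write names with a trailing dot
    for domain, label in BLOCKLIST.items():
        if h == domain or h.endswith("." + domain):
            return domain, label
    return None

# Constructed sample DNS-query log lines (not from the page): "timestamp client query TYPE name".
SAMPLE_DNS_LOG = """\
2018-07-18T10:01:02Z 10.0.0.17 query A www.example.com
2018-07-18T10:01:05Z 10.0.0.17 query A ca.posthash.org
2018-07-18T10:02:11Z 10.0.0.42 query A pool.MINEXMR.com
2018-07-18T10:02:30Z 10.0.0.42 query A dns.posthash.org.
2018-07-18T10:03:00Z 10.0.0.9  query A notca.posthash.org
"""
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+\S+\s+(\S+)$")

def scan_dns_log(text: str):
    """Return (timestamp, client, queried name, label) for every line that hits the blocklist."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname = m.groups()
        hit = matching_indicator(qname)
        if hit:
            hits.append((ts, client, qname.rstrip("."), hit[1]))
    return hits

if __name__ == "__main__":
    for ts, client, host, label in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{ts} {client} -> {host} ({label})")
```

Note that "notca.posthash.org" is deliberately not reported: the match requires a label boundary, so a lookalike that merely ends in the same characters does not trigger a false positive.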
MD5 File Hashes