ZombieBoy Cryptocurrency RAT & Worm

ZombieBoy is a collection of remote access trojans (RAT) used to automatically identify and infect devices with cryptocurrency miners.

The initial malware package, ZombieBoy.dll, is delivered using the EternalBlue and DoublePulsar exploits, with potential targets identified using the WinEggDrop port scanner. Once this is installed several files are executed.

These are a sequence of executable files which initially download over 70 files These include the XMRig module, the exploits and a copy of itself on the device It obtains the user’s IP address, scans for new devices, downloads and execute a Gh0stRat variant the RAT that collects system and user information. Whilst remaining heavily encrypted.

The final RAT file is used to decrypt and install Loader.dll, another RAT that creates registry entries and runtime objects to ensure persistence.

Prior to shutting down one of its addresses on minexmr.com, ZombieBoy was mining at around 43KH/s. This would earn the attackers slightly over $1,000 USD per month at current Monero prices.

ZombieBoy uses several servers running HFS (http file server) in order to acquire payloads.

ZombieBoy makes use of several exploits during execution:

Full technical report here

Indicators of Compromise / What To Block

URL’s

  • ca.posthash[.]org – HFS (http file server)
  • sm.posthash[.]org – HFS (http file server)
  • dns.posthash[.]org   – C2 server
  • sm[dot]hashnice[dot]org – HFS (http file server)
  • Minexmr[.]com – Old mine address
  • minexmr[.]org – Current mine address

Filenames

  • 64.exe
  • 74.exe
  • 84.exe
  • 123.exe
  • Netsyst96.dll
  • Loader.dll

MD5 File Hashes

  • 842133ddc2d57fd0f78491b7ba39a34d
  • 7327ef046fe62a26e5571c36b5c2c417
  • 785a7f6e1cd40b50ad788e5d7d3c8465
  • 79c6ead6fa4f4addd7f2f019716dd6ca
  • 38d7d4f6a712bff4ab212848802f5f9c
  • 6de21f2fd11d68b305b5e10d97b3f27e
  • 91ebe2de7fcb922c794a891ff8987124
  • 9a46a3ae2c3762964c5cbb63b62d7dee




ZombieBoyTools Screenshot

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: