Post published on 19 | 07 | 2018
Meet “ZombieBoy”, a new cryptomining malware worm that uses WinEggDrop instead of MassScan to search for new hosts and that is being almost continually updated. James Quinn explains how it works in a new Labs
Continuing the 2018 trend of cryptomining malware, I’ve found another family of mining malware similar to the “massminer” discovered in early May. I’m calling this family ZombieBoy since it uses a tool called ZombieBoyTools to drop the first dll.
ZombieBoy, like MassMiner, is a cryptomining worm that uses some exploits to spread. However, unlike MassMiner, ZombieBoy uses WinEggDrop instead of MassScan to search for new hosts. ZombieBoy is being continually updated, and I’ve been obtaining new samples almost daily.
An overview of ZombieBoy’s execution is below:
ZombieBoy uses several servers running HFS (http file server) in order to acquire payloads. The URLs that I have identified are below:
In addition, it appears to have a C2 server at dns[dot]posthash[dot]org.
ZombieBoy makes use of several exploits during execution:
ZombieBoy first uses the EternalBlue/DoublePulsar exploits to remotely install the main DLL. The program used to install the two exploits is called ZombieBoyTools and appears to be of Chinese origin. It uses Simplified Chinese as its language, and has been used to deploy a number of Chinese malware families (such as the IRONTIGER APT version of Gh0stRAT).
Once the DoublePulsar exploit is successfully executed, it loads and executes the first Dll of the malware. This downloads 123.exe from ca[dot]posthash[dot]org:443, saves it to “C:\%WindowsDirectory%\sys.exe”, and then executes it.
123.exe does several things on execution. First, it downloads the module from its file distribution servers. According to code analysis of 123.exe, it refers to this module as “64.exe”, but saves it to the victim as “boy.exe”. After saving the module, it executes it. 64.exe appears to be in charge of distributing ZombieBoy as well as holding the XMRIG miner.
In addition to downloading a module from its servers, 123.exe also drops and executes two modules. The first module is referred to in the code as “74.exe”. This is saved as “C:\Program Files(x86)\svchost.exe”. This appears to be a form of the age-old Gh0stRAT.
The second module is referred to in the code as “84.exe”. This is saved as “C:\Program Files(x86)\StormII\mssta.exe” and appears to be a RAT of unknown origin.
64.exe is the first module downloaded by ZombieBoy. 64.exe uses some anti-analysis techniques that are quite formidable. First, the entire executable is encrypted with the packer Themida, making reverse-engineering difficult. Also, in current versions of ZombieBoy, it will detect a VM and subsequently not run.
64.exe drops 70+ files into C:\Windows\IIS that consists of the XMRIG miner, the exploits, as well as a copy of itself that it names CPUInfo.exe.
64.exe obtains the public IP of the victim by connecting to ip[dot]3222[dot]net. It then uses WinEggDrop, a lightweight TCP scanner, to scan the network for more targets with port 445 open. It uses the IP obtained above as well as the local IP to spread to the local network as well as the public IP netrange.
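The scanning behaviour described above leaves a recognisable footprint in flow or firewall logs: one source contacting many distinct peers on TCP/445 in a short span, which a normal SMB client (many flows to a few servers) does not. The following is an added detection example, not code from the post; the flow records are constructed, and the 5-minute window and 10-host threshold are assumed tuning values.

```python
"""Flag hosts that sweep TCP/445 across many distinct peers, the footprint a
WinEggDrop-style scan like ZombieBoy's leaves in flow or firewall logs.
Added example, not code from the post; the flow records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_flows():
    """Constructed flow records as (timestamp, src, dst, dport); not real traffic."""
    base = datetime(2018, 7, 19, 10, 0, 0)
    rows = []
    # Worm-like sweep: one source, 20 distinct peers on 445 within 40 seconds.
    for i in range(20):
        rows.append((base + timedelta(seconds=2 * i), "10.0.0.5", f"10.0.0.{100 + i}", 445))
    # Legitimate file-share client: many SMB flows, but all to one server.
    for i in range(30):
        rows.append((base + timedelta(seconds=10 * i), "10.0.0.8", "10.0.0.2", 445))
    # Slow probe: 12 peers spread over 5.5 hours, far wider than a 5-minute window.
    for i in range(12):
        rows.append((base + timedelta(minutes=30 * i), "10.0.0.9", f"10.0.0.{200 + i}", 445))
    # Unrelated web traffic on another port.
    rows.append((base, "10.0.0.8", "10.0.0.3", 80))
    return rows


def find_sweeps(flows, port=445, min_targets=10, window_minutes=5):
    """Return {src: peak_distinct_targets} for every source that contacted at
    least `min_targets` distinct hosts on `port` inside some window_minutes span."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        counts = defaultdict(int)  # dst -> flows inside the current window
        left = 0
        peak = 0
        for ts, dst in events:
            counts[dst] += 1
            # Slide the left edge forward until every counted flow fits the window.
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
                left += 1
            peak = max(peak, len(counts))
        if peak >= min_targets:
            hits[src] = peak
    return hits


if __name__ == "__main__":
    for src, n in find_sweeps(build_sample_flows()).items():
        print(f"{src} touched {n} distinct hosts on tcp/445 within 5 minutes")
```

Widening the window (for example to several hours) also catches the slow probe in the sample data, at the cost of more noise from legitimate administrative tooling; the threshold should be set from a baseline of how many SMB peers hosts on the network normally contact.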
64.exe uses the DoublePulsar exploit to install both a SMB backdoor as well as an RDP backdoor.
In addition, 64.exe uses XMRIG to mine for XMR. Prior to shutting down one of its addresses on minexmr.com, ZombieBoy was mining at around 43KH/s. This would earn the attackers slightly over $1,000 per month at current Monero prices.
A new address has been found; however, ZombieBoy no longer uses minexmr.com to mine.
Using strace, I found that 64.exe was obtaining information about the victim, such as enumerating the OS architecture.
74.exe is the first module dropped by 123.exe, and the second module overall. In its base form, 74.exe is in charge of downloading, decrypting, and executing a Gh0stRAT DLL named NetSyst96.dll. In addition, 74.exe decrypts a series of arguments to be passed to NetSyst96.dll.
The arguments are as follows:
Once 74.exe has decrypted the arguments, it checks if NetSyst96.dll has already been downloaded and saved to C:\Program Files\AppPatch\mysqld.dll. It does this by calling CreateFileA with the CreationDisposition set to OPEN_EXISTING. If mysqld.dll is not found, 74.exe opens a connection to ca[dot]posthash[dot]org:443/ and downloads NetSyst96.dll, saving it as C:\Program Files\AppPatch\mysqld.dll.
NetSyst96.dll has 2 exported functions, DllFuUpgraddrs, and DllFuUpgraddrs1. After saving NetSyst96.dll as mysqld.dll, 74.exe locates DllFuUpgraddrs in NetSyst96.dll before calling it.
NetSyst96.dll is the DLL called by 74.exe. It is typically stored encrypted, but an analysis of the decrypted file returns some interesting strings which can be used to identify it, such as “Game Over Good Luck By Wind” and “jingtisanmenxiachuanxiao.vbs”.
Strings screenshot showing some of the dropped files
NetSyst96.dll can capture the user’s screen, record audio, and even edit the clipboard. Also, a strings analysis revealed that it imports keyboard key names, typical of a keylogger. First, NetSyst96.dll obtains the Environment Strings path and uses that to build the path C:\Program Files (x86)\svchost.exe. Next, using CreateToolhelp32Snapshot, NetSyst96.dll searches the running processes for Rundll32.exe in order to determine whether this is the first time the DLL has run.
On the first run, NetSyst96.dll does a couple of things to maintain persistence:
On subsequent runs, NetSyst96.dll is more concerned with connecting to the C2 server:
While the command that triggers this function is unknown, I did uncover a 31-option switch-case that seems to be the command set for NetSyst96.dll. See the Appendix for a more in-depth analysis of some of the 31 options.
84.exe is the second module dropped by 123.exe, and the third module overall. Just like 74.exe, it appears to be a RAT. However, that is where the similarities stop. Unlike 74.exe, 84.exe does not need to download any additional libraries and instead decrypts and executes Loader.dll from its own memory. In addition, 84.exe uses a function to decrypt Loader.dll that involves throwing exceptions for every character that needs to be decrypted.
Additional run through information:
In addition, once Loader.dll is called, 84.exe passes a series of variables to Loader.dll through a function called ‘Update’.
Of the strings passed to Loader.dll, 3 are encrypted. The decrypted strings are as follows:
Loader.dll is a RAT with some interesting features, like the ability to search for the CPU write speed, as well as search the system for antiviruses.
Launched by 84.exe, the first thing Loader.dll does is obtain the variables from ‘Update’ in 84.exe. At this point, Loader.dll creates several important runtime objects:
Loader.dll then searches the registry for “dazsks fsdgsdf” in SYSTEM/CurrentControlSet/Services/Dazsks Fsdgsdf, which is used to determine whether this is the first time the malware has run.
First run:
Subsequent runs:
After determining which run this is, Loader.dll enters the main loop of the program.
Main loop:
The best way to mitigate ZombieBoy is, as always, avoidance, which is why I recommend keeping your systems on their most recent updates. Specifically, MS17-010 will fix the malware’s spreading capabilities.
If you are infected by ZombieBoy, however, the first thing you should do is take a couple of deep breaths. Next, I’d recommend scanning your system with antivirus software of your choice.
Once the scan has finished, you should find and end any open processes currently being run by ZombieBoy such as:
In addition, delete the following registry keys:
Also, delete any files dropped by the malware such as:
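The cleanup steps above amount to matching a host against the artifacts named throughout this post: the dropped file paths, the Dazsks Fsdgsdf service key, processes running from the wrong place (a svchost.exe outside the system directories, or anything under C:\Windows\IIS), and lookups of the distribution and C2 hostnames. The following triage script is an added example, not tooling from the post. It assumes the Windows directory is C:\Windows (the post writes %WindowsDirectory%), re-joins the de-fanged hostnames with dots, leaves out boy.exe because its drop location is not stated, and runs over a constructed host snapshot rather than a live system.

```python
"""Triage a host snapshot against the file, registry, process and DNS artifacts
the write-up attributes to ZombieBoy. Added example, not the post's own tooling.
Assumptions: the Windows directory is C:\\Windows, and the de-fanged hostnames
from the post are re-joined with dots. The snapshot below is constructed."""

# Artifacts named in the post (boy.exe is omitted: its drop location is not stated).
FILE_INDICATORS = [
    r"C:\Windows\sys.exe",                        # 123.exe, saved by the first DLL
    r"C:\Program Files (x86)\svchost.exe",        # 74.exe (Gh0stRAT loader)
    r"C:\Program Files (x86)\StormII\mssta.exe",  # 84.exe
    r"C:\Program Files\AppPatch\mysqld.dll",      # NetSyst96.dll
    r"C:\Windows\IIS\CPUInfo.exe",                # copy of 64.exe
]
DROP_DIR = r"C:\Windows\IIS"  # 64.exe drops 70+ files (miner, exploits) here
REGISTRY_INDICATORS = [r"HKLM\SYSTEM\CurrentControlSet\Services\Dazsks Fsdgsdf"]
NETWORK_INDICATORS = {"dns.posthash.org", "ca.posthash.org", "ip.3222.net"}
# A genuine svchost.exe only runs from the system directories; any other path is suspect.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def normalize(path):
    """Case-fold and use backslashes so paths from different tools compare equal."""
    return path.strip().lower().replace("/", "\\").rstrip("\\")


def triage(snapshot):
    """snapshot keys: "files" (paths), "registry" (keys), "processes" ((name, image)
    pairs), "dns" (names queried). Returns the matched entries per category."""
    file_set = {normalize(p) for p in FILE_INDICATORS}
    reg_set = {normalize(k) for k in REGISTRY_INDICATORS}
    drop = normalize(DROP_DIR)
    findings = {"files": [], "registry": [], "processes": [], "dns": []}

    for path in snapshot.get("files", []):
        if normalize(path) in file_set:
            findings["files"].append(path)

    for key in snapshot.get("registry", []):
        if normalize(key) in reg_set:
            findings["registry"].append(key)

    for name, image in snapshot.get("processes", []):
        norm = normalize(image)
        directory, _, base = norm.rpartition("\\")
        in_drop_dir = directory == drop or directory.startswith(drop + "\\")
        rogue_svchost = base == "svchost.exe" and directory not in LEGIT_SVCHOST_DIRS
        if norm in file_set or in_drop_dir or rogue_svchost:
            findings["processes"].append((name, image))

    for host in snapshot.get("dns", []):
        # Trailing dot and case are irrelevant in DNS names.
        if host.strip().lower().rstrip(".") in NETWORK_INDICATORS:
            findings["dns"].append(host)

    return findings


def build_sample_snapshot():
    """Constructed host snapshot mixing clean entries with ZombieBoy artifacts."""
    return {
        "files": [
            r"C:\Windows\System32\svchost.exe",
            r"C:\Program Files (x86)\svchost.exe",
            "c:/program files/apppatch/mysqld.dll",  # forward slashes, as some tools emit
            r"C:\Windows\notepad.exe",
        ],
        "registry": [
            r"HKLM\SYSTEM\CurrentControlSet\Services\Dnscache",
            r"HKLM\SYSTEM\CurrentControlSet\Services\Dazsks Fsdgsdf",
        ],
        "processes": [
            ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
            ("svchost.exe", r"C:\Program Files (x86)\svchost.exe"),
            ("CPUInfo.exe", r"C:\Windows\IIS\CPUInfo.exe"),
            ("explorer.exe", r"C:\Windows\explorer.exe"),
        ],
        "dns": ["www.microsoft.com", "ca.posthash.org", "DNS.POSTHASH.ORG."],
    }


if __name__ == "__main__":
    for category, items in triage(build_sample_snapshot()).items():
        print(category, items)
```

Path matching is done after case-folding and slash normalisation because file listings, process snapshots and EDR exports rarely agree on either; the svchost.exe location check is the one rule here that generalises beyond this family, since a copy of that name outside System32 or SysWOW64 is never legitimate.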