This is a guest post by independent security researcher James Quinn.

Continuing the 2018 trend of cryptomining malware, I’ve found another family of mining malware similar to the MassMiner family discovered in early May. I’m calling this family ZombieBoy, since it uses a tool called ZombieBoyTools to drop the first DLL.

ZombieBoy, like MassMiner, is a cryptomining worm that uses several exploits to spread. However, unlike MassMiner, ZombieBoy uses WinEggDrop instead of MassScan to search for new hosts. ZombieBoy is being continually updated, and I’ve been obtaining new samples almost daily.

An overview of ZombieBoy’s execution is below:

Domains

ZombieBoy uses several servers running HFS (HTTP File Server) to distribute its payloads. The URLs that I have identified are below:

ca[dot]posthash[dot]org:443/

sm[dot]posthash[dot]org:443/

sm[dot]hashnice[dot]org:443/

In addition, it appears to have a C2 server at dns[dot]posthash[dot]org.
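As an added example (not part of the original post), the Python script below refangs the domains listed above, together with the public-IP lookup hosts and the port 5200 beacon that the post describes later for 64.exe, NetSyst96.dll and Loader.dll, and runs them over a few constructed DNS/proxy log lines. The log layout, the client addresses, the request paths, and the rule that treats any other host under posthash.org or hashnice.org as suspect are assumptions of this example, not facts from the post.

```python
"""Flag ZombieBoy network indicators in a constructed DNS/proxy log (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Indicators from the post, kept defanged as the author wrote them and refanged
# once below so they can be compared against real log fields.
DEFANGED_HOSTS = {
    "ca[dot]posthash[dot]org": "HFS payload server",
    "sm[dot]posthash[dot]org": "HFS payload server",
    "sm[dot]hashnice[dot]org": "HFS payload server",
    "dns[dot]posthash[dot]org": "C2 server",
    "ip[dot]3222[dot]net": "public-IP lookup used by 64.exe",
    "www[dot]ip123[dot]com[dot]cn": "IP lookup used by NetSyst96.dll",
}
# Assumption of this example (not stated in the post): any other host under the
# same zones is treated as suspect, at lower confidence.
SUSPECT_ZONES = ("posthash.org", "hashnice.org")
C2_PORT = 5200
# Loader.dll's beacon as quoted in the post: "Get /?ocid = iefvrt HTTP/1.1".
BEACON_RE = re.compile(r"\?ocid\s*=\s*iefvrt", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn 'ca[dot]posthash[dot]org' into 'ca.posthash.org'."""
    return indicator.replace("[dot]", ".").replace("[.]", ".").lower()


IOC_HOSTS = {refang(host): why for host, why in DEFANGED_HOSTS.items()}


def classify_host(host: str) -> Optional[str]:
    """Return why a hostname is suspicious, or None if it matches nothing."""
    host = host.lower().rstrip(".")
    for ioc, why in IOC_HOSTS.items():
        if host == ioc or host.endswith("." + ioc):
            return f"known ZombieBoy host ({why})"
    for zone in SUSPECT_ZONES:
        if host == zone or host.endswith("." + zone):
            return f"host under ZombieBoy zone {zone} (assumed indicator)"
    return None


@dataclass
class Hit:
    line_no: int
    client: str
    reason: str


def scan_line(line_no: int, line: str) -> Optional[Hit]:
    """Constructed log layout: '<ts> <kind> <client> <host[:port]> [request line]'."""
    fields = line.split(" ", 4)
    if len(fields) < 4:
        return None
    _ts, kind, client, target = fields[:4]
    request = fields[4] if len(fields) > 4 else ""
    host, _, port = target.partition(":")
    reasons = []
    why = classify_host(host)
    if why:
        reasons.append(why)
        if port == str(C2_PORT):
            reasons.append(f"connection to C2 port {C2_PORT}")
    if kind == "HTTP" and BEACON_RE.search(request):
        reasons.append("Loader.dll beacon request line")
    if not reasons:
        return None
    return Hit(line_no, client, "; ".join(reasons))


def scan_log(lines: List[str]) -> List[Hit]:
    """Run scan_line over every line and keep the hits."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        hit = scan_line(line_no, line)
        if hit:
            hits.append(hit)
    return hits


def infected_clients(lines: List[str]) -> Set[str]:
    """Client addresses that touched at least one indicator."""
    return {hit.client for hit in scan_log(lines)}


# Constructed sample log (not real traffic): timestamps, clients and paths are made up.
SAMPLE_LOG = [
    "2018-07-10T12:00:01Z DNS 10.0.0.5 ca.posthash.org",
    "2018-07-10T12:00:02Z HTTP 10.0.0.5 ca.posthash.org:443 GET /123.exe HTTP/1.1",
    "2018-07-10T12:00:05Z DNS 10.0.0.5 www.ip123.com.cn",
    "2018-07-10T12:00:06Z HTTP 10.0.0.5 dns.posthash.org:5200 Get /?ocid = iefvrt HTTP/1.1",
    "2018-07-10T12:00:07Z DNS 10.0.0.9 www.example.com",
    "2018-07-10T12:00:08Z HTTP 10.0.0.9 www.example.com:443 GET / HTTP/1.1",
    "2018-07-10T12:00:09Z DNS 10.0.0.7 cdn.posthash.org",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.client}: {hit.reason}")
```

Matching is done on the host field with subdomain awareness rather than by substring, so a domain such as notposthash.org does not trip the zone rule; the beacon rule keys on the unusual `?ocid = iefvrt` query rather than on the port alone, which keeps ordinary traffic on port 5200 from being flagged by itself.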

Exploits

ZombieBoy makes use of several exploits during execution:

CVE-2017-9073, RDP vulnerability on Windows XP and Windows Server 2003

CVE-2017-0143, SMB exploit

CVE-2017-0146, SMB exploit

Installation

ZombieBoy first uses the EternalBlue/DoublePulsar exploits to remotely install the main DLL. The program used to deliver the two exploits is called ZombieBoyTools and appears to be of Chinese origin. It uses Simplified Chinese as its language, and it has been used to deploy a number of Chinese malware families (such as the IRONTIGER APT version of Gh0stRAT).

ZombieBoyTools screenshot

Once the DoublePulsar exploit has succeeded, it loads and executes the first DLL of the malware. This DLL downloads 123.exe from ca[dot]posthash[dot]org:443, saves it to “C:\%WindowsDirectory%\sys.exe”, and then executes it.

Set up

123.exe does several things on execution. First, it downloads the module [1] from the file distribution servers. According to code analysis of 123.exe, it refers to this module as “64.exe” but saves it on the victim as “boy.exe”. After saving the module, it executes it. 64.exe appears to be in charge of spreading ZombieBoy as well as carrying the XMRIG miner.

In addition to downloading a module from its servers, 123.exe also drops and executes two modules. The first module is referred to in the code as “74.exe” and is saved as “C:\Program Files(x86)\svchost.exe”. This appears to be a variant of the age-old Gh0stRAT.

The second module is referred to in the code as “84.exe”. This is saved as “C:\Program Files(x86)\StormII\mssta.exe” and appears to be a RAT of unknown origin.

64.exe

64.exe is the first module downloaded by ZombieBoy. 64.exe uses some quite formidable anti-analysis techniques. First, the entire executable is protected with the Themida packer, which makes reverse engineering difficult. Also, current versions of ZombieBoy detect when they are running in a VM and then refuse to run.

64.exe drops 70+ files into C:\Windows\IIS, consisting of the XMRIG miner, the exploits, and a copy of itself that it names CPUInfo.exe.

64.exe obtains the victim’s public IP by connecting to ip[dot]3222[dot]net. It then uses WinEggDrop, a lightweight TCP port scanner, to scan for further targets with port 445 open. It uses both the public IP obtained above and the local IP, so that it spreads to the local network as well as to the public IP range.

64.exe uses the DoublePulsar exploit to install both an SMB backdoor and an RDP backdoor.

DoublePulsar screenshot

In addition, 64.exe uses XMRIG to mine for XMR. Before one of its addresses on minexmr.com was shut down, ZombieBoy was mining at around 43 KH/s. This would earn the attackers slightly over $1,000 per month at current Monero prices.

A new address has been found; however, ZombieBoy no longer uses minexmr.com to mine.

Known Addresses:

42MiUXx8i49AskDATdAfkUGuBqjCL7oU1g7TsU3XCJg9Maac1mEEdQ2X9vAKqu1pvkFQUuZn2HEzaa5UaUkMMfJHU5N8UCw

49vZGV8x3bed3TiAZmNG9zHFXytGz45tJZ3g84rpYtw78J2UQQaCiH6SkozGKHyTV2Lkd7GtsMjurZkk8B9wKJ2uCAKdMLQ

Using strace, I found that 64.exe was obtaining information about the victim, such as enumerating the OS architecture.

74.exe

74.exe is the first module dropped by 123.exe, and the second module overall. In its base form, 74.exe is in charge of downloading, decrypting, and executing a Gh0stRAT DLL named NetSyst96.dll. In addition, 74.exe decrypts a series of arguments to be passed to NetSyst96.dll.

The arguments are as follows:

Dns.posthash.org 127.0.0.1 5742944442 YP_70608 ANqiki cmsuucs Aamqcygqqeqkia Fngzxzygdgkywoyvkxlpv ldv %ProgramFiles%/ Svchost.exe Add Eeie saswuk wso

Decryption Screenshot

Once 74.exe has decrypted the arguments, it checks whether NetSyst96.dll has already been downloaded and saved to C:\Program Files\AppPatch\mysqld.dll. It does this by calling CreateFileA with dwCreationDisposition set to OPEN_EXISTING. If mysqld.dll is not found, 74.exe opens a connection to ca[dot]posthash[dot]org:443/ and downloads NetSyst96.dll, saving it as C:\Program Files\AppPatch\mysqld.dll.

NetSyst96.dll has two exported functions, DllFuUpgraddrs and DllFuUpgraddrs1. After saving NetSyst96.dll as mysqld.dll, 74.exe locates DllFuUpgraddrs in NetSyst96.dll and calls it.

NetSyst96.dll

NetSyst96.dll is the DLL called by 74.exe. It is typically stored encrypted, but analysis of the decrypted file reveals some interesting strings that can be used to identify it, such as “Game Over Good Luck By Wind” and “jingtisanmenxiachuanxiao.vbs”.

Strings screenshot showing some of the dropped files

NetSyst96.dll can capture the user’s screen, record audio, and even edit the clipboard. Also, a strings analysis revealed that it references keyboard keys, which is typical of a keylogger. First, NetSyst96.dll obtains the environment strings path and uses it to build the path C:\Program files (x86)\svchost.exe. Next, using CreateToolhelp32Snapshot, NetSyst96.dll searches the running processes for Rundll32.exe in order to determine whether this is the first time the DLL has run.

On a first run-through, NetSyst96.dll does a couple of things to maintain persistence:

Saves a copy of 74.exe as C:\Program Files(x86)\svchost.exe

Registers “ANqiki cmsuucs” as a service under System/CurrentControlSet/Services/ANqiki cmsuucs; when the service is launched, it runs svchost.exe.

Adds MARKTIME to the registry key, appending the time it was last launched.

Uses a snapshot from CreateToolhelp32Snapshot to search the running processes for svchost.exe:

If none is found, launches it and loops back to searching for svchost.exe.

If exactly one is found, saves svchost.exe to Run.

If more than one is found, calls a function that creates a VBS script to delete the extra svchost.exe.

On subsequent run-throughs, NetSyst96.dll is more concerned with connecting to the C2 server:

Locate and verify that “System/CurrentControlSet/Services/ANqiki cmsuucs” exists. If it doesn’t exist, create the key as above; if it does exist, continue to step 2.

Create an event named “Eeie saswuk wso”.

Enumerate and change the input desktop.

Pass the C2 server IP to C2URL (dns[dot]posthash[dot]org).

Start WSA (Winsock 2.0).

Connect to www[dot]ip123[dot]com[dot]cn and obtain the IP of dns[dot]posthash[dot]org. The actual IP is subject to change; at the time of writing it is 211.23.47[dot]186.

Reset the event.

Connect to the C2 server and await commands.

While the command that triggers this function is unknown, I did uncover a 31-option switch-case that seems to hold the command options for NetSyst96.dll. See the Appendix for a more in-depth analysis of some of the 31 options.

84.exe

84.exe is the second module dropped by 123.exe, and the third module overall. Just like 74.exe, it appears to be a RAT. However, that is where the similarities stop. Unlike 74.exe, 84.exe does not need to download any additional libraries and instead decrypts and executes Loader.dll from its own memory. In addition, 84.exe uses a function to decrypt Loader.dll that involves throwing exceptions for every character that needs to be decrypted.

Additional run through information:

Sets the user’s environment strings to C:\Program Files(x86)\StormII\

In addition, once Loader.dll is called, 84.exe passes a series of variables to Loader.dll through a function called ‘Update’.

Variables

ChDz0PYP8/oOBfMO0A/0B6Y=

0

6gkIBfkS+qY=

dazsks fsdgsdf

daac gssosjwayw

|_+f+

fc45f7f71b30bd66462135d34f3b6c66

EQr8/KY=

C:\Program Files(x86)\StormII

Mssta.exe

0

Ccfcdaa

Various integers

Of the strings passed to Loader.dll, three are encrypted. The decrypted strings are as follows:

[ChDz0PYP8/oOBfMO0A/0B6Y=] = "dns[dot]posthash[dot]org"

[6gkIBfkS+qY=] = "Default"

[EQr8/KY=] = "mdzz"

Loader.dll

Loader.dll is a RAT with some interesting features, such as the ability to look up the CPU write speed and to search the system for antivirus software.

Launched by 84.exe, the first thing Loader.dll does is obtain the variables from ‘Update’ in 84.exe. At this point, Loader.dll creates several important runtime objects:

Uninheritable, non-signaled, auto-reset event named Null, handle: 0x84

Thread to execute a function that manipulates DesktopInfo

An input Desktop with the handle 0x8C and the flag DF_ALLOWOTHERACCOUNTS, which is set as the desktop of the calling thread.

Loader.dll then searches the system for “dazsks fsdgsdf” under SYSTEM/CurrentControlSet/Services/Dazsks Fsdgsdf, which is used to determine whether this is the first time the malware has run.

First Time Run:

Loader.dll creates the service Dazsks Fsdgsdf with ImagePath = C:\Program Files(x86)\StormII\mssta.exe

Loader.dll attempts to start the newly created service. If the attempt is successful, it continues to the main loop; if not, it exits.

Subsequent run-throughs:

Start services.exe with the argument Dazsks Fsdgsdf to start the service.

Continue to the main loop mentioned under First Time Run.

After determining whether this is a first or a subsequent run, Loader.dll enters the main loop of the program.

Main loop run through:

Creates an uninheritable, auto-reset, non-signaled event named ‘ccfcdaa’ with a handle of 0x8C.

Decrypts ChDz0PYP8/oOBfMO0A/0B6Y= to ‘dns[dot]posthash[dot]org’.

Starts the WinSock object.

Creates an uninheritable, unsignaled, manual-reset event object named null with the handle 0x90.

Assembles the GET request “Get /?ocid = iefvrt HTTP/1.1”.

Connects to dns[dot]posthash[dot]org:5200.

Obtains information about the OS using GetVersionEx.

Loads ntdll.dll and calls RtlGetVersionNumbers.

Saves System\CurrentControlSet\Services\(null) to the registry.

Obtains the socket name.

Obtains the CPU refresh speed from Hardware\Description\System\CentralProcessor\.

Calls GetVersion to obtain the system info.

Calls GlobalMemoryStatusEx to obtain the status of the available global memory.

Enumerates all available disk drives starting at ‘A:/’ using GetDriveTypeA.

Obtains the total amount of free space available on each enumerated drive.

Initializes the COM library.

Appends the current time to the service ‘dazsks fsdgsdf’ with the marktime function.

Obtains the system info of a system running under WOW64.

Uses a list of mostly Chinese AV software filenames and CreateToolhelp32Snapshot to take a snapshot of the running processes and identify any running AV programs.

Decrypts EQr8/KY= to “mdzz”.

Sends all the data obtained above to the C2 server at dns[dot]posthash[dot]org:5200.

Mitigation

The best way to mitigate ZombieBoy is, as always, to avoid infection in the first place, which is why I recommend keeping your systems fully patched. Specifically, MS17-010 closes the SMB vulnerabilities the malware uses to spread.

If you are infected by ZombieBoy, however, the first thing you should do is take a couple of deep breaths. Next, I’d recommend scanning your system with the antivirus software of your choice.

Once the scan has finished, you should find and end any running processes belonging to ZombieBoy, such as:

123.exe

64.exe

74.exe

84.exe

CPUinfo.exe

N.exe

S.exe

Svchost.exe (note the file location; end any svchost.exe process not originating from C:\Windows\System32)

In addition, delete the following registry keys:

SYSTEM/CurrentControlSet/Services/Dazsks Fsdgsdf

SYSTEM/CurrentControlSet/Services/ANqiki cmsuucs

Also, delete any files dropped by the malware such as:

C:\%WindowsDirectory%\sys.exe

C:\windows\%system%\boy.exe

C:\windows\IIS\cpuinfo.exe

All of the 70+ files dropped in C:\Windows\IIS

C:\Program Files(x86)\svchost.exe

C:\Program Files\AppPatch\mysqld.dll

C:\Program Files(x86)\StormII\mssta.exe

C:\Program Files(x86)\StormII\*
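The clean-up list above, together with the persistence mechanisms described earlier for NetSyst96.dll and Loader.dll (the two service names, the svchost.exe copy outside System32, and the C:\Windows\IIS drop directory), can be turned into a repeatable host check. The Python script below is an added example, not code from the post or from the malware: it evaluates a constructed process, service and file inventory against those indicators and reports what should be ended or deleted. The inventory contents, the use of a default C:\Windows install in place of the %WindowsDirectory% and %system% placeholders, and the on-disk spelling “Program Files (x86)” (which the post writes without the space) are assumptions of this example.

```python
"""Check a host inventory against the ZombieBoy host indicators (added example)."""
import ntpath
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Process names listed under Mitigation (compared case-insensitively).
PROCESS_NAMES = {"123.exe", "64.exe", "74.exe", "84.exe", "cpuinfo.exe", "n.exe", "s.exe"}
# Services registered by NetSyst96.dll and Loader.dll; their
# SYSTEM\CurrentControlSet\Services\<name> keys are the registry step from the post.
SERVICE_NAMES = {"anqiki cmsuucs", "dazsks fsdgsdf"}
# Dropped files. Assumptions: a default C:\Windows install stands in for the
# %WindowsDirectory% and %system% placeholders, and "Program Files (x86)" is
# spelled as on disk (the post omits the space).
DROPPED_FILES = {
    r"C:\Windows\sys.exe",
    r"C:\Windows\System32\boy.exe",
    r"C:\Windows\IIS\cpuinfo.exe",
    r"C:\Program Files (x86)\svchost.exe",
    r"C:\Program Files\AppPatch\mysqld.dll",
    r"C:\Program Files (x86)\StormII\mssta.exe",
}
# Directories the malware fills: the 70+ files in IIS and everything under StormII.
DROPPED_DIRS = {r"C:\Windows\IIS", r"C:\Program Files (x86)\StormII"}
SYSTEM32 = r"C:\Windows\System32"


def canon(path: str) -> str:
    """Case-fold and normalise separators so paths compare the way NTFS treats them."""
    return ntpath.normcase(ntpath.normpath(path))


CANON_FILES = {canon(p) for p in DROPPED_FILES}
CANON_DIRS = {canon(d) for d in DROPPED_DIRS}
CANON_SYSTEM32 = canon(SYSTEM32)


def inside(path: str, directory: str) -> bool:
    """True if the canonical path lies under the canonical directory."""
    return path.startswith(directory + "\\")


@dataclass
class Process:
    pid: int
    name: str
    image_path: str


@dataclass
class Finding:
    kind: str  # "process", "service" or "file"
    subject: str
    reason: str


def check_process(proc: Process) -> Optional[Finding]:
    name = proc.name.lower()
    path = canon(proc.image_path)
    subject = f"{proc.name} (pid {proc.pid}, {proc.image_path})"
    if name in PROCESS_NAMES:
        return Finding("process", subject, "process name listed in the post")
    # The post's note: svchost.exe is legitimate only when run from System32.
    if name == "svchost.exe" and ntpath.dirname(path) != CANON_SYSTEM32:
        return Finding("process", subject, "svchost.exe not running from System32")
    for directory in CANON_DIRS:
        if inside(path, directory):
            return Finding("process", subject, f"running from drop directory {directory}")
    return None


def check_service(service_name: str) -> Optional[Finding]:
    if service_name.lower() in SERVICE_NAMES:
        return Finding("service", service_name, "service registered by ZombieBoy for persistence")
    return None


def check_file(path: str) -> Optional[Finding]:
    c = canon(path)
    if c in CANON_FILES:
        return Finding("file", path, "file dropped by ZombieBoy")
    for directory in CANON_DIRS:
        if inside(c, directory):
            return Finding("file", path, f"inside drop directory {directory}")
    return None


def audit(processes: Iterable[Process], services: Iterable[str], files: Iterable[str]) -> List[Finding]:
    """Evaluate every inventory entry; findings come out as processes, then services, then files."""
    checks = ([check_process(p) for p in processes] + [check_service(s) for s in services]
              + [check_file(f) for f in files])
    return [finding for finding in checks if finding]


# Constructed inventory (not from a real host); pids and the unlisted names are made up.
SAMPLE_PROCESSES = [
    Process(812, "svchost.exe", r"C:\Windows\System32\svchost.exe"),     # clean
    Process(1200, "explorer.exe", r"C:\Windows\explorer.exe"),            # clean
    Process(2208, "svchost.exe", r"C:\Program Files (x86)\svchost.exe"),  # 74.exe copy
    Process(2300, "CPUInfo.exe", r"C:\Windows\IIS\CPUInfo.exe"),         # 64.exe copy
    Process(2412, "s.exe", r"C:\Windows\IIS\s.exe"),                      # listed name
    Process(2500, "xyz.exe", r"C:\Windows\IIS\xyz.exe"),                  # unlisted, but in IIS
]
SAMPLE_SERVICES = ["Spooler", "Dazsks Fsdgsdf", "ANqiki cmsuucs"]
SAMPLE_FILES = [
    r"C:\Program Files\AppPatch\mysqld.dll",
    r"C:\Program Files (x86)\StormII\mssta.exe",
    r"C:\Program Files (x86)\StormII\loader.bin",  # constructed extra file
    r"C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROCESSES, SAMPLE_SERVICES, SAMPLE_FILES):
        print(f"[{finding.kind}] {finding.subject}: {finding.reason}")
```

Path comparison goes through ntpath so the check behaves the same whether the inventory was exported from the host with forward or backward slashes or mixed case, and the directory rules catch the 70+ unnamed IIS files that no name list could enumerate.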

Indicators of Compromise