This is a guest post by independent security researcher James Quinn.
Continuing the 2018 trend of cryptomining malware, I've found another family of mining malware similar to the MassMiner family discovered in early May. I'm calling this family ZombieBoy, since it uses a tool called ZombieBoyTools to drop the first DLL.
ZombieBoy, like MassMiner, is a cryptomining worm that uses exploits to spread. However, unlike MassMiner, ZombieBoy uses WinEggDrop rather than Masscan to search for new hosts. ZombieBoy is being continually updated, and I have been obtaining new samples almost daily.
An overview of ZombieBoy’s execution is below:
ZombieBoy uses several servers running HFS (HTTP File Server) to serve its payloads. The URLs that I have identified are below:
In addition, it appears to have a C2 server at dns[dot]posthash[dot]org.
ZombieBoy makes use of several exploits during execution:
- CVE-2017-9073, RDP vulnerability affecting Windows XP and Windows Server 2003
- CVE-2017-0143, SMB vulnerability (MS17-010)
- CVE-2017-0146, SMB vulnerability (MS17-010)
ZombieBoy first uses the EternalBlue/DoublePulsar exploits to remotely install the main DLL. The program used to deploy the two exploits is called ZombieBoyTools and appears to be of Chinese origin: its interface language is Simplified Chinese, and it has been used to deploy a number of Chinese malware families (such as the IRONTIGER APT version of Gh0stRAT).
Once the DoublePulsar backdoor is in place, it loads and executes the first DLL of the malware. This DLL downloads 123.exe from ca[dot]posthash[dot]org:443, saves it as sys.exe in the Windows directory ("C:\%WindowsDirectory%\sys.exe"), and then executes it.
123.exe does several things on execution. First, it downloads a module from the file distribution servers. According to code analysis of 123.exe, it refers to this module as "64.exe" but saves it on the victim as "boy.exe". After saving the module, it executes it. 64.exe appears to be in charge of spreading ZombieBoy as well as carrying the XMRig miner.
In addition to downloading a module from its servers, 123.exe also drops and executes two modules. The first is referred to in the code as "74.exe" and is saved as "C:\Program Files (x86)\svchost.exe". It appears to be a variant of the age-old Gh0stRAT.
The second module is referred to in the code as "84.exe". It is saved as "C:\Program Files (x86)\StormII\mssta.exe" and appears to be a RAT of unknown origin.
64.exe is the first module downloaded by ZombieBoy, and it uses some formidable anti-analysis techniques. First, the entire executable is protected with the Themida packer, which makes reverse engineering difficult. Also, current versions of ZombieBoy detect when they are running inside a VM and refuse to run.
64.exe drops 70+ files into C:\Windows\IIS, consisting of the XMRig miner, the exploits, and a copy of itself named CPUInfo.exe.
64.exe obtains the victim's public IP by connecting to ip[dot]3222[dot]net. It then uses WinEggDrop, a lightweight TCP port scanner, to look for further targets with port 445 open. It scans both the local network (derived from the local IP) and the netrange of the public IP obtained above, so an infected host probes its own Internet neighbourhood as well as the LAN.
64.exe then uses DoublePulsar to install both an SMB backdoor and an RDP backdoor on the hosts it reaches.
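The propagation behaviour just described (one host fanning out to many neighbours on TCP/445 in a short time) is also the thing a defender can key on. The following is an added example and not code from the original post: it reads simplified flow records ("timestamp src dst dport", one per line, a constructed format) and flags any source that reaches more than a threshold of distinct destinations on port 445 inside a sliding window. The sample records, the window and the threshold are all assumptions for illustration, not values taken from the post.

```python
"""Spot the TCP/445 sweep that ZombieBoy's WinEggDrop stage produces.

Added example, not code from the original post. It reads simplified flow
records ("timestamp src dst dport", one per line) and reports any source
that reaches more than THRESHOLD distinct destinations on port 445 inside
a WINDOW-second sliding window. The records below are constructed, and
the threshold and window are tuning assumptions, not values from the post."""
from collections import defaultdict, deque
from datetime import datetime

WINDOW = 60      # seconds of history kept per source (assumption)
THRESHOLD = 20   # distinct port-445 peers within WINDOW before alerting (assumption)

# Constructed sample: 10.0.0.5 fans out to 25 peers on 445 in under a
# minute (worm-like); 10.0.0.7 talks to its file server a few times (benign);
# 10.0.0.9 makes an unrelated HTTP request.
SAMPLE_FLOWS = "\n".join(
    [f"2018-07-18T10:00:{i:02d} 10.0.0.5 10.0.0.{100 + i} 445" for i in range(25)]
    + [
        "2018-07-18T10:00:10 10.0.0.7 10.0.0.50 445",
        "2018-07-18T10:00:20 10.0.0.7 10.0.0.50 445",
        "2018-07-18T10:01:30 10.0.0.7 10.0.0.51 445",
        "2018-07-18T10:00:30 10.0.0.9 10.0.0.1 80",
    ]
)


def parse_flows(text):
    """Yield (epoch_seconds, src, dst, dport) tuples from the text format above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        yield datetime.fromisoformat(ts).timestamp(), src, dst, int(dport)


def find_smb_sweepers(flows, window=WINDOW, threshold=THRESHOLD):
    """Return {src: peak distinct 445 peers seen in one window} for sources over threshold."""
    recent = defaultdict(deque)   # src -> (ts, dst) pairs inside the current window
    peak = defaultdict(int)
    for ts, src, dst, dport in sorted(flows):
        if dport != 445:
            continue
        history = recent[src]
        history.append((ts, dst))
        # drop entries older than the window, then count distinct peers left
        while history and ts - history[0][0] > window:
            history.popleft()
        distinct = len({peer for _, peer in history})
        peak[src] = max(peak[src], distinct)
    return {src: n for src, n in peak.items() if n > threshold}


if __name__ == "__main__":
    for src, n in find_smb_sweepers(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT {src}: {n} distinct hosts on tcp/445 within {WINDOW}s")
```

On the constructed sample only 10.0.0.5 trips the detector. The threshold has to be tuned per environment: a domain controller or a backup server legitimately reaches many hosts on 445, so in practice the alert is best scoped to workstation subnets, where a single host talking SMB to dozens of peers in a minute is almost never benign.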
In addition, 64.exe runs XMRig to mine Monero (XMR). Before one of its addresses on minexmr.com was shut down, ZombieBoy was mining at around 43 KH/s, which would earn the attackers slightly over $1,000 per month at Monero prices at the time of writing.
A new address has since been found; however, ZombieBoy no longer uses minexmr.com to mine.
Using strace, I found that 64.exe was also obtaining information about the victim, such as the OS architecture.
74.exe is the first module dropped by 123.exe, and the second module overall. In its base form, 74.exe is in charge of downloading, decrypting, and executing a Gh0stRAT DLL named NetSyst96.dll. In addition, 74.exe decrypts a series of arguments to be passed to NetSyst96.dll.
The arguments are as follows:
- ANqiki cmsuucs
- Fngzxzygdgkywoyvkxlpv ldv
- Eeie saswuk wso
Once 74.exe has decrypted the arguments, it checks whether NetSyst96.dll has already been downloaded and saved as C:\Program Files\AppPatch\mysqld.dll. It does this by calling CreateFileA with dwCreationDisposition set to OPEN_EXISTING, which fails if the file is absent. If mysqld.dll is not found, 74.exe opens a connection to ca[dot]posthash[dot]org:443/ and downloads NetSyst96.dll, saving it as C:\Program Files\AppPatch\mysqld.dll.
NetSyst96.dll has two exported functions, DllFuUpgraddrs and DllFuUpgraddrs1. After saving NetSyst96.dll as mysqld.dll, 74.exe loads it, locates DllFuUpgraddrs and calls it.
NetSyst96.dll is the DLL that 74.exe calls. It is typically stored encrypted, but the decrypted file contains some distinctive strings that can be used to identify it, such as "Game Over Good Luck By Wind" and "jingtisanmenxiachuanxiao.vbs".
[Screenshot: strings output showing some of the dropped files]
NetSyst96.dll can capture the user's screen, record audio, and even edit the clipboard. A strings analysis also revealed key-name strings of the kind a keylogger uses. First, NetSyst96.dll reads the environment strings and uses them to build the path C:\Program Files (x86)\svchost.exe. Next, using CreateToolhelp32Snapshot, it searches the running processes for rundll32.exe to determine whether this is the first time the DLL is run.
On the first run, NetSyst96.dll does a couple of things to establish persistence:
- Saves a copy of 74.exe as C:\Program Files (x86)\svchost.exe
- Registers "ANqiki cmsuucs" as a service under SYSTEM\CurrentControlSet\Services\ANqiki cmsuucs
- When the service is launched, it runs that svchost.exe copy
- Adds a MARKTIME value to the service's registry key, recording the time it was last launched
- Takes a snapshot with CreateToolhelp32Snapshot and searches the running processes for svchost.exe (presumably matching on its own path, since a Windows system always runs many legitimate svchost.exe instances)
- If none is found, launches it and loops back to searching for svchost.exe
- If exactly one is found, adds svchost.exe to the Run key
- If more than one is found, calls a function that creates a VBS script to delete the extra svchost.exe
On subsequent runs, NetSyst96.dll is more concerned with connecting to the C2 server:
- Locates and verifies that SYSTEM\CurrentControlSet\Services\ANqiki cmsuucs exists
- If it doesn't exist, creates the key as above
- If it does exist, continues with the next step
- Creates an event named "Eeie saswuk wso"
- Enumerates and switches the input desktop
- Passes the C2 server hostname (dns[dot]posthash[dot]org) to C2URL
- Initializes Winsock 2.0 (WSAStartup)
- Connects to www[dot]ip123[dot]com[dot]cn to obtain the IP of dns[dot]posthash[dot]org
- The actual IP is subject to change; at the time of writing it was 211.23.47[dot]186
- Resets the event
- Connects to the C2 server and awaits commands
While the command that triggers this function is unknown, I did uncover a 31-option switch-case that appears to be the command handler for NetSyst96.dll. See the Appendix for a more in-depth analysis of some of the 31 options.
84.exe is the second module dropped by 123.exe, and the third module overall. Just like 74.exe, it appears to be a RAT, but that is where the similarities end. Unlike 74.exe, 84.exe does not need to download any additional libraries; instead it decrypts and executes Loader.dll from its own memory. In addition, the routine 84.exe uses to decrypt Loader.dll throws an exception for every character that needs to be decrypted, which gets in the way of stepping through it in a debugger.
Additional run-through information:
- Sets the user's environment strings to C:\Program Files (x86)\StormII\
In addition, once Loader.dll is called, 84.exe passes a series of variables to Loader.dll through a function called 'Update':
- dazsks fsdgsdf
- daac gssosjwayw
- C:\Program Files(x86)\StormII
- Various integers
Of the strings passed to Loader.dll, three are encrypted. The decrypted strings are as follows:
- [ChDz0PYP8/oOBfMO0A/0B6Y=] = "dns[dot]posthash[dot]org"
- [6gkIBfkS+qY=] = "Default"
- [EQr8/KY=] = "mdzz"
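The three pairs above are enough to recover a byte transform that reproduces them. What follows is an added example, not the author's code and not the routine inside 84.exe: the mapping (base64-decode, then for each byte compute ((c - 0x93) & 0xFF) ^ 0x13) is an inference from the three ciphertext/plaintext pairs quoted in the post, and the constants 0x93 and 0x13 are assumptions derived from those pairs. It decrypts all three strings, each of which carries a trailing encrypted NUL, but the post does not establish whether the binary's exception-driven decryptor computes it the same way. The decoded hostname is printed undefanged.

```python
"""Decode the three encrypted strings that 84.exe passes to Loader.dll.

Added example; not the author's code and not 84.exe's own routine. The
byte transform is an inference from the three ciphertext/plaintext pairs
quoted in the post: base64-decode, then for each byte c compute
p = ((c - 0x93) & 0xFF) ^ 0x13. This reproduces all three strings (each
carries a trailing encrypted NUL), but whether the binary's
exception-driven decryptor computes it the same way is not established."""
import base64

ADD_KEY = 0x93  # assumed: additive constant recovered from the pairs
XOR_KEY = 0x13  # assumed: XOR constant recovered from the pairs

# Ciphertexts exactly as listed in the post, with the plaintexts it gives.
ENCRYPTED_STRINGS = {
    "ChDz0PYP8/oOBfMO0A/0B6Y=": "dns.posthash.org",
    "6gkIBfkS+qY=": "Default",
    "EQr8/KY=": "mdzz",
}


def decrypt_string(b64: str) -> str:
    """Undo the transform; the final byte decrypts to the string's NUL terminator."""
    raw = base64.b64decode(b64)
    plain = bytes(((c - ADD_KEY) & 0xFF) ^ XOR_KEY for c in raw)
    return plain.split(b"\x00", 1)[0].decode("ascii")


def encrypt_string(text: str) -> str:
    """Forward transform, useful for spotting other strings built the same way."""
    data = text.encode("ascii") + b"\x00"
    enc = bytes(((p ^ XOR_KEY) + ADD_KEY) & 0xFF for p in data)
    return base64.b64encode(enc).decode("ascii")


def verify_all() -> bool:
    """True when every pair quoted in the post round-trips through both functions."""
    return all(decrypt_string(ct) == pt and encrypt_string(pt) == ct
               for ct, pt in ENCRYPTED_STRINGS.items())


if __name__ == "__main__":
    for ct, pt in ENCRYPTED_STRINGS.items():
        print(f"{ct:28} -> {decrypt_string(ct)!r} (post: {pt!r})")
    print("all pairs round-trip:", verify_all())
```

Because the transform is a fixed per-byte substitution (XOR then add, both invertible), encrypt_string can be run over candidate strings such as other hostnames or service names to see whether they appear in the same form elsewhere in the sample.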
Loader.dll is a RAT with some interesting features, such as reading the CPU clock speed and searching the system for antivirus products.
Launched by 84.exe, the first thing Loader.dll does is obtain the variables from 'Update' in 84.exe. At this point, Loader.dll creates several important runtime objects (the handle values are specific to the analyzed run and will differ between executions):
- An uninheritable, non-signaled, auto-reset event with no name (handle 0x84)
- A thread that executes a function manipulating DesktopInfo
- An input desktop (handle 0x8C) created with the DF_ALLOWOTHERACCOUNTS flag, which is set as the desktop of the calling thread
Loader.dll then looks for "dazsks fsdgsdf" under SYSTEM\CurrentControlSet\Services\Dazsks Fsdgsdf, which it uses to determine whether this is the first time the malware has run.
First-time run:
- Loader.dll creates the service Dazsks Fsdgsdf with ImagePath = C:\Program Files (x86)\StormII\mssta.exe
- Loader.dll attempts to start the newly created service. If the attempt succeeds, it continues to the main loop; if not, it exits.
Subsequent runs:
- Starts the Dazsks Fsdgsdf service (through services.exe)
- Continues to the main loop described below
After determining which run this is, Loader.dll enters the main loop of the program.
Main loop:
- Creates an uninheritable, auto-reset, non-signaled event named 'ccfcdaa' (handle 0x8C)
- Decrypts ChDz0PYP8/oOBfMO0A/0B6Y= to 'dns[dot]posthash[dot]org'
- Initializes Winsock
- Creates an uninheritable, non-signaled, manual-reset event with no name (handle 0x90)
- Assembles the GET request "Get /?ocid = iefvrt HTTP/1.1"
- Connects to dns[dot]posthash[dot]org:5200
- Obtains OS version information with GetVersionEx
- Loads ntdll.dll and calls RtlGetVersionNumbers
- Writes System\CurrentControlSet\Services\(null) to the registry
- Obtains the socket name
- Reads the CPU clock speed from Hardware\Description\System\CentralProcessor\
- Calls GetVersion for further system information
- Calls GlobalMemoryStatusEx to obtain the status of available memory
- Enumerates all available drives starting at 'A:\' using GetDriveTypeA
- Obtains the total free space on each enumerated drive
- Initializes the COM library
- Appends the current time to the service 'dazsks fsdgsdf' with the MARKTIME function
- Obtains system information for a process running under WOW64
- Takes a snapshot of the running processes with CreateToolhelp32Snapshot and compares them against a list of mostly Chinese AV product filenames to identify any running AV
- Decrypts EQr8/KY= to "mdzz"
- Sends all the data gathered above to the C2 server at dns[dot]posthash[dot]org:5200
The best way to mitigate ZombieBoy is, as always, avoidance, which is why I recommend keeping your systems fully patched. Specifically, MS17-010 closes the SMB vulnerabilities (CVE-2017-0143 and CVE-2017-0146) behind EternalBlue/DoublePulsar and so removes the malware's main spreading vector. CVE-2017-9073 affects only Windows XP and Windows Server 2003, which are out of support, so any such hosts should be isolated or retired. Because the WinEggDrop stage finds new targets by scanning for open port 445, blocking TCP/445 between workstations and from the Internet also limits how far a single infection can spread.
If you are infected by ZombieBoy, however, the first thing you should do is take a couple of deep breaths. Next, I'd recommend scanning your system with an A/V product of your choice.
Once the scan has finished, find and end any processes being run by ZombieBoy, such as:
- svchost.exe (note the file location and end any instance not running from C:\Windows\System32; the malware's copy runs from C:\Program Files (x86)\svchost.exe)
- mssta.exe (C:\Program Files (x86)\StormII\) and CPUInfo.exe (C:\Windows\IIS)
In addition, delete the following registry keys:
- SYSTEM\CurrentControlSet\Services\Dazsks Fsdgsdf
- SYSTEM\CurrentControlSet\Services\ANqiki cmsuucs
Also, delete any files dropped by the malware, such as:
- All of the 70+ files dropped in C:\Windows\IIS
- C:\Program Files (x86)\svchost.exe
- C:\Program Files\AppPatch\mysqld.dll
- C:\Program Files (x86)\StormII\mssta.exe
- C:\Program Files (x86)\StormII\*
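The persistence mechanisms described for NetSyst96.dll and Loader.dll (a service named "ANqiki cmsuucs" or "Dazsks Fsdgsdf", a svchost.exe copy under Program Files (x86), mssta.exe in StormII, CPUInfo.exe in C:\Windows\IIS) and the clean-up steps above reduce to a checklist that can be run over a process listing. The following is an added example, not the author's code and not anything from the malware: flag_processes() parses the CSV that `wmic process get ExecutablePath,Name,ProcessId /format:csv` prints on the suspect host and flags svchost.exe instances running from anywhere but System32 plus the other executables the post attributes to ZombieBoy, and present_iocs() checks a list of file paths against the paths the post names. The process listing below is constructed sample data, and the x86 directory is assumed to be the standard "C:\Program Files (x86)". It does not touch the registry; the service names are printed for a manual check.

```python
"""Triage a Windows process listing against the ZombieBoy artefacts in this post.

Added example, not the author's or the malware's code. flag_processes() parses
the CSV produced on the suspect host by
    wmic process get ExecutablePath,Name,ProcessId /format:csv
and flags svchost.exe instances running from anywhere but C:\\Windows\\System32,
plus the other executables the post attributes to ZombieBoy. present_iocs()
does the same for a list of file paths. The listing below is constructed
sample data; the x86 directory is assumed to be the standard
"C:\\Program Files (x86)". Nothing here touches the registry: the service
names are printed for a manual check."""
import csv
import io
import ntpath
import sys

SYSTEM32 = r"C:\Windows\System32"

# Executable name -> directory the post says ZombieBoy drops it in.
KNOWN_DROPS = {
    "sys.exe": r"C:\Windows",
    "mssta.exe": r"C:\Program Files (x86)\StormII",
    "cpuinfo.exe": r"C:\Windows\IIS",
}
KNOWN_FILES = [
    r"C:\Windows\sys.exe",
    r"C:\Program Files (x86)\svchost.exe",
    r"C:\Program Files\AppPatch\mysqld.dll",
    r"C:\Program Files (x86)\StormII\mssta.exe",
    r"C:\Windows\IIS\CPUInfo.exe",
]
# Services created by NetSyst96.dll and Loader.dll (HKLM\SYSTEM\CurrentControlSet\Services).
KNOWN_SERVICES = ["ANqiki cmsuucs", "Dazsks Fsdgsdf"]

# Constructed sample in wmic's CSV layout (blank first line, Node column).
PROCESS_CSV = """
Node,ExecutablePath,Name,ProcessId
HOST1,C:\\Windows\\System32\\svchost.exe,svchost.exe,812
HOST1,C:\\Program Files (x86)\\svchost.exe,svchost.exe,3120
HOST1,C:\\Program Files (x86)\\StormII\\mssta.exe,mssta.exe,3344
HOST1,C:\\Windows\\IIS\\CPUInfo.exe,CPUInfo.exe,3400
HOST1,C:\\Windows\\explorer.exe,explorer.exe,1500
HOST1,,System,4
"""


def same_dir(path, directory):
    """Case-insensitive comparison of a file's directory with an expected one."""
    return ntpath.normcase(ntpath.dirname(path)) == ntpath.normcase(directory)


def flag_processes(csv_text):
    """Return [(pid, path, reason)] for processes that match the post's indicators."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        path = (row.get("ExecutablePath") or "").strip()
        name = ntpath.basename(path).lower() if path else row["Name"].lower()
        pid = int(row["ProcessId"])
        if name == "svchost.exe":
            if not path:
                hits.append((pid, path, "svchost.exe with unreadable path; verify manually"))
            elif not same_dir(path, SYSTEM32):
                hits.append((pid, path, "svchost.exe outside System32"))
        elif name in KNOWN_DROPS and path and same_dir(path, KNOWN_DROPS[name]):
            hits.append((pid, path, f"ZombieBoy drop {name} in expected location"))
    return hits


def present_iocs(paths_on_host):
    """Return the known ZombieBoy file paths found in paths_on_host (case-insensitive)."""
    seen = {ntpath.normcase(p) for p in paths_on_host}
    return [p for p in KNOWN_FILES if ntpath.normcase(p) in seen]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else PROCESS_CSV
    for pid, path, reason in flag_processes(text):
        print(f"PID {pid:>6}  {path}  <- {reason}")
    print("services to check under HKLM\\SYSTEM\\CurrentControlSet\\Services:",
          ", ".join(KNOWN_SERVICES))
```

Run it with the saved wmic output as the first argument, or paste the listing into PROCESS_CSV. A svchost.exe whose path wmic could not read is reported rather than silently skipped, since an access-denied path is itself worth a look during triage.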
Indicators of Compromise
Network:
- ca[dot]posthash[dot]org:443 (payload downloads: 123.exe, NetSyst96.dll)
- dns[dot]posthash[dot]org:5200 (C2; resolved to 211.23.47[dot]186 at the time of writing)
- ip[dot]3222[dot]net and www[dot]ip123[dot]com[dot]cn (external IP lookup and name resolution)
Files:
- Files needed for the exploits and WinEggDrop dropped into C:\Windows\IIS (70+ files, including CPUInfo.exe)
- C:\%WindowsDirectory%\sys.exe, C:\Program Files (x86)\svchost.exe, C:\Program Files\AppPatch\mysqld.dll, C:\Program Files (x86)\StormII\mssta.exe
Registry:
- Hardware\Description\System\CentralProcessor\ (read by Loader.dll)
- SYSTEM\CurrentControlSet\Services\BITS
- SYSTEM\CurrentControlSet\Services\ANqiki cmsuucs and SYSTEM\CurrentControlSet\Services\Dazsks Fsdgsdf (services created by the RAT modules)