ZombieBoy

July 18, 2018 | James Quinn
X

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

This is a guest post by independent security researcher James Quinn.

Continuing the 2018 trend of cryptomining malware, I’ve found another family of mining malware similar to the “massminer” discovered in early May.  I’m calling this family ZombieBoy since it uses a tool called ZombieBoyTools to drop the first dll.

ZombieBoy, like MassMiner, is a cryptomining worm that uses some exploits to spread. However, unlike MassMiner, ZombieBoy uses WinEggDrop instead of MassScan to search for new hosts. ZombieBoy is being continually updated, and I’ve been obtaining new samples almost daily.

An overview of ZombieBoy’s execution is below:

Domains

ZombieBoy uses several servers running HFS (http file server) in order to acquire payloads.  The URLs that I have identified are below:

  • ca[dot]posthash[dot]org:443/
  • sm[dot]posthash[dot]org:443/
  • sm[dot]hashnice[dot]org:443/

In addition, it appears to have a C2 server at dns[dot]posthash[dot]org.

Exploits

ZombieBoy makes use of several exploits during execution:

  • CVE-2017-9073, RDP vulnerability on Windows XP and Windows Server 2003
  • CVE-2017-0143, SMB exploit
  • CVE-2017-0146, SMB exploit

Installation

ZombieBoy first uses the EternalBlue/DoublePulsar exploits to remotely install the main dll. The program used to install the 2 exploits is called ZombieBoyTools and appears to be of chinese origin. It uses Chinese simplified as its language, and has been used to deploy a number of Chinese malware families (such as the IRONTIGER APT version of Gh0stRAT) . 

ZombieBoyTools screenshot

Once the DoublePulsar exploit is successfully executed, it loads and executes the first Dll of the malware. This downloads 123.exe from ca[dot]posthash[dot]org:443, saves it to “C:\%WindowsDirectory%\sys.exe”, and then executes it.

Set up

123.exe does several things on execution.  First, it downloads the module [1] from its file distribution servers.  According to code analysis of 123.exe, it refers to this module as “64.exe”, but saves it to the victim as “boy.exe”.   After saving the module, it executes it.  64.exe appears to be in charge of distributing ZombieBoy as well as holding the XMRIG miner.

In addition to downloading a module from its servers, 123.exe also drops and executes 2 modules.  The first module is referred to in the code as “74.exe”.  This is saved as “C:\Program Files(x86)\svchost.exe. This appears to be a form of the age-old Gh0stRAT. 

The second module is referred to in the code as “84.exe”.  This is saved as “C:\Program Files(x86)\StormII\mssta.exe” and appears to be a RAT of unknown origin.

64.exe

64.exe is the first module downloaded by ZombieBoy. 64.exe uses some anti-analysis techniques that are quite formidable.  First, the entire executable is encrypted with the packer Themida, making reverse-engineering difficult.  Also, in current versions of ZombieBoy, it will detect a VM and subsequently not run. 

64.exe drops 70+ files into C:\Windows\IIS that consists of the XMRIG miner, the exploits, as well as a copy of itself that it names CPUInfo.exe. 

64.exe obtains the ip of the victim by connecting to ip[dot]3222[dot]net.  It then uses WinEggDrop, a lightweight TCP scanner to scan the network to find more targets with port 445 open.  It uses the IP obtained above as well as the local IP to spread to the local network as well as the public ip netrange

64.exe uses the DoublePulsar exploit to install both a SMB backdoor as well as an RDP backdoor.

DoublePulsar screenshot

In addition, 64.exe uses XMRIG to mine for XMR.  Prior to shutting down one of its addresses on minexmr.com, ZombieBoy was mining at around 43KH/s. This would earn the attackers slightly over $1,000 per month at current Monero prices.

A new address has been found, however, ZombieBoy no longer uses minexmr.com to mine.

Known Addresses:

  • 42MiUXx8i49AskDATdAfkUGuBqjCL7oU1g7TsU3XCJg9Maac1mEEdQ2X9vAKqu1pvkFQUuZn2HEzaa5UaUkMMfJHU5N8UCw
  • 49vZGV8x3bed3TiAZmNG9zHFXytGz45tJZ3g84rpYtw78J2UQQaCiH6SkozGKHyTV2Lkd7GtsMjurZkk8B9wKJ2uCAKdMLQ

Using strace, I found that 64.exe was obtaining information about the victim, such as enumerating the OS architecture.

74.exe

74.exe is the first module dropped by 123.exe, and the second module overall.  In its base form, 74.exe is in charge of downloading, decrypting, and executing a Gh0stRat dll named NetSyst96.dll.  In addition, 74.exe decrypts a series of arguments to be passed to Netsyst96.dll. 

The arguments are as follows:

  1. Dns.posthash.org
  2. 127.0.0.1
  3. 5742944442
  4. YP_70608
  5. ANqiki cmsuucs
  6. Aamqcygqqeqkia
  7. Fngzxzygdgkywoyvkxlpv ldv
  8. %ProgramFiles%/
  9. Svchost.exe
  10. Add
  11. Eeie saswuk wso

Decryption Screenshot

Once 74.exe has decrypted the arguments, it checks if NetSyst96.dll has been downloaded and saved to C:\Program Files\AppPatch\mysqld.dll.  It does this by calling CreateFileA with the CreationDisposition set to Open_Existing.  If mysqld.dll is not found, 74.exe opens a connection to ca[dot]posthash[dot]org:443/ and downloads NetSyst96.dll, saving it as C:\Program Files\AppPatch\mysqld.dll.

NetSyst96.dll has 2 exported functions, DllFuUpgraddrs, and DllFuUpgraddrs1.  After saving NetSyst96.dll as mysqld.dll, 74.exe locates DllFuUpgraddrs in NetSyst96.dll before calling it.

NetSyst96.dll

NetSyst96.dll is the called dll of 74.exe.  Typically encrypted, an analysis of the decrypted files returns some interesting strings which can be used to identify it, such as “Game Over Good Luck By Wind”, “jingtisanmenxiachuanxiao.vbs”.

Strings screenshot showing some of the dropped files

NetSyst96.dll can capture the users screen, record audio, and even edit the clipboard.  Also, a strings analysis revealed that it imports keyboard keys, typical of a keylogger.  First, Netsyst96.dll obtains the Environment Strings path and uses that to create the path C:\Program files (x86)\svchost.exe. Next, using CreateToolhelp32Snapshot, NetSyst96.dll searches the running processes for Rundll32.exe in order to determine if it is the first time running the dll. 

For first time run throughs, NetSyst96.dll does a couple things to maintain persistence

  • Saves a copy of 74.exe as C:\Program Files(x86)\svchost.exe
  • Registers “ANqiki cmsuucs” as a service using System/CurrentControlSet/Services/ANqiki cmsuucs
    • When the service is launched, runs svchost.exe
  • Adds MARKTIME to the registry key, appending the time it was last launched.
  • Use a snapshot from CreateToolhelp32Snapshot to search the running processes for svchost.exe
    • If not found, launch it and loop back to searching for svchost.exe
    • If one is found, Save svchost.exe to Run
    • If more than one is found, Call a function to create a vbs script to delete the extra svchost.exe

On Consecutive Run throughs, NetSyst96.dll is more concerned with connecting to the C2 server:

  1. Locate and verify that “System/CurrentControlSet/Services/ANqiki cmsuucs” exists
    1. If it doesn’t exist, create the key like above
    2. If it does exist, continue on to step 2
  2. Create event named “Eeie saswuk wso”
  3. Enumerate and change the input desktop
  4. Pass the C2 server Ip to C2URL (dns[dot]posthash[dot]org)
  5. Start WSA (winsock 2.0)
  6. Connect to www[dot]ip123[dot]com[dot]cn and obtain the ip of dns[dot]posthash[dot]org
    1. The actual IP is subject to change, however, it currently is 211.23.47[dot]186
  7. Reset Event
  8. Connect to C2 Server and await commands

While the command that triggers this function is unknown, I did uncover a 31 option switch-case that seems to be the command options for NetSyst96.dll.  See the Appendix for more indepth analysis of some of the 31 options.

84.exe

84.exe is the second module dropped by 123.exe, and the third module overall.  Just like 74.exe, it appears to be a RAT.  However, that is where the similarities stop.  Unlike 74.exe, 84.exe does not need to download any additional libraries and instead decrypts and executes Loader.dll from its own memory.  In addition, 84.exe uses a function to decrypt Loader.dll that involves throwing exceptions for every character that needs to be decrypted. 

Additional run through information:

  • Sets the user’s environment strings to C:\Program Files(x86)\StormII\

In addition, once Loader.dll is called, 84.exe passes a series of variables to Loader.dll through a function called ‘Update’

Variables

  1. ChDz0PYP8/oOBfMO0A/0B6Y=
  2. 0
  3. 6gkIBfkS+qY=
  4. dazsks fsdgsdf
  5. daac gssosjwayw
  6. |_+f+
  7. fc45f7f71b30bd66462135d34f3b6c66
  8. EQr8/KY=
  9. C:\Program Files(x86)\StormII
  10. Mssta.exe
  11. 0
  12. Ccfcdaa
  13. Various integers

Of the strings passed to Loader.dll, 3 are encrypted.  The decrypted strings are as follows

  1. [ChDz0PYP8/oOBfMO0A/0B6Y=] = "dns[dot]posthash[dot]org"
  2. [6gkIBfkS+qY=] = "Default"
  3. [EQr8/KY=] = "mdzz"

Loader.dll

Loader.dll is a RAT with some interesting features, like the ability to search for the CPU write speed, as well as search the system for antiviruses.

Launched by 84.exe, the first thing Loader.dll does is obtain the variables from ‘Update’ in 84.exe.  At this point, Loader.dll creates several important runtime objects:

  • Uninheritable, non-signaled, auto-reset event named Null, handle: 0x84
  • Thread to execute a function that manipulates DesktopInfo
  • An input Desktop with the handle 0x8C and the flag DF_ALLOWOTHERACCOUNTS, which is set as the desktop of the calling thread.

Loader.Dll then searches the system for “dazsks fsdgsdf” in SYSTEM/CurrentControlSet/Services/Dazsks Fsdgsdf, which is used to determine if this is the first time running the malware. 

First Time Run:

  • Loader.dll creates the service Dazsks Fsdgsdf with ImagePath = C:\Program Files(x86)\StormII\mssta.exe
  • Loader.dll attempts to run the newly created service.  If the attempt is successful, continue to main loop.  If not, exit.

Consequent run throughs:

  • Start services.exe with the argument Dazsks Fsdgsdf to start the service. 
  • Continue to main loop mentioned in First Time Run

After checking for run through number, Loader.dll enters the main loop of the program. 

Main loop run through:

  • Creates an uninheritable, auto-reset, nonsignaled event named ‘ccfcdaa’ with a handle of 0x8C. 
  • Decrypt ChDz0PYP8/oOBfMO0A/0B6Y= to ‘dns[dot]posthash[dot]org’
  • Start the WinSock object
  • Create an uninheritable, unsignaled, manual-reset event object named null with the handle 0x90
  • Assembles Get Request: “Get /?ocid = iefvrt HTTP/1.1”
  • Connects to dns[dot]posthash[dot]org:5200
  • Obtains information about the OS using GetVersionEx
  • Load ntdll.dll and call RtlGetVersionNumbers
  • Saves System\CurrentControlSet\Services\(null) to the registry
  • Obtain socket name
  • Obtain the CPU refresh speed using Hardware\Description\System\CentralProcessor\
  • Calls GetVersion to obtain the system info
  • Calls GlobalMemoryStatusEx to obtain the status of the available global memory
  • Enumerate all available disk drives starting at ‘A:/’ using GetDriveTypeA
  • Obtain the total amount of free space available on each enumerated drive
  • Initialize the COM library
  • Appends the current time to the service ‘dazsks fsdgsdf’ with the marktime function
  • Obtain the system info of a system running under WOW64
  • Using a list of majority chinese AV software filenames and CreateToolHelp32Snapshot, to create a snapshot of running processes and then identify any running AV programs.
  • Decrypt EQr8/KY= to “mdzz”
  • Sends all the data obtained above to the C2 server at dns[dot]posthash[dot]org:5200

Mitigation

The best way to mitigate being hit by ZombieBoy is as always, avoidance in general, which is why I recommend updating your systems to their most recent update.  Specifically, MS17-010 will fix the malware’s spreading capabilities.

If you are infected by ZombieBoy however, the first thing you should do is take a couple deep breaths.  Next, I’d recommend scanning your system with an A/V software of your choice.

Once the scan has finished, you should find and end any open processes currently being run by ZombieBoy such as:

  • 123.exe
  • 64.exe
  • 74.exe
  • 84.exe
  • CPUinfo.exe
  • N.exe
  • S.exe
  • Svchost.exe (Note the file location.  End any processes not originating from C:\Windows\System32)

In addition, delete the following registry keys:

  • SYSTEM/CurrentControlSet/Services/Dazsks Fsdgsdf
  • SYSTEM/CURRENTCONTROLSET/SERVICES/ANqiki cmsuuc

Also, delete any files dropped by the malware such as:

  • C:\%WindowsDirectory%\sys.exe
  • C:\windows\%system%\boy.exe
  • C:\windows\IIS\cpuinfo.exe
  • All of the 70+ files dropped in IIS
  • C:\Program Files(x86)\svchost.exe
  • C:\Program Files\AppPatch\mysqld.dll
  • C:\Program Files(x86)\StormII\mssta.exe
  • C:\Program Files(x86)\StormII\*

Indicators of Compromise

Samples

MD5

Size

IP

IOC

ZombieBoy[Main Dll]

842133ddc2d57fd0f78491b7ba39a34d

82.4kb

-

-

123.exe

7327ef046fe62a26e5571c36b5c2c417

782.3kb

Downloaded From:

ca.posthash[dot]org:443

C:\%WindowsDirectory%\sys.exe

[Injector123]

785a7f6e1cd40b50ad788e5d7d3c8465

437.9kb

-

-

64.exe

79c6ead6fa4f4addd7f2f019716dd6ca

 

6.4MB

Mining Server:

Minexmr.com

 

Downloaded From

ca.posthash[dot]org:443/

sm.posthash[dot]org:443/

C:\windows\%system%\boy.exe

C:\windows\IIS\cpuinfo.exe

Necessary files for exploits and WinEggDrop into C:\windows\IIS

74.exe

 

38d7d4f6a712bff4ab212848802f5f9c

 

9.7kb

C2 server:

dns.posthash[dot]org:52009/

C:\Program Files(x86)\svchost.exe

 

SYSTEM/CURRENTCONTROLSET/SERVICES/ANqiki cmsuuc

 

Netsyst96.dll

 

6de21f2fd11d68b305b5e10d97b3f27e

 

1.0MB

Downloaded From

ca.posthash[dot]org:443/

 

C2 server:

Dns.posthash[dot]org:52009/

C:\Program Files\AppPatch\mysqld.dll,

 

84.exe

 

91ebe2de7fcb922c794a891ff8987124

334.7kb

 

C2 Server:

dns.posthash[dot]org:5200/

 

C:\Program Files(x86)\StormII\mssta.exe

 

SYSTEM/CurrentControlSet/Services/Dazsks Fsdgsdf

 

C:\Program Files(x86)\StormII\*

 

Loader.dll

 

9a46a3ae2c3762964c5cbb63b62d7dee

135.2kb

C2 Server:

dns.posthash[dot]org:5200/

 

SYSTEM/CurrentControlSet/Services/(null);

 

Files Queried:

 

Hardware\Description\System\CentralProcessor\ ;  SYSTEM/CurrentControlSet/Services/BITS;

James Quinn

About the Author: James Quinn
James has been programming since he was 12 but didn't become interested in Cybersecurity until around 16. He's now finishing his 3rd semester for a Cybersecurity associate's degree. In James' free time, he analyzes malware dropped on his dionaea honeypot and would consider himself an amateur photographer.
Read more posts from James Quinn ›

‹ BACK TO ALL BLOGS

Watch a Demo ›
GET PRICE FREE TRIAL