ZombieBoy Cryptocurrency RAT and Worm

ZombieBoy is a collection of remote access trojans (RAT) used to automatically identify and infect devices with cryptocurrency miners.

Threat ID:: CC-2546
Category:: Worm, Trojan
Threat Severity:: Medium
Threat Vector:: Exploit
Published:: 23 July 2018 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

ZombieBoy is a collection of remote access trojans (RAT) used to automatically identify and infect devices with cryptocurrency miners.

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows - All versions

Threat details

The initial malware package, ZombieBoy.dll, is delivered using the EternalBlue and DoublePulsar exploits, with potential targets identified using the WinEggDrop port scanner. Once this is installed a number of files are executed:

123.exe is downloaded first and is responsible for executing 64.exe, and dropping and executing 74.exe and 84.exe.
64.exe is the primary module responsible for downloading over 70 files including an XMRig module, the exploits and a copy of itself on the device. It will then obtain the user's IP address and begin scanning for new devices both locally and on the internet to infect. It is heavily encrypted and will not execute if it detects it is running in a virtual machine.
74.exe will download and execute a Gh0stRat variant called Netsyst96.dll and handle any commands passed to it.
Netsyst96.dll is RAT that collects system and user information. It requires additional libraries in order for it to function.
84.exe is RAT that is used to decrypt and install Loader.dll, another RAT that creates registry entries and runtime objects to ensure persistence.

For further information

Remediation steps

Type	Step
	Both the EternalBlue and DoublePulsar exploits are addressed in Microsoft's MS17-010 security bulletin. Users are advised to install this update immediately if they have not already done so. Additionally, to prevent and detect a trojan infection ensure that: A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, anti-virus and other security products are kept up-to-date. All day-to-day computer activities such as email and internet are performed using non-administrative accounts. Strong password policies are in place. Network, proxy and firewall logs should be monitored for suspicious activity. User accounts accessed from affected devices should be reset on a clean computer. Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Type

Step

Both the EternalBlue and DoublePulsar exploits are addressed in Microsoft's MS17-010 security bulletin. Users are advised to install this update immediately if they have not already done so.

Additionally, to prevent and detect a trojan infection ensure that:

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, anti-virus and other security products are kept up-to-date.
All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
Strong password policies are in place.
Network, proxy and firewall logs should be monitored for suspicious activity.
User accounts accessed from affected devices should be reset on a clean computer.
Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

CVE Vulnerabilities

CVE-2017-0143

CVE-2017-0146

CVE-2017-9073

Last edited: 3 September 2021 11:33 am