New Cyber Defense Brand DeepSeas to Unite Newly Acquired Commercial Managed Threat Services Business from Booz Allen Hamilton with Security On-Demand. Learn More

ZombieBoy Cryptominer has a backdoor and exploits multiple vulnerabilities

A new cryptomining malware, unofficially titled ZombieBoy, is active and exploiting numerous vulnerabilities in an effort to increase the likelihood of infection.  Similar to WannaCry, it exploits CVE-2017-0143 and CVE-2017-0146, DoublePulsar and EternalBlue respectively.  These two exploits look for open SMB (445) ports and exploits those that are unpatched.  It also exploits CVE-2017-9073, which is a remote desktop protocol (3389) vulnerability on Windows XP and Server 2003.

It is likely that hackers behind ZombieBoy are Chinese.  The malware uses simplified mandarin characters and appears to be tied to other Chinese malware such as IRON TIGER and GH0ST remote access tools.  The similarities between these tools suggests that tool is likely being employed by a known Chinese actor group – though which one has not yet been determined.  It also shows how Chinese hackers are continuing to evolve their methodologies and attack repertoire through adding cryptomining to its arsenal.

What really makes this cryptominer unique and a bit scarier though is because it is closely related to the aforementioned malware, which means it appears to have both persistence mechanisms and multiple backdoors built in which may allow remote access to the infected computer.

Up to this point, nearly all cryptomining malware is fairly similar and has just one purpose: mining cryptocurrency.  This has served hackers well because it generates money, is a bit more difficult to for security teams to identify, and is a lower risk to victims because there is no data loss and limited to no direct access to internal networks. As a result, security teams may feel less of an immediate need to act and it largely keeps law enforcement at bay (as opposed to Ransomware which is loud, public, and gets everyone riled up).  To some security teams, cryptomining is little more of a concern than a simple rootkit infecting a computer.  They simply wipe the computer and feel the threat is mitigated.

However, ZombieBoy may change that dynamic.  A cryptominer that enables both persistence and remote access increases cryptomining malware severity and risk exponentially.  If it opens a path to hackers accessing the internal network and for mass data loss, security teams are going to take the threat far more seriously.

How to Protect Yourself

     First, patch your systems.  This malware exploits three known and patched vulnerabilities.  There is no excuse for organizations to have devices that are still vulnerable to DoublePulsar or EternalBlue after last year’s massive WannaCry and NotPetya outbreaks.

     Second, do all you can to remove WindowsXP and Server 2003 devices from your network. We recognize that there are one-off instances where organizations have critical business applications on such systems and even the most minor disruption is unacceptable, but in 2018 these should be few and far between. If you have such devices, do all you can to update them to the latest operating systems.

     Third, employ security monitoring and detection.  At Security On-Demand, our ThreatWatch platform is specifically tailored to identify and alert on cryptomining infections. Whether using a managed service such as ours or managing your own SIEM in-house, ensure you have rules in place to identify cryptomining, including alerting on key indicators of compromise.

     Fourth, cryptocurrency mining is not only a tool of hackers, but you may have employees that are using their work computers to mine crypto for them while they work.  While they are not using ZombieBoy to do this, having an anti-Cryptocurrency Mining policy included in your security policy library and training staff about this will decrease your exposure.

What we are doing at SOD

At Security On-Demand we have numerous rules and alerts in place to identify crypto-currency mining. In fact, we produce multiple notifications per week informing customers of such potential infections. We also have strong rules in place to identify rogue RDP (3389) and SMB (445) activity. As we discover indicators related ZombieBoy or additional indicators for cryptocurrencies we will monitor and alert on them.

About Security On-Demand

Security On-Demand is an industry pioneer and recognized innovator within the managed security space. We are leading the industry in threat detection through behavioral analytics and machine learning.

Back to the Blog   Subscribe to the Blog