After the never-ending fluctuations of the market, the crypto community may be in for some more bad news. According to an investigation performed by the independent security researcher James Quinn, a new crypto mining malware is currently on the prowl.
Dubbed ZombieBoy, the malware was gathering an average of $1000-worth of cryptocurrencies per month before its recent addresses were shut down. The report states that the malware can be traced back to the Monero mining pool MineXMR, and, due to the simplified mandarin it uses, it’s clear that it originated in China.
The malware’s name comes after the toolkit it uses called ZombieBoyTools. The kit was used as a deployment system for its first dynamic link library file, and it uses WinEggDrop to search for its next victims. The report also states that the malware’s most common target is Monero (XMR) and Zcash (ZEC).
How ZombieBoy works
The security researcher also discovered how the malware infects the target systems. The malware uses various weak points in the OS’ architecture such as:
- CVE-2017-9073, a Remote Desktop Protocol on ‘Windows XP’ and ‘Windows 2003’
- CVE-2017-0146 and CVE-2017-0143 Server Message Block
The malware is still very hard to detect since it uses various back-doors. In short, the malware uses EternalBlue and DoublePulsar, two of the best exploits developed by the National Security Agency (NSA). With their help, the malware can actually take control of a device.
Even more concerning is the fact that ZombieBoy allegedly connects with other mining programs such as Iron Tiger Apt, a version of Gh0stRAT, as well as other Chinese such apps.
Whether ZombieBoy will become a popular threat or not remains to be seen. Until then, both private and public system administrators might have their hands full with taking countermeasures to prevent infestation.