0x1 Overview
Tencent Yujian Threat Intelligence Center recently detected new activity by a mining Trojan family that spreads with ZombieboyTools. The Trojan modifies the public hacking tool ZombieboyTools, packages the NSA exploit module it contains and uses it to attack public and intranet IPs, then executes the payload file x86/x64.dll on the infected machine, which in turn implants a miner and a RAT (remote access Trojan).
Vulnerability scanning attack tool ZombieboyTools
Tencent's Yujian Threat Intelligence Center disclosed the Zombieboy Trojan intelligence in December 2017, and its competitors also released related intelligence in May and July 2018.
In this report, we first analyze the C2 domain name fq520000.com, registered and used by the attackers on August 14, 2018, together with its samples. Then, by comparing the attack methods, malicious code features, C2 domain names, IPs, and port features of the Zombieboy Trojan across several rounds of attacks, we infer that the attacks come from the same gang, which we name the ZombieboyMiner gang. Tencent Yujian Threat Intelligence Center's monitoring shows that the ZombieboyMiner Trojan has infected about 70,000 computers and that the virus remains very active.
Anchacha Mini Program: ZombieboyMiner controls about 70,000 computers mining Monero
Infected computers are distributed all over the country, with Guangdong, Jiangsu and Zhejiang ranking the top three.
Gang information queried in the Tencent Antu Advanced Threat Tracing System
0x2 Detailed Analysis
The ZombieboyMiner attack process is as follows:
ZombieboyMiner attack process
Las.exe analysis
After running, it releases a port scanning tool, the NSA exploit tool, and the payload program to the C:\windows\IIS directory. It then uses the port scanning tool to find machines in the LAN with port 445 open, and uses the NSA tool to inject the payload (x86.dll or x64.dll) into those LAN machines that have not yet patched the MS17-010 vulnerability.
Sample release file
445 port scanning batch file
EternalBlue Configuration File
Doublepulsar Configuration File
Payload analysis
The payload (x86.dll or x64.dll) downloads 123.exe from the C2 address ca.fq520000.com and executes it locally under the name sys.exe.
Payload behavior
sys.exe analysis
sys.exe downloads sm.fq520000.com:443:/1 and executes it under the file name las.exe.
sys.exe behavior
At the same time, it obtains a URL from sm.fq520000.com:443:/A.TXT, downloads the RAT (remote access Trojan) from that URL and executes it under the file name 84.exe (currently 1.exe and 4.exe through 9.exe can be downloaded).
A.TXT content
CPUInfo.exe analysis
CPUInfo.exe is started at boot through the Windows system program Srvany.exe and then acts as the main program that launches the attack process and the mining process.
Abuse of the legitimate Srvany.exe for startup
svsohst.exe analysis
svsohst.exe is responsible for starting the Monero mining program crss.exe. Before starting the miner, it sets the mining pool address ad0.fq520000.com and the wallet 44FaSvDWdKAB2R3n1XUZnjavNWwXEvyixVP8FhmccbNC6TGuCs4R937YWuoewbbSmMEsEJuYzqUwucVHhW73DwXo4ttSdNS as the mining parameters, then starts the mining process through ShellExecute.
Set mining parameters
ShellExecute starts the miner
crss.exe analysis
crss.exe is a mining program built from the open source miner XMRig 2.8.1.
Miner code
84.exe Analysis
The file copies itself to C:\Windows\System32\seser.exe, sets the hidden attribute, and installs itself as a service named dazsks gmeakjwxo so that it starts at boot.
RAT installed as an auto-start service
The DLL file is then decrypted and loaded for execution. This DLL is actually the Zegost Trojan. Once running, it collects keystrokes and information about installed software and sends them to the C2 address dns.fq520000.org. It also supports functions such as screen control and installation of executable files.
Detect antivirus software
Get key information
Decrypting C2 address
Communicating with C2
Sending and receiving messages
Receive and decrypt data
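The chain described above leaves host-side traces (tools released to C:\windows\IIS, the sys.exe/las.exe/84.exe file names, Srvany.exe launching CPUInfo.exe, the dazsks gmeakjwxo service, the seser.exe copy, and the fq520000.com contacts) that can be checked against endpoint telemetry. The following is an added example and not Tencent's tooling; the event record format and the file paths in the sample events are constructed.

```python
"""Host triage for the ZombieboyMiner chain described above. Added example, not Tencent's tooling: events use a constructed Sysmon-like record format (type/path/parent/svc/dst)."""
import re
DROP_DIR = re.compile(r"^c:\\windows\\iis\\", re.I)       # Las.exe release directory
LOADER_NAMES = {"sys.exe", "las.exe", "84.exe"}             # loader / RAT file names in the report
PAYLOAD_DLLS = {"x86.dll", "x64.dll"}                       # payload injected by the NSA tool
RAT_SERVICE = "dazsks gmeakjwxo"                            # service name installed by 84.exe
RAT_COPY = re.compile(r"^c:\\windows\\system32\\seser\.exe$", re.I)
C2_HOSTS = {"ca.fq520000.com", "sm.fq520000.com", "ad0.fq520000.com", "dns.fq520000.org"}

def triage_event(ev: dict) -> list:
    """Return the indicators one event matches (empty list means clean)."""
    hits = []
    path = ev.get("path", "")
    name = path.rsplit("\\", 1)[-1].lower()
    if ev["type"] == "file_create":
        if DROP_DIR.search(path):
            hits.append("tool dropped in C:\\Windows\\IIS")
            if name in PAYLOAD_DLLS:
                hits.append("NSA payload DLL staged")
        if RAT_COPY.match(path):
            hits.append("RAT self-copy to System32\\seser.exe")
    elif ev["type"] == "process_create":
        if name in LOADER_NAMES:
            hits.append(f"loader/RAT process {name}")
        # CPUInfo.exe is started through the legitimate Srvany.exe wrapper
        if name == "cpuinfo.exe" and ev.get("parent", "").lower().endswith("srvany.exe"):
            hits.append("Srvany.exe launching CPUInfo.exe")
    elif ev["type"] == "service_install" and ev.get("svc", "").lower() == RAT_SERVICE:
        hits.append("RAT service installed")
    elif ev["type"] == "net_connect" and ev.get("dst", "").lower() in C2_HOSTS:
        hits.append(f"C2/pool contact {ev['dst']}")
    return hits

def triage(events) -> dict:
    """Map each matched indicator to the ids of the events that triggered it."""
    report = {}
    for ev in events:
        for hit in triage_event(ev):
            report.setdefault(hit, []).append(ev["id"])
    return report

# Constructed timeline following the chain in the report (file paths are assumed)
SAMPLE_EVENTS = [
    {"id": 1, "type": "file_create", "path": r"C:\windows\IIS\x64.dll"},
    {"id": 2, "type": "process_create", "path": r"C:\Users\Public\sys.exe"},
    {"id": 3, "type": "net_connect", "dst": "sm.fq520000.com", "dport": 443},
    {"id": 4, "type": "process_create", "path": r"C:\Windows\IIS\CPUInfo.exe", "parent": r"C:\Windows\srvany.exe"},
    {"id": 5, "type": "service_install", "svc": "dazsks gmeakjwxo"},
    {"id": 6, "type": "file_create", "path": r"C:\Windows\System32\seser.exe"},
]
```

Each indicator is a weak signal on its own; the value of the report is the ordered chain, so treat several hits on one host within a short window as the detection.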
0x3 Correlation Analysis
We organized the early Zombieboy analysis reports released by Tencent Yujian since September 2017, the Zombieboy analysis reports released by competitors, and the NSASrvanyMiner analysis reports released by competitors into a timeline, and further concluded from the consistency of attack methods, malicious code characteristics, C2 domain names and IPs, and port characteristics that the attacks launched by the recently discovered and disclosed Zombieboy Trojans come from the same group.
Zombieboy Trojan Activity
0x3.1 Comparison of attack methods
In each of the attacks, the NSA attack program used was a modified version taken from the hacking tool Zombieboy. After a successful attack, the payload file X86/X64.dll was executed, and the PDB information of the payload file contains the string "Zombieboy".
In each case the payload code downloads 123.exe from the C2 address and executes it locally under the file name sys.exe, which then serves as the loader that downloads the remaining malicious components. After the Trojan enters the target machine, its malicious behavior, apart from spreading further, consists of mining and installing a RAT.
Zombieboy Trojan PDB
Payload code comparison
0x3.2 C2 Domain Name Comparison
0x3.2.1 Second-level domain name characteristics
C2 domain names use strings such as dns, ca, sm, ms, note, and stop as second-level domain name prefixes.
C2 Domain List
In addition, the first-level C2 domain names registered between 2018.02.27 and 2018.05.21 share an "AB, BA" structure, such as posthash.org and hashpost.org, or hashnice.org and nicehash (used as second-level domain name prefixes).
0x3.2.2 Domain name resolution IP addresses
The C2 domain names registered after 2018.02.27 have all resolved to 59.125.179.217 or 211.23.160.235. The IP location is shown as Banqiao District, New Taipei City, Taiwan. That these domain names pointed to the same IP addresses at the same time indicates that they are connected.
Reverse domain name
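The naming and resolution characteristics in 0x3.2.1 and 0x3.2.2 can be turned into a resolver-log check. This is an added example, not the report's or Tencent's code; the log lines, client IPs and the www.example.com entry are constructed, and the AB/BA check generalizes the posthash/hashpost case by trying every split point of the label.

```python
"""Flag DNS queries matching the ZombieboyMiner C2 naming pattern described above.
Added example, not Tencent's detection logic; the log lines are constructed."""

KNOWN_APEX = {"fq520000.com", "fq520000.org", "posthash.org", "hashpost.org", "hashnice.org"}
C2_PREFIXES = {"dns", "ca", "sm", "ms", "note", "stop", "ad0"}  # second-level prefixes in the report
C2_IPS = {"59.125.179.217", "211.23.160.235"}                    # shared resolution IPs after 2018.02.27

def mirrored_pairs(apexes):
    """Find apex pairs whose labels are AB/BA swaps (posthash.org / hashpost.org).
    Every split point is tried, so the check is not tied to a fixed word list."""
    by_tld = {}
    for apex in apexes:
        label, _, tld = apex.partition(".")
        by_tld.setdefault(tld, set()).add(label)
    pairs = set()
    for tld, labels in by_tld.items():
        for label in labels:
            for i in range(1, len(label)):
                swapped = label[i:] + label[:i]
                if swapped != label and swapped in labels:
                    pairs.add(tuple(sorted((f"{label}.{tld}", f"{swapped}.{tld}"))))
    return pairs

def classify(qname, answer=None):
    """Return the reasons a query looks like gang infrastructure (empty = no match)."""
    labels = qname.lower().rstrip(".").split(".")
    apex = ".".join(labels[-2:])
    reasons = []
    if apex in KNOWN_APEX:
        reasons.append(f"known C2 apex {apex}")
        if len(labels) > 2 and labels[-3] in C2_PREFIXES:
            reasons.append(f"known prefix {labels[-3]}")
    if answer in C2_IPS:
        reasons.append(f"resolves to shared C2 IP {answer}")
    return reasons

# Constructed resolver log: "<timestamp> <client> <qname> <answer>"
LOG = """\
2018-08-15T10:00:01 10.0.0.5 ca.fq520000.com 211.23.160.235
2018-08-15T10:00:02 10.0.0.5 sm.fq520000.com 211.23.160.235
2018-08-15T10:00:03 10.0.0.8 www.example.com 198.51.100.7
2018-08-15T10:00:04 10.0.0.9 note.hashpost.org 59.125.179.217
"""

def scan(log=LOG):
    """Map each suspicious query name in the log to the reasons it was flagged."""
    hits = {}
    for line in log.splitlines():
        _ts, _client, qname, answer = line.split()
        if reasons := classify(qname, answer):
            hits[qname] = reasons
    return hits
```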
0x3.2.3 HFS port characteristics
The HFS services used for Trojan downloads all use port 344 or 443. The author can set the HFS service port arbitrarily, so the use of the same or similar ports across these attacks is probably the continuation of one author's habits. Parent Trojan download URL:
0x4 Summary
Based on the consistency of the group's attack methods, the types of malicious programs spread, and information such as the IPs, domain names, and ports used during the attacks, we believe that the multiple rounds of attacks launched with Zombieboy since September 2017 came from the same group.
The gang constantly updates the C2 address used as the payload delivery address after the NSA attack. It also uses registered second-level C2 domain names to run its own mining pool for Monero. At the same time, it implants RAT Trojans in the compromised machines, collects sensitive user information, and uploads it to the Trojan server.
Based on the above characteristics, Tencent Yujian Threat Intelligence Center named the gang the ZombieboyMiner mining gang.
ZombieboyMiner mining and RAT information
0x5 Security Recommendations
1. Close unnecessary server ports, such as ports 139 and 445.
2. To install the "EternalBlue" vulnerability patch manually, visit https://technet.microsoft.com/zh-cn/library/security/ms17-010.aspx. Windows XP and Windows Server 2003 users should visit https://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
3. Enterprise users are advised to deploy the Yudian Terminal Security Management System (https://s.tencent.com/product/yd/index.html) across the whole network. It provides unified antivirus control, unified vulnerability repair control, policy control, and other security management functions that help enterprise administrators understand and manage the security status of the intranet.
4. Personal users are advised to use Tencent PC Manager to block such virus attacks.