ZombieBoy Malware Threatens The Security of Cryptocurrency Worldwide
James Quinn, a private security researcher, discovered a major threat to the crypto world earlier in the week in the form of malware. The malware is called ZombieBoy, and its mining earned about $1000 each month. The profits stopped recently when the creator decided to close the address, though they could not erase the link to MineXMR, a Monero mining pool. Based on the use of simplified Chinese, the researcher places the origins of the malware in China.
The program gets its name from the ZombieBoyTools kit, which it uses to launch the first dynamic link library (.DLL) file. It works in a fairly similar way to MassMiner but uses the WinEggDrop scanner to locate the next viable victim to infect. The most susceptible victims were those who held Monero (XMR) or Zcash (ZEC) tokens and performed transactions on those exchanges. The malware was able to quickly attack individual accounts by exploiting weaknesses such as CVE-2017-9073, a protocol flaw affecting Windows XP and 2003. It also abuses Server Message Block (SMB), creeping in through CVE-2017-0146 and CVE-2017-0143.
Because the malware deploys a large number of backdoors, it is able to use tooling that was originally developed to gain control of a specific device. These tools are called EternalBlue and DoublePulsar, and they make it practically impossible for any entity to remove the threat from the ecosystem. They also make it more likely that the entire system will end up crashing, which would not bode well for any cryptocurrency exchange.
The malware is also packed with Themida, which stops it from running on virtual machines. This packing leaves little room to trace its activities back to any specific person. Furthermore, it prevents countermeasures from being applied to the malware too many times before they are ultimately found to be useless.
Along with the discovery of ZombieBoy, researchers have also found that it is connected with another similar program called IRON TIGER APT, which is a combination of several mining malware projects. With so many companies being impacted, the limited countermeasures that could be used for protection include: