A new family of mining malware, named ZombieBoy, earns its operators approximately $1,000 per month, according to a report released by independent researcher James Quinn.
The cryptojacking tool is an infectious worm, similar to MassMiner.
“Prior to shutting down one of its addresses on minexmr.com, ZombieBoy was mining at around 43KH/s. This would earn the attackers slightly over $1,000 per month at current Monero prices,” Quinn noted.
Like MassMiner, ZombieBoy uses some exploits to spread; however, it uses WinEggDrop instead of MassScan to search for new hosts. The malware has been updated constantly, according to Quinn.
Most likely, the origin of this malware is China, as the tool has a Chinese interface. The worm is updated quite frequently, with new versions being discovered almost daily.
The worm exploits numerous network vulnerabilities. The first step is a Remote Desktop Protocol (RDP) issue in Windows XP and Windows Server 2003 or, alternatively, a Server Message Block (SMB) exploit. Later on, EternalBlue and DoublePulsar are used to create backdoors.
This approach provides broader network access and limits the chance of detection. ZombieBoy is hard to reverse-engineer due to its Themida encryption. Furthermore, the current version of the worm can spot virtual machines (VMs) and will not operate on them.
Crypto mining malware is one of the hottest types of viruses in 2018, outpacing ransomware. The two have principal differences, and the cryptocurrencies they use are almost always different as well. Bitcoin is preferred by those who demand payment from users, as a ransom is much more likely to be paid with an easily accessible coin, whereas cryptojackers often mine Monero (XMR) or Zcash (ZEC), as privacy is their chief concern. Some authorities, like the Japanese FSA, are even considering banning the latter group of altcoins from exchanges, due to their very nature.