ZombieBoy malware


ZombieBoy is a highly infectious cryptomining worm in the same mould as MassMiner, but it uses the WinEggDrop port scanner rather than MassScan to find new hosts to infect.

The malware leverages several exploits during its execution, including:

  • CVE-2017-9073, an RDP vulnerability in Windows XP and Windows Server 2003
  • CVE-2017-0143, an SMBv1 vulnerability addressed by MS17-010
  • CVE-2017-0146, an SMBv1 vulnerability addressed by MS17-010

ZombieBoy uses the EternalBlue/DoublePulsar exploits, delivered via ZombieBoyTools, to remotely install its main DLL on a newly found host.

Once that backdoor is established, the compromised system can be used to deliver other malware families, such as keyloggers or ransomware.

The malware checks whether it is running inside a virtual machine and refuses to run if so, which makes it harder to analyse in sandboxes and automated analysis environments.

Source: SecureReading

How do you protect yourself?

Patch the vulnerabilities ZombieBoy exploits: apply MS17-010 (which covers CVE-2017-0143 and CVE-2017-0146) and the vendor fix for CVE-2017-9073, and retire Windows XP and Server 2003 hosts that cannot be patched. Disable SMBv1 where it is not required and do not expose SMB (TCP 445) or RDP (TCP 3389) to the internet. Because it spreads as a worm, watch for internal hosts sweeping those two ports across the network, and for the sustained CPU load that cryptomining produces. Up-to-date endpoint protection remains a useful last line of defence against the miner payload itself.

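The worm behaviour described above (one host probing many neighbours on SMB and RDP) is easy to spot in firewall or flow logs. The following is an added detection example written for this page, not code from SecureReading or from the malware analysis it summarises; the log format, the sample log lines, the 60-second window and the threshold of 10 distinct targets are all constructed assumptions to be adapted to your own telemetry.

```python
"""Flag internal hosts sweeping SMB/RDP ports within a short window, the
propagation pattern of worms such as ZombieBoy. Constructed example."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Ports associated with ZombieBoy's spreading exploits: 445/tcp for the
# MS17-010 SMB exploits, 3389/tcp for the RDP exploit (CVE-2017-9073).
LATERAL_PORTS = {445, 3389}

# Constructed sample firewall log (not from a real incident). Assumed format:
# "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
2018-07-20T10:00:01 10.0.5.17 10.0.5.20 445 allow
2018-07-20T10:00:01 10.0.5.17 10.0.5.21 445 deny
2018-07-20T10:00:02 10.0.5.17 10.0.5.22 445 allow
2018-07-20T10:00:02 10.0.5.17 10.0.5.23 3389 deny
2018-07-20T10:00:03 10.0.5.17 10.0.5.24 445 allow
2018-07-20T10:00:03 10.0.5.17 10.0.5.25 445 deny
2018-07-20T10:00:04 10.0.5.17 10.0.5.26 3389 allow
2018-07-20T10:00:05 10.0.5.17 10.0.5.27 445 allow
2018-07-20T10:00:05 10.0.5.17 10.0.5.28 445 deny
2018-07-20T10:00:06 10.0.5.17 10.0.5.29 445 allow
2018-07-20T10:00:06 10.0.5.17 10.0.5.30 445 allow
2018-07-20T10:00:07 10.0.5.17 10.0.5.31 445 deny
2018-07-20T10:00:10 10.0.5.40 10.0.5.2 445 allow
2018-07-20T10:00:11 10.0.5.40 10.0.5.2 445 allow
2018-07-20T10:00:12 10.0.5.41 10.0.5.2 445 allow
2018-07-20T10:00:20 10.0.5.41 10.0.5.3 3389 allow
2018-07-20T10:05:00 10.0.5.42 10.0.5.2 445 allow
"""


def parse_log(text):
    """Yield (timestamp, src, dst, dport, action); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, action = parts
        try:
            yield datetime.fromisoformat(ts), src, dst, int(dport), action
        except ValueError:
            continue


def find_sweepers(text, window_seconds=60, min_targets=10):
    """Return {src: peak_distinct_targets} for every source that reached at
    least `min_targets` distinct destinations on LATERAL_PORTS within any
    sliding window of `window_seconds`. Denied connections count too: a
    worm's failed probes are as telling as its successes."""
    window = timedelta(seconds=window_seconds)
    per_src = defaultdict(list)
    for ts, src, dst, dport, _action in parse_log(text):
        if dport in LATERAL_PORTS:
            per_src[src].append((ts, dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()                  # chronological order per source
        in_window = Counter()          # dst -> number of events in window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Drop events older than the window from the left edge.
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, n in find_sweepers(SAMPLE_LOG).items():
        print(f"possible SMB/RDP sweep from {src}: {n} distinct targets")
```

On the constructed log, 10.0.5.17 reaches 12 distinct hosts in six seconds and is flagged, while the servers talking repeatedly to a single file server are not. Tune the window and threshold to the normal east-west traffic of your network; legitimate scanners and management hosts will need an allow-list.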
CVE-2018-12359


A buffer overflow can occur when rendering canvas content while adjusting the height and width of the <canvas> element dynamically, causing data to be written outside of the currently computed boundaries. This results in a potentially exploitable crash.

Source: Mozilla

How do you protect yourself?

Mozilla fixed this vulnerability in Thunderbird 60 (and in Firefox 61 and Firefox ESR 60.1, which share the same rendering engine). Update to those releases or later.

‘Black’ botnet campaign


The recently uncovered “Black” botnet campaign, built on the Ramnit malware, racked up 100,000 infections in the two months through July. According to researchers, the offensive could be merely a precursor to a much larger attack, thanks to a second-stage malware called Ngioweb.

In the Black operation, Ramnit, which Check Point believes is being distributed via spam campaigns, serves only as the first stage. Ramnit has extensive information-exfiltration capabilities stemming from its heritage as a banking trojan, but it also backdoors infected machines. In this case it sets up a path for Ngioweb, marking a new chapter for code first seen in 2010.

The concern is that, between the two pieces of malware, the operators are building a large, multi-purpose proxy botnet that could be put to any number of uses, from spreading cryptominers, ransomware or other malware to DDoS and information exfiltration.

Source: ThreatPost

How do you protect yourself?

Since Ramnit is reportedly arriving by spam, mail filtering that strips or sandboxes executable attachments and links, together with user awareness, is the first line of defence. Keep endpoint protection current so the Ramnit first stage is caught before it can fetch Ngioweb, and watch egress firewall logs for hosts that suddenly begin relaying outbound traffic, which is what a proxy botnet node looks like from the network.