Worm.Win32.Zero2.a

General Explanation

Type: Script

Degree of destruction: high

Prevalence: average

Names of the malware:

  • Worm.Win32.Zero2.a
  • Exploit.Win32.Trickster
  • Trojan.Win32.RemoteExec

Used vulnerability:

  • CVE-2017-0146 / MS17-010 (EternalBlue)
  • Brute force attack
  • Pass-the-hash technique
  • Remote File Execution-based vulnerabilities

What is a Miner?

A miner is a person or piece of software that performs mining, that is, extracts cryptocurrency. Bitcoin is one such cryptocurrency. Mining bitcoin is a verification process based on two rounds of the complex SHA256 hash, and the Bitcoin network rewards miners with bitcoin in return for these heavy calculations. Malware authors avoid paying for that computation: they write malware, infect victims' systems with it, and earn the reward while paying nothing for solving the calculations. Solving them occupies the CPU of the victim's system and slows that system down.

What is Zero2 malware?

Zero2 is a new cryptocurrency-mining malware that is currently spreading through computer networks. It uses PowerShell, a standard system tool, to execute its malicious code and to spread across the network. Its aim is to mine bitcoin and other cryptocurrency on the victim's system.

Technical Explanation

This malware connects to the infected server to carry out the infection in several stages, and executing its malicious code in the memory of the victim's system is what causes the damage. One of the complexities of this malware is its many layers of code obfuscation, and the malware is to a large extent fileless: it uses XML job files (scheduled tasks) to persist on the victim's system, and those jobs only have to connect to the infected server and download the malicious code. The malware spreads by means of the EternalBlue exploit, brute-force attacks, and the pass-the-hash technique.

Signs of infection 

  1. Job files named Rass, Bluetooths or Rtsa in %Root%:\Windows\System32\Tasks that contain t[.]zer2[.]com or other suspicious addresses
  2. A job file with a random name that contains base64-encoded code
  3. A user account named k8h3d in the Administrators group

The malware runs in several layers; in the first layer, the command in the malware's job instruction is base64-encoded:

  • The first layer of the script starts from the main job file, which tries to reach the malware's main URL and downloads and installs the next scripts by means of a PowerShell instruction. The malware downloads these scripts by connecting to the C&C server.
  • The next layer creates the malware's second job, named Rtsa. This job also links to t[.]zer2[.]com and downloads the next scripts. Spreading the malware and exploiting vulnerabilities happen in this layer.
  • Finally, the malware downloads the last layer, its mining module, according to information gathered from the system. This module is injected into PowerShell and executed there.

The URLs used by the malware:

  • t[.]zer2[.]com/{uri} - a system to download scripts and report information
  • down[.]ackng[.]com - downloading exploit-based scripts
  • Ipp[.]zer2[.]com:443 - bitcoin mining
  • Ipp[.]zckng[.]com:443 - bitcoin mining
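The signs of infection and the URL list above can be turned into a triage check for task files. The following Python script is an added example, not Padvish's own tooling: it parses a Task Scheduler XML file of the kind stored in %Root%:\Windows\System32\Tasks, flags the known job names, base64 -EncodedCommand PowerShell payloads and the domains listed above (spelled as printed in the advisory), and runs on a constructed sample task. The task XML namespace is the standard Task Scheduler one; the sample task and its encoded argument are constructed for the demonstration and are not real Zero2 artifacts.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Indicators taken from the advisory (domains re-fanged here only for string matching).
SUSPICIOUS_TASK_NAMES = {"rass", "bluetooths", "rtsa"}
SUSPICIOUS_DOMAINS = ("t.zer2.com", "down.ackng.com", "ipp.zer2.com", "ipp.zckng.com")
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
# -e / -enc / -EncodedCommand followed by a base64 blob (UTF-16LE text once decoded).
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(arguments):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENC_RE.search(arguments)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def inspect_task(task_name, task_xml):
    """Return the reasons a Task Scheduler XML file matches the Zero2 signs ([] = clean)."""
    # task_xml may be the raw bytes of %SystemRoot%\System32\Tasks\<name> (UTF-16 on disk).
    reasons = []
    if task_name.lower() in SUSPICIOUS_TASK_NAMES:
        reasons.append(f"task name '{task_name}' is a known Zero2 job name")
    for exec_node in ET.fromstring(task_xml).iter(f"{TASK_NS}Exec"):
        arguments = exec_node.findtext(f"{TASK_NS}Arguments") or ""
        decoded = decode_encoded_command(arguments)
        if decoded is not None:
            reasons.append("action runs a base64 -EncodedCommand PowerShell payload")
        text = (arguments + " " + (decoded or "")).lower()
        reasons += [f"action references {d}" for d in SUSPICIOUS_DOMAINS if d in text]
    return reasons


# Constructed sample task (not a real Zero2 artifact): a hidden PowerShell action whose
# encoded argument merely names the advisory's C&C host.
SAMPLE_STAGE = "$stage = 'http://t.zer2.com/'"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_STAGE.encode("utf-16-le")).decode("ascii")
SAMPLE_TASK_XML = f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>powershell.exe</Command>
      <Arguments>-NoP -W Hidden -enc {SAMPLE_ENCODED}</Arguments></Exec>
  </Actions>
</Task>"""
SAMPLE_FINDINGS = inspect_task("Rtsa", SAMPLE_TASK_XML)  # three findings for the sample
```

On a live system the same function can be applied to every file under the Tasks directory, reading each as bytes so the UTF-16 encoding is handled by the XML parser.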

How to deal with it and disinfect the system

The IPS component of Padvish antivirus blocks the malware's attacks, and Padvish also detects the malware's job files. To prevent infection, installing Padvish antivirus is therefore recommended.
