A newly identified cybercrime scheme uses a malware mish-mash of two leaked NSA hacking tools and specialized PowerShell agents to covertly install cryptomining software on computers left vulnerable by a well-known Apache Struts flaw, according to research from F5 Networks.
The campaign, labeled “Zealot” by F5 researchers, has already been used in attacks on Windows and Linux systems to feed miners targeting Monero. The malware also utilizes the NSA-linked EternalBlue and EternalSynergy exploits, which help it spread across a compromised network.
“As far as we know, this is the second time a cryptomining scheme has used the EternalBlue or EternalSynergy exploits,” said Maxim Zavodchik, a security research manager with F5. “The significance of this discovery is that it’s the first time we’ve seen a massive campaign targeting web vulnerabilities that automatically spreads into the internal network. This technique is sometimes used in targeted attacks, but seems to be the first time for all-you-can-infect campaigns.”
Additionally, Zealot leverages a PowerShell agent for Windows and a Python agent for Linux and OSX that seems to be based on the supremely popular EmpireProject post-exploitation framework.
F5’s research underscores a new trend: hackers are quickly launching attacks meant to cash in on the current cryptocurrency craze. Cryptominers are typically used to solve the complex mathematical puzzles needed to “find” new “coins.”
Criminals are also turning to cryptomining scams because they can be easier to execute than conventional ransomware attacks, which encrypt machines in the hopes the owner will pay attackers to have the computer unlocked.
I'm not surprised. Found over 17 coin miners on our network; the wallets used in the compromised machines had accumulated $600k in current Monero market value. There's real incentive for this, and as you say, much quieter than ransomware.
— Brian Laskowski (@laskow26) December 18, 2017
Another feature found in Zealot is a scanning device that can pinpoint vulnerable systems running older versions of the Apache Struts framework. That vulnerability is the same one that allowed hackers to breach credit reporting giant Equifax earlier this year.
At the moment, Zealot’s impact remains unclear, but Zavodchik said it could be significant because of the malware’s capabilities.
“We suspect the Zealot campaign is being run by threat actors with a higher degree of sophistication,” Zavodchik explained. “We don’t know exactly how widespread this is yet, but as the campaign is targeting popular web technologies used by big corporations without distinguishing between Linux or Windows, there is a broad surface area for attacks.”