Zealot Campaign

The Zealot Campaign is a cryptocurrency mining malware collected from a series of stolen National Security Agency (NSA) exploits, released by the Shadow Brokers group on both Windows and Linux machines to mine cryptocurrency, specifically Monero.^[1][2] Discovered in December 2017, these exploits appeared in the Zealot suite include EternalBlue, EternalSynergy, and Apache Struts Jakarta Multipart Parser attack exploit, or CVE-2017-5638.^[3][2] The other notable exploit within the Zealot vulnerabilities includes vulnerability CVE-2017-9822, known as DotNetNuke (DNN) which exploits a content management system so that the user can install a Monero miner software. An estimated USD $8,500 of Monero having been mined on a single targeted computer.^[4][5][2] The campaign was discovered and studied extensively by F5 Networks in December 2017.^[3][6][7]

How it works

With many of the Zealot exploits being leaked from the NSA, the malware suite is widely described as having “an unusually high obfuscated payload”, meaning that the exploit works on multiple levels to attack the vulnerable server systems, causing large amounts of damage.^[4] The term “Zealot” was derived from the StarCraft series, namely a type of warrior.^[8]

Introduction

This multi-layered attack begins with two HTTP requests, used to scan and target vulnerable systems on the network. Similar attacks in the past were only targeted to either Windows or Linux-based systems, yet Zealot stands out by being prepared for both with its version of Apache Struts exploit along with using DNN.^[9]

Post-exploitation stage

After the operating system (OS) has been identified via a JavaScript, the malware then loads an OS-specific exploit chains:

Linux/macOS

If the targeted system runs on either Linux or macOS, the Struts' payload will install a Python agent for the post-exploitation stage. After checking the target system to see if it has already been infected, it then downloads a cryptocurrency mining software, often referred to as a “mule”. From there, it obfuscates an embedded Python code to process.^[9] Different from other botnet malware, the Zealot campaigns request the Command & Control (C&C) server-specific User-Agent and Cookie headers, meaning that anyone but the malware will receive a different response.^[9] Due to Zealot encrypting via a RC4 cipher, see below, most network inspection and security software were able to see that the malware was on the network, but were not able to scan it.^[9]

Windows

If the targeted OS is Windows, the Struts' payload downloads an encoded PowerShell interpreter. Once it is decoded two times, the program then runs another obfuscated script, which in turn leads the device to a URL to download more files.^[9] That file, known as PowerShell script “scv.ps1”, is a heavily obfuscated script which allows the attacker to deploy mining software on the targeted device. The deployed software can also use a Dynamic-link Library (DLL) mining malware, which is deployed using the reflective DLL injection technique to attach the malware to the PowerShell processing itself, as to remain undetected.^[9]

Scanning for a firewall

Prior to moving onto the next stage, the program also checks to see if the firewall is active. If yes, it will pipe an embedded base64 embedded Python code to circumvent the firewall. Another possible solution is known as the “Little Snitch”, which will possibly terminate the firewall if active.^[9]

Infecting internal networks

From the post-exploitation stage, the program scans the target system for Python 2.7 or higher, if it is not found on the system, it will then download it. Following that, it then downloads a Python module (probe.py) to propagate the network, the script itself is highly obfuscated with a base encryption of base64 and is then zipped up to 20 times.^[9] The downloaded zip file could be named several iterations, all of which are derived from the StarCraft game. The files included are listed below:

• Zealot.py – main script executing the EternalBlue and EternalSynergy exploits, see below.
• A0.py – EternalSynergy exploit with built-in shellcode for Windows 7
• A1.py – EternalBlue exploit for Windows 7, receives shellcode as an argument
• A2.py – EternalBlue exploit for Windows 8, receives a shellcode as an argument
• M.py – SMB protocol wrapper
• Raven64.exe – scans the internal network via port 445 and invokes the zealot.py files^[9]

After all these files run successfully, the miner software is then introduced.

Mining

Known commonly as the “mule” malware, this PowerShell script is named the “minerd_n.PS2” within the compressed files that are downloaded and executed via the EternalSynergy exploit.^[9] The software then utilizes the target system’s hardware to process mining for cryptocurrency. This mining software has reportedly stolen close to $8,500 from one victim, yet total amounts of mined Monero are still speculated among researchers.^[9]

Exploits involved

EternalBlue

Initially utilized in the WannaCry ransomware attack in 2017, this exploit was specifically utilized as a mining software with the Zealot campaign.^[8]

EternalSynergy

While not much is known about this exploit, it was used in cooperation with EternalBlue, along with other exploits in the Zealot campaign and others. Most notably, EternalSynergy was involved in the Equifax hack, WannaCry ransomware, and cryptocurrency mining campaigns.^[2]

DNN

An ASP.NET based content management system, DNN (formerly DotNetNuke) sends a serialized object via a vulnerable DNNPersonalization cookie during the HTTP request stage.^[9] Using an “ObjectDataProvider” and an “ObjectStateFormatter”, the attacker then embeds another object into the victim’s shell system.^[9] This invoked shell system will then deliver the same script that was delivered in the Apache Struts exploit. The DNN acts as a secondary backup for the attackers, should the Apache Struts exploit fail.^{[citation needed]}

Apache Struts Jakarta multipart parser

Used to deliver a PowerShell script to initiate the attack, this exploit is one of the two HTTP requests sent during the initial stage of infection.^[9] Among the first discovered of the exploits of the Zealot campaign, the Jakarta Parser exploit allowed hackers to exploit a “Zero-Day” flaw in the software to hack into the financial firm, Equifax in March 2017.^[9][10] This particular exploit was the most notable and public of the exploits, as it was utilized in a largely public case, and was still being utilized until December 2017, when the exploit was patched.^[9]

Uses

The Lazarus Group

The Bangladeshi-based group utilized a spear-phishing method, known commonly as Business Email Compromise (BCE), to steal cryptocurrency from unsuspecting employees.^[5] Lazarus primarily targeted employees of cryptocurrency financial organizations, which was executed via a Word document, claiming to be a legitimate-appearing European company.^[11] When the document was opened, the embedded trojan virus would then load onto the system computer and begin to steal credentials and other malware. While the specific Malware is still unknown, it does have ties to the Zealot malware.^[9]

Equifax Data Breach (2017)

Among the several exploits involved the March 2017 Equifax data breach, the Jakarta Parser, EternalBlue, and EternalSynergy were heavily involved with attacking the servers. Instead of the software being utilized to mine cryptocurrency, it was used to mine the data of over 130 million Equifax customers.^[10]

References

1. "Shadow Brokers Tools Update - Trend Micro". success.trendmicro.com. Retrieved 2018-04-08.
2. Verma, Adarsh (2017-12-19). "Linux And Windows Machines Being Attacked By "Zealot" Campaign To Mine Cryptocurrency". Fossbytes. Retrieved 2018-04-08.
3. "New sophisticated Malware campaign "Zealot" Leveraging NSA Exploits". GBHackers On Security. 2017-12-18. Retrieved 2018-04-08.
4. ""Zealot" Apache Struts Attacks Abuses NSA Exploits | SecurityWeek.Com". www.securityweek.com. 18 December 2017. Retrieved 2018-04-08.
5. ""Zealot" Campaign and the Lazarus Group End the Year With Cryptocurrency Mining Attacks - Security News - Trend Micro USA". www.trendmicro.com. Retrieved 2018-04-08.
6. "Newly uncovered 'Zealot' malware could double as 2017 buzzword bingo - CyberScoop". Cyberscoop. 2017-12-19. Retrieved 2018-04-08.
7. ""Zealot" Campaign Uses NSA Exploits to Mine Monero on Windows and Linux Servers". BleepingComputer. Retrieved 2018-04-08.
8. "NSA Exploits Used to Create Monero Mining Malware - Deep Dot Web". www.deepdotweb.com. Archived from the original on 2018-04-09. Retrieved 2018-04-08.
9. "Zealot: New Apache Struts Campaign Uses EternalBlue and EternalSynergy to Mine Monero on Internal Networks". f5.com. 15 December 2017. Retrieved 2018-04-08.
10. "Equifax Hackers Stole 200k Credit Card Accounts in One Fell Swoop — Krebs on Security". krebsonsecurity.com. Retrieved 2018-04-08.
11. Palmer, Danny. "Trojan malware attacks by North Korean hackers are attempting to steal Bitcoin | ZDNet". ZDNet. Retrieved 2018-04-08.