How the Zealot Attack Uses Apache Struts Flaw to Mine Crypto-Currency

The same flaw that was used to exploit Equifax is now being used by attackers to mine for the Monero crypto-currency.

apache struts

Network security vendor F5 has discovered a new attack that makes use of known vulnerabilities including the same Apache Struts vulnerability linked to the Equifax breach to mine the Monero cryptocurrency.

F5's threat researchers have dubbed the campaign "Zealot", which is also the name of a file that is part of multi-stage attack. The Zealot files include python scripts that trigger the EternalBlue and Eternal Synergy exploits that were first publicly disclosed by the Shadow Brokers hacking group and were allegedly first created by the U.S. National Security Agency (NSA) linked Equation Group.

"The number of infected machines isn’t known, but any machine vulnerable to Apache Struts 2 Jakarta multipart parser flaw (CVE-2017-5638) can potentially be infected," Liron Segal, F5 Labs researcher, told eWEEK.

The CVE-2017-5638 vulnerability in Apache Struts was first publicly disclosed on March 6, and is a remote code execution vulnerability. Credit reporting company Equifax didn't patch for the flaw and as a result was the victim of a massive data breach that was publicly disclosed on Sept. 7. In the Equifax incident, attackers used the Apache Struts vulnerability to steal information on 145.5 million Americans.

In the new Zealot campaign, rather than using the vulnerability to steal user information, the attackers are using the CVE-2017-5638 vulnerability as an entry point to install crypto-currency mining software to mine for Monero is what is known as an "alt-coin." It its different from Bitcoin in that it can be mined, or found by systems that do not have powerful GPUs.

The idea of installing malware to mine Monero is not a new one. Multiple research reports in 2017 have pointed to the increasing use of software known as Coinhive which mines Monero without user knowledge via a hidden script on a web-page. Segal noted that Coinhive is not being used in the Zealot campaign.

"There is no need for Coinhive since the attacker can execute any program on the machine, and is not limited to use only the browser," Segal said.

In addition to the Apache Struts vulnerability, Zealot uses the EternalBlue and EternalSynergy exploit techniques to move laterally within a network. The EternalBlue exploit was also used within both the WannaCry and Petya ransomware attacks in 2017. Additionally, Zealot uses a PowerShell agent on Windows systems and a python agent on Linux and macOS as a post-exploitation framework to enable the Monero mining code.

Though Zealot is currently being used to mine Monero, it could potentially be used in the future for other malicious purposes.

"We saw Zealot focusing on Monero mining, but since it has the ability to download and execute additional malicious modules, it is possible it will change and add [a new] attack purpose and functionality," Segal said.

Monero mining has been a profitable activity for many different groups of attackers in 2017, according to research published in September 2017 by security firm ESET.

"Our research shows Monero was of interest to scammers in a malware context, for several reasons," Cameron Camp, Security Researcher at ESET told eWEEK

Monero isn't as difficult to mine as Bitcoin or Ethereum and its' value has continued to rise as interest in crypto-currencies in general has grown. On Dec. 18, one Monero was worth approximately $347.

What Should Users Do?

There are multiple things that users can do to limit the risk of being exploited by the Zealot campaign to mine Monero. The first step is to make sure all operating systems and applications, including Apache Struts are fully patched.

Segal said that systems that have been patched against the Apache Struts CVE-2017-5638 vulnerability are immune to Zealot,  as it is the first stage in the exploit chain and is used to download and execute additional modules.

Camp suggests that users look for outliers in system activity and suspicious system usage.

"Look for spikes in system usage, as this malware acts as a parasite for under-utilized CPU power, which is typically plentiful on servers, so you’ll see massive spikes in system activity," Camp said. "You should also be able to stop it at the network level through IPS (Intrusion Prevention System), since it’ll be communicating with a C&C  (Command and Control) somewhere."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.