Cryptocurrency is a very valuable currency in the current world. Bitcoin is the perfect example. It only started years ago, but its price has reached sky-high. The maximum value reached up to $17,000+ per Bitcoin. Because of this lucrative value, people are getting more and more interested in Bitcoin and other cryptocurrencies. However, the number of maximum available Bitcoin is limited, as it has to be mined. The mining process takes a lot of hardware resource and time. Zealot is a whole new spooky malware that’s installing miner programs to illegally use hardware resource on many devices.

Cryptocurrency mining

Before understanding Zealot, let’s take a look how cryptocurrencies are mined. Let’s talk about Bitcoin – the most popular one. Mining is a process that verifies every cryptocurrency exchange and adds it to the public ledger. In this process, for every successful enlisting, more Bitcoins are adding to the system. This mining process is just compiling recent transactions into blocks and trying to solve them as a puzzle. However, this mining process needs a lot of calculations and hardware power. The more hardware, the faster you’ll be able to mine. The more successful mining, the more money you’ll get.

What is Zealot?

Zealot, a new Apache Struts campaign, has started to install cryptocurrency mining tools into Windows and Linux machines. The malware installs mining tool for Monero, the most used cryptocurrency used in recent malware attacks.

How Zealot works

According to the F5 Labs researchers who discovered this campaign, Zealot uses NSA-linked EternalSynergy and EternalBlue exploits. This malware assaults computer users using a multi-staged attack, exploiting servers to be vulnerable to the DotNetNuke & Jakarta Multipart Parser attack.

Zealot is the first campaign that uses the NSA exploits to spread throughout a network.

In Windows PC, the STRUTS payload starts running a hidden PowerShell interpreter using a base64 encoded code. The process downloads a script named “scv.ps1” and this installs the miner malware. This malware also installs Python 2.7.

On Linux systems, a shell command “nohup” continues running in the background, executing a spearhead bash script. The malware then checks if the miner is present. If not, it installs the malware miner named “mule”.

Zealot attacks using EmpireProject, a PowerShell and Python post-exploitation agent. A fun fact, the names for this malware’s scripts like “Zealot”, “Observer”, “Raven”, “Overlord” etc. are taken from the famous StarCraft game.

Why Zealot is bad

Now, you might ask that Zealot is turning your machine into a miner, what’s bad in it? I’ll get money! Yahoo!

Just calm down. It’s not you; you’ll never be you who’ll get all the money. The hacker who spread Zealot will get all the money to his Monero account. Monero is an open-source cryptocurrency that was created in 2014.

As cryptocurrency mining depends on hardware especially CPU, it’s costly to buy that powerful mining machine and relative hardware. So, Zealot is turning your machine into their FREE miners – you do all the hard work, and get nothing!

Not only that, such exploit could even do other harms like stealing your info, break your system or even spy on your every single move – really spooky!

What to do now

Zealot is a malware that uses the Java platform so that it’s a cross-platform bug. If your system uses Java, update it to the latest version. Update your Windows and Linux as well.

The DotNetNuke requires a content management system based on ASP.NET, sending a serialized object via a vulnerable “DNNPersonalization” cookie. It also incorporates “ObjectDataProvider” gadget & “ObjectStateFormatter” for embedding another object. According to Sally Khudairi, Vice President of marketing & publicity of the Apache Software Foundation, a patch was released for the issue in March.

It seems that hackers are attacking open-source software more and more. The reason is quite clear. For every open-source method, the developers don’t push the updates to users – they have to download them on their own. Only continuous monitoring of hosts will ensure enterprise security.

Keep your system updated, and keep a sharp look for any suspicious activity or resource-hungry processes. That’s the only way to stop Zealot from using you.