F5 threat researchers have discovered a new Apache Struts campaign. This new campaign is a sophisticated multi-staged attack targeting internal networks with the NSA-attributed EternalBlue and EternalSynergy exploits. We have dubbed the campaign “Zealot” based on the name of the zip file containing the python scripts with the NSA-attributed exploits. As we continue to research this campaign, we will update this publication. This is what we know so far:

New Apache Struts campaign, Zealot, targets Windows and Linux systems

Zealot is a sophisticated, highly obfuscated and multi-staged attack

Zealot collectively exploits servers vulnerable to:
CVE-2017-5638: Apache Struts Jakarta Multipart Parser attack
CVE-2017-9822: DotNetNuke (DNN) content management system vulnerability

The attack leverages EternalBlue and EternalSynergy exploits for lateral movement inside of networks

It has a highly obfuscated PowerShell agent for Windows and a Python agent for Linux/OS X that seem to be based on the EmpireProject post-exploitation framework

Zealot is currently mining Monero, a cryptocurrency increasing in popularity with cyber-criminals

Introduction

When F5’s threat researchers first discovered this new Apache Struts campaign, dubbed Zealot, it appeared to be one of the many campaigns already exploiting servers vulnerable to the Jakarta Multipart Parser attack (CVE-2017-5638), which have been widespread since the vulnerability was first disclosed in March 2017. It also exploits the DotNetNuke (DNN) vulnerability (CVE-2017-9822), disclosed in July 2017. The Zealot campaign aggressively targets both Windows and Linux systems with the DNN and Struts exploits together. When we looked more closely at the unusually heavily obfuscated payload, we discovered a much more sophisticated multi-staged attack, with lateral movement capabilities, leveraging the leaked NSA-attributed EternalBlue and EternalSynergy exploits.

The Zealot campaign is currently mining the cryptocurrency Monero; however, the attackers could use the compromised systems for anything they want.

Targeting Apache Struts Jakarta Multipart Parser (CVE-2017-5638)

The attack starts with the threat actor scanning the web and sending two HTTP requests. One of the requests is the notorious Apache Struts exploit via the Content-Type header. While most of the similar Apache Struts campaigns target either Windows or Linux platforms, Zealot is equipped with payloads for both.
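The Struts request described above is recognizable on the wire because the Jakarta Multipart parser reflects an invalid Content-Type value into an error message that is then evaluated as OGNL, so exploitation attempts carry an OGNL expression in that header. The following detector is an added example written for this article, not code from F5 or from the Zealot samples: it parses raw HTTP request header blocks and flags a Content-Type value that contains OGNL expression markers. The marker list is an assumption drawn from public descriptions of CVE-2017-5638 and should be tuned locally; the sample requests are constructed, and the suspicious one carries a truncated, non-functional expression purely to exercise the check.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Heuristic markers for OGNL injection in a header value (assumption based on
# public CVE-2017-5638 writeups, not on the Zealot samples): an expression
# wrapped in %{ } or ${ }, or the sandbox-bypass idioms that accompany it.
OGNL_MARKERS = re.compile(
    r"%\{|\$\{|#_memberAccess|OgnlContext|@java\.lang\.|getRuntime\(\)",
    re.IGNORECASE,
)


def parse_headers(raw_request: str) -> dict:
    """Parse the request line and header block of a raw HTTP/1.x request.

    Returns {'method', 'target', 'headers'} with header names lower-cased.
    The body (after the blank line) is ignored; only headers are needed here.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, *_ = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate junk lines rather than failing the whole scan
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def is_struts_ognl_attempt(raw_request: str) -> Optional[str]:
    """Return the Content-Type value if the request looks like a CVE-2017-5638
    exploitation attempt, otherwise None.

    The raw header is matched first; the URL-decoded form is also checked in
    case the log source (e.g. a proxy) percent-encodes header values.
    """
    ctype = parse_headers(raw_request)["headers"].get("content-type", "")
    if OGNL_MARKERS.search(ctype) or OGNL_MARKERS.search(unquote(ctype)):
        return ctype
    return None


def scan_requests(requests: List[str]) -> List[Tuple[int, str]]:
    """Scan a batch of raw requests; return (index, content_type) per hit."""
    hits = []
    for i, raw in enumerate(requests):
        ctype = is_struts_ognl_attempt(raw)
        if ctype is not None:
            hits.append((i, ctype))
    return hits


# Constructed sample requests (not captured traffic from the Zealot campaign).
BENIGN_UPLOAD = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk\r\n"
    "Content-Length: 0\r\n\r\n"
)
BENIGN_JSON = (
    "POST /api/items HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: application/json; charset=utf-8\r\n"
    "Content-Length: 2\r\n\r\n{}"
)
# Truncated, non-functional OGNL fragment: enough to trip the detector, nothing more.
SUSPECT_CT = "%{(#_='multipart/form-data').(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)}"
SUSPECT = (
    "POST /index.action HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    f"Content-Type: {SUSPECT_CT}\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for idx, ct in scan_requests([BENIGN_UPLOAD, BENIGN_JSON, SUSPECT]):
        print(f"request #{idx}: suspicious Content-Type -> {ct[:60]}...")
```

Because the vulnerable code path is the parser's error handling, any Content-Type that is not a well-formed media type is already anomalous; the markers above narrow that to OGNL specifically, which keeps false positives low on upload endpoints where odd but harmless boundaries appear. This only covers the Struts request; the second request in the pair targets DNN and needs its own check.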