Zealot Campaign

The Zealot Campaign is a cryptocurrency mining malware campaign built from a series of stolen National Security Agency (NSA) exploits, released by the Shadow Brokers group, that targets both Windows and Linux machines to mine cryptocurrency, specifically Monero. Discovered in December 2017, the Zealot suite includes the EternalBlue and EternalSynergy exploits and the Apache Struts Jakarta Multipart Parser exploit. The other notable exploit in the Zealot suite targets a vulnerability in DotNetNuke (DNN), a content management system, which the attacker uses to install Monero mining software. An estimated USD 8,500 of Monero was mined on a single targeted computer. The campaign was discovered and studied extensively by F5 Networks in December 2017.

How it works
With many of the Zealot exploits having been leaked from the NSA, the malware suite is widely described as having “an unusually high obfuscated payload”, meaning that the exploit works on multiple levels to attack vulnerable server systems, causing large amounts of damage. The name “Zealot” is derived from a type of warrior unit in the StarCraft series.

Introduction
This multi-layered attack begins with two HTTP requests, used to scan for and target vulnerable systems on the network. Similar attacks in the past targeted only Windows or only Linux-based systems; Zealot stands out by being prepared for both, through its version of the Apache Struts exploit together with the DNN exploit.

Post-exploitation stage
After the operating system (OS) has been identified via JavaScript, the malware loads an OS-specific exploit chain:

Linux/macOS
If the targeted system runs Linux or macOS, the Struts payload installs a Python agent for the post-exploitation stage. After checking whether the target system has already been infected, the agent downloads cryptocurrency mining software, often referred to as a “mule”. From there, it runs obfuscated embedded Python code. Unlike other botnet malware, the Zealot campaign's requests to the Command & Control (C&C) server carry server-specific User-Agent and Cookie headers, so any client other than the malware receives a different response. Because Zealot encrypts its traffic with the RC4 cipher, most network inspection and security software could see that the malware was on the network but were not able to inspect its content.

Windows
If the targeted OS is Windows, the Struts payload downloads an encoded PowerShell interpreter. Once it has been decoded twice, the program runs another obfuscated script, which in turn directs the device to a URL to download more files. That file, the PowerShell script “scv.ps1”, is heavily obfuscated and allows the attacker to deploy mining software on the targeted device. The deployed software can also use a Dynamic-link Library (DLL) mining malware, which is loaded using the reflective DLL injection technique to attach the malware to the PowerShell process itself so as to remain undetected.

Scanning for a firewall
Before moving on to the next stage, the program also checks whether the firewall is active. If it is, it pipes embedded base64-encoded Python code to circumvent the firewall. Another step concerns the “Little Snitch” firewall, which the program will attempt to terminate if it is active.

Infecting internal networks
From the post-exploitation stage, the program scans the target system for Python 2.7 or higher; if it is not found, it downloads it. It then downloads a Python module (probe.py) to propagate across the network. The script itself is highly obfuscated, base64-encoded and then zipped up to 20 times. The downloaded zip file can carry one of several names, all derived from the StarCraft game. The files it contains are listed below:

 * Zealot.py – main script executing the EternalBlue and EternalSynergy exploits, see below.
 * A0.py – EternalSynergy exploit with built-in shellcode for Windows 7
 * A1.py – EternalBlue exploit for Windows 7, receives shellcode as an argument
 * A2.py – EternalBlue exploit for Windows 8, receives a shellcode as an argument
 * M.py – SMB protocol wrapper
 * Raven64.exe – scans the internal network via port 445 and invokes the Zealot.py script

After all these files run successfully, the miner software is then introduced.
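The layered encoding described above (base64 wrapped around repeated compression, and in the Windows section a PowerShell stage that has to be decoded twice) is the kind of obfuscation an analyst must peel before the script can be read or signatured. The Python below is an added example, not code from the Zealot campaign or from F5's analysis: it repeatedly strips base64, zlib/gzip and UTF-16LE layers from a blob until none applies and reports the order in which the layers came off. The payloads it unwraps are constructed stand-ins; the real probe.py and its exact layering are not reproduced.

```python
import base64
import binascii
import zlib
from typing import Callable, List, Optional, Tuple

# Headroom above the "zipped up to 20 times" layering reported for probe.py.
MAX_LAYERS = 32


def _try_zlib(data: bytes) -> Optional[bytes]:
    """Decompress a zlib or gzip stream (wbits 32+15 auto-detects the header)."""
    try:
        return zlib.decompress(data, zlib.MAX_WBITS | 32)
    except zlib.error:
        return None


def _try_utf16le(data: bytes) -> Optional[bytes]:
    """Decode UTF-16LE text, the encoding PowerShell uses for -EncodedCommand."""
    if len(data) % 2 or b"\x00" not in data:
        return None
    try:
        text = data.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text.encode("utf-8")


def _try_base64(data: bytes) -> Optional[bytes]:
    """Strictly decode base64; whitespace is tolerated for line-wrapped blobs."""
    compact = b"".join(data.split())
    if not compact or len(compact) % 4:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


# Order matters: a zlib/gzip header is never valid base64 text, and base64 text
# never contains NUL bytes, so trying compression first avoids false matches.
_LAYERS: List[Tuple[str, Callable[[bytes], Optional[bytes]]]] = [
    ("zlib", _try_zlib),
    ("utf16le", _try_utf16le),
    ("base64", _try_base64),
]


def peel(blob: bytes, max_layers: int = MAX_LAYERS) -> Tuple[bytes, List[str]]:
    """Strip encoding/compression layers until none applies.

    Returns the innermost payload and the names of the removed layers, in order.
    """
    removed: List[str] = []
    current = blob
    for _ in range(max_layers):
        for name, decode in _LAYERS:
            out = decode(current)
            if out is not None and out != current:
                removed.append(name)
                current = out
                break
        else:
            break  # no decoder applied: this is the innermost layer
    return current, removed


# --- constructed samples (stand-ins, not the campaign's actual scripts) -------

INNER_SAMPLE = b"print('constructed stand-in for probe.py, not the real script')"


def build_layered_sample(inner: bytes, rounds: int) -> bytes:
    """Wrap `inner` in `rounds` alternating layers of zlib compression and base64."""
    data = inner
    for _ in range(rounds):
        data = base64.b64encode(zlib.compress(data))
    return data


# A PowerShell-style encoded command: UTF-16LE text, then base64 (constructed).
POWERSHELL_SAMPLE = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16-le"))


if __name__ == "__main__":
    payload, layers = peel(build_layered_sample(INNER_SAMPLE, 5))
    print(layers, payload)
    payload, layers = peel(POWERSHELL_SAMPLE)
    print(layers, payload)
```

The loop stops as soon as no decoder accepts the current bytes, so plain text falls straight through, and the recorded layer order doubles as a fingerprint of the packer that produced the blob.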

Mining
Known commonly as the “mule” malware, this PowerShell script is named “minerd_n.PS2” within the compressed files that are downloaded and executed via the EternalSynergy exploit. The software then uses the target system’s hardware to mine cryptocurrency. This mining software has reportedly yielded close to $8,500 from one victim, but the total amount of Monero mined remains a matter of speculation among researchers.

EternalBlue
Initially used in the WannaCry ransomware attack in 2017, this exploit was repurposed in the Zealot campaign to deliver mining software.
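Because Raven64.exe scans the internal network on port 445 before Zealot.py fires the EternalBlue and EternalSynergy SMB exploits, the propagation stage leaves a distinctive network footprint: one host opening SMB connections to many distinct peers within a short window. The Python below is an added example of a simple detection over flow records, not part of the campaign or of F5's report. The record format (“ISO-timestamp src dst dport”), the ten-destination threshold and the five-minute window are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_flows(text: str) -> List[Flow]:
    """Parse 'ISO-timestamp src dst dport' lines; blank or malformed lines are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            flows.append(Flow(datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return flows


def detect_smb_fanout(
    flows: List[Flow],
    threshold: int = 10,                 # assumed alert threshold (distinct peers)
    window: timedelta = timedelta(minutes=5),  # assumed sliding window
    port: int = 445,
) -> Dict[str, int]:
    """Return {src: peak number of distinct SMB destinations seen within one window}
    for every source whose peak reaches `threshold`."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if f.dport == port:
            by_src[f.src].append(f)

    alerts: Dict[str, int] = {}
    for src, events in by_src.items():
        events.sort(key=lambda f: f.ts)
        peak = 0
        for i, start in enumerate(events):
            # Distinct destinations in the window that opens at this event.
            dsts = {f.dst for f in events[i:] if f.ts - start.ts <= window}
            peak = max(peak, len(dsts))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


# --- constructed sample telemetry (not real captures) -----------------------
_BASE = datetime(2017, 12, 15, 10, 0, 0)
SAMPLE_LOG = "\n".join(
    # One host sweeping 12 peers on 445 within ~30 s: the Raven64.exe-like pattern.
    [f"{(_BASE + timedelta(seconds=2 * i)).isoformat()} 10.0.5.23 10.0.5.{40 + i} 445" for i in range(12)]
    # A benign workstation talking to a file server and a domain controller.
    + [f"{(_BASE + timedelta(minutes=i)).isoformat()} 10.0.5.77 10.0.5.10 445" for i in range(6)]
    + [f"{(_BASE + timedelta(minutes=3)).isoformat()} 10.0.5.77 10.0.5.11 445"]
    # Non-SMB traffic, ignored by the detector.
    + [f"{(_BASE + timedelta(minutes=1)).isoformat()} 10.0.5.77 10.0.5.50 80"]
)


if __name__ == "__main__":
    for host, peers in detect_smb_fanout(parse_flows(SAMPLE_LOG)).items():
        print(f"ALERT {host}: {peers} distinct SMB destinations within one window")
```

The benign workstation never exceeds two distinct SMB peers, so only the sweeping host is reported; in a real deployment the threshold would be tuned against the normal fan-out of file servers and administrative hosts.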

EternalSynergy
While not much is known about this exploit, it was used together with EternalBlue and other exploits in the Zealot campaign and elsewhere. Most notably, EternalSynergy has been linked to the Equifax hack, the WannaCry ransomware, and cryptocurrency mining campaigns.

DNN
DNN (formerly DotNetNuke) is an ASP.NET-based content management system. The attacker sends a serialized object in a vulnerable DNNPersonalization cookie during the HTTP request stage. Using an “ObjectDataProvider” and an “ObjectStateFormatter”, the attacker then embeds another object that invokes a shell on the victim’s system. This invoked shell delivers the same script that was delivered in the Apache Struts exploit. The DNN exploit acts as a secondary backup for the attackers, should the Apache Struts exploit fail.

Apache Struts Jakarta multipart parser
Used to deliver a PowerShell script to initiate the attack, this exploit is one of the two HTTP requests sent during the initial stage of infection. Among the first of the Zealot exploits to be discovered, the Jakarta Parser exploit allowed hackers to exploit a “zero-day” flaw in the software to break into the financial firm Equifax in March 2017. This exploit was the most notable and public of the set, as it was used in a highly public case and was still being used until December 2017, when it was patched.

The Lazarus Group
The Bangladesh-based group used a spear-phishing method, known commonly as Business Email Compromise (BEC), to steal cryptocurrency from unsuspecting employees. Lazarus primarily targeted employees of cryptocurrency financial organizations; the attack was delivered via a Word document purporting to come from a legitimate-appearing European company. When the document was opened, the embedded trojan would load onto the system and begin stealing credentials and loading other malware. While the specific malware is still unknown, it has ties to the Zealot malware.

Equifax Data Breach (2017)
Among the several exploits involved in the March 2017 Equifax data breach, the Jakarta Parser, EternalBlue, and EternalSynergy were heavily involved in attacking the servers. Instead of being used to mine cryptocurrency, the software was used to mine the data of over 130 million Equifax customers.