Zealot Campaign Installs Monero Mining Malware

A malware campaign, dubbed “Zealot,” is currently targeting Linux and Windows servers with exploits in an attempt to install malware designed to mine the Monero cryptocurrency. The threat actors behind the campaign are using exploits for both an Apache Struts vulnerability CVE-2017-5638, the same exploit used in the Equifax hack, and a DotNetNuke (DNN) ASP.NET CMS vulnerability CVE-2017-9822 to obtain control of unpatched servers. On infected Windows machines, the attackers use two NSA exploits, EternalBlue and EternalSynergy, to move laterally in the victim’s local network and use PowerShell to download and install the malware to mine Monero. On infected Linux machines, the attackers use Python scripts, likely from the EmpireProject post-exploitation framework, and install the same malware. Based on the multi-stage infection chain and the use of advanced malware, researchers at F5 Networks believe sophisticated actors developed and are running this campaign. 

The NJCCIC recommends administrators of Windows and Linux servers review the F5 Networks report, ensure their systems are patched against the vulnerabilities exploited in this campaign, consider implementing a web application firewall, close all unnecessary ports on the network, and apply the Principle of Least Privilege for all user accounts.