TTPwire Vol. 1 · MITRE ATT&CK-Tagged


F5 Labs

Zealot: New Apache Struts Campaign Uses EternalBlue and EternalSynergy to Mine Monero on Internal Networks

2017-12-15

ATT&CK techniques detected

16 predictions
T1210 · Exploitation of Remote Services
99%
"the EternalBlue and EternalSynergy exploits - a0.py — EternalSynergy exploit with built-in shellcode for Windows 7 - a1.py — EternalBlue exploit for Windows 7. Receives a shellcode as an argument. - a2.py — EternalBlue exploit for Windows 8. Receives a shellcode as an argume…"
T1190 · Exploit Public-Facing Application
97%
"it seems that the Zealot attacker made use of the public EmpireProject,3 which is a PowerShell and Python post-exploitation agent. Figure 16: EmpireProject logo and tag line from GitHub. DotNetNuke exploitation (CVE-2017-9822). Another request sent by the Zealot attacker …"
T1055.001 · Dynamic-link Library Injection
95%
"code. Once decoded two times, the result is another obfuscated script. Once de-obfuscated, it reveals a URL to another file to be downloaded from another domain. Figure 9: obfuscated script after 2 levels of base64 decoding. Reflective DLL injection of the crypto-miner. The do…"
T1059.006 · Python
91%
"package for Python code minimization, obfuscation, and compression. The original script was base64-encoded and zipped 20 times. Figure 10: obfuscation of Python scripts using “pyminifier”. The “probe.py” script determines whether the platform is 32- or 64-bit and the un…"
T1190 · Exploit Public-Facing Application
90%
".NET serialized object including encoded PowerShell payload. Conclusion. Zealot seems to be the first Struts campaign using the NSA exploits to propagate inside internal networks. There were other malware campaigns like NotPetya and WannaCry ransomware, and also Adylkuzz cryptomin…"
T1190 · Exploit Public-Facing Application
86%
"…gy exploits. The Zealot campaign is currently mining the cryptocurrency Monero; however, attackers could use compromised systems to do whatever they want. Targeting Apache Struts Jakarta Multipart Parser (CVE-2017-5638). The attack starts with the threat actor scanning the…"
T1190 · Exploit Public-Facing Application
77%
"of networks - It has a highly obfuscated PowerShell agent for Windows and a Python agent for Linux/OS X that seem to be based on the EmpireProject post-exploitation framework - Zealot is currently mining Monero, a cryptocurrency increasing in popularity with cyber-criminals…"
T1190 · Exploit Public-Facing Application
72%
"Zealot: New Apache Struts Campaign Uses EternalBlue and EternalSynergy to Mine Monero on Internal Networks. F5 threat researchers have discovered a new Apache Struts campaign. This new campaign is a sophisticated multi-staged attack targeting internal networks with the NSA-at…"
T1059.006 · Python
70%
"a TCP socket and redirect the received data directly to the shell. If failed, it will use “curl” and “wget” tools (that ship with Linux) to download a file named “larva”, then execute and delete it after a second. Figure 2: shell commands to fetch and execute the “larva …"
T1059.001 · PowerShell
56%
".ps1” agent, however, this time from a different server. Figure 14: shellcode for Windows 8 contains encoded PowerShell code. The EternalSynergy exploit has built-in shellcode, unlike the EternalBlue exploit which has external files as their shellcodes (residing in “data” …"
T1059.006 · Python
54%
"pipe an embedded base64 obfuscated Python code to a new Python process. Figure 5: embedded base64 encoded Python code. Little Snitch and the unknown functionality. Once revealed, you can see that the Python code checks whether a “Little Snitch” process is running (a firewall so…"
T1027 · Obfuscated Files or Information
53%
"package for Python code minimization, obfuscation, and compression. The original script was base64-encoded and zipped 20 times. Figure 10: obfuscation of Python scripts using “pyminifier”. The “probe.py” script determines whether the platform is 32- or 64-bit and the un…"
T1059.001 · PowerShell
45%
"code. Once decoded two times, the result is another obfuscated script. Once de-obfuscated, it reveals a URL to another file to be downloaded from another domain. Figure 9: obfuscated script after 2 levels of base64 decoding. Reflective DLL injection of the crypto-miner. The do…"
T1105 · Ingress Tool Transfer
38%
"a TCP socket and redirect the received data directly to the shell. If failed, it will use “curl” and “wget” tools (that ship with Linux) to download a file named “larva”, then execute and delete it after a second. Figure 2: shell commands to fetch and execute the “larva …"
T1210 · Exploitation of Remote Services
33%
"Zealot: New Apache Struts Campaign Uses EternalBlue and EternalSynergy to Mine Monero on Internal Networks. F5 threat researchers have discovered a new Apache Struts campaign. This new campaign is a sophisticated multi-staged attack targeting internal networks with the NSA-at…"
T1496 · Resource Hijacking
32%
"of networks - It has a highly obfuscated PowerShell agent for Windows and a Python agent for Linux/OS X that seem to be based on the EmpireProject post-exploitation framework - Zealot is currently mining Monero, a cryptocurrency increasing in popularity with cyber-criminals…"

Summary

New Apache Struts campaign, Zealot, targets vulnerabilities in Windows, Linux, and the DotNetNuke CMS, then leverages leaked NSA exploits to move laterally through internal networks and mine Monero.