F5 threat researchers have discovered a new Apache Struts campaign. This new campaign is a sophisticated multi-staged attack targeting internal networks with the NSA-attributed EternalBlue and EternalSynergy exploits. We have dubbed the campaign “Zealot” based on the name of the zip file containing the python scripts with the NSA-attributed exploits. As we continue to research this campaign, we will update this publication. This is what we know so far:

• New Apache Struts campaign, Zealot, targets Windows and Linux systems
• Zealot is a sophisticated, highly obfuscated and multi-staged attack
• Zealot collectively exploits servers vulnerable to:
  • CVE-2017-5638: Apache Struts Jakarta Multipart Parser attack
  • CVE-2017-9822: DotNetNuke (DNN) content management system vulnerability
• The attack leverages EternalBlue and EternalSynergy exploits for lateral movement inside of networks
• It has a highly obfuscated PowerShell agent for Windows and a Python agent for Linux/OS X that seem to be based on the EmpireProject post-exploitation framework
• Zealot is currently mining Monero, a cryptocurrency increasing in popularity with cyber-criminals

Introduction

When F5’s threat researchers first discovered this new Apache Struts campaign dubbed Zealot, it appeared to be one of the many campaigns already exploiting servers vulnerable to the Jakarta Multipart Parser attack (CVE-2017-5638¹) that have been widespread since first discovered in March 2017. It also exploits the DotNetNuke (DNN) vulnerability (CVE-2017-9822²), disclosed in July 2017. The Zealot campaign aggressively targets both Windows and Linux systems with the DNN and Struts exploits together. When looking more closely at the unusually high obfuscated payload, we discovered a much more sophisticated multi-staged attack, with lateral movement capabilities, leveraging the leaked NSA-attributed EternalBlue and EternalSynergy exploits.