New Cryptocurrency Mining Scheme Uses NSA Exploits EternalBlue & EternalSynergy

Due to the unprecedented and unexpected increase in the value of cryptocurrencies like Bitcoin, there has been a sudden rise in cyber-attacks on cryptocurrency marketplaces and exchanges. Hackers are unleashing all sorts of attacks from DDoS to spearphishing and frontal attacks to make use of the popularity of cryptocurrencies.

Monero mining with NSA exploits

Now, security firm F5 Networks’ researchers Maxim Zavodchik and Liron Segal have identified a new cryptocurrency mining operation that utilizes recently discovered NSA exploits EternalBlue and EternalSynergy for mining popular cryptocurrency Monero.

This campaign has been dubbed as “Zealot” and it is being termed as a sophisticated and complex multi-stage attack targeting internal systems that run on Linux and Windows OS. Since the attack involves the use of powerful exploits like EternalBlue and EternalSynergy, therefore, attackers are able to access internal networks laterally. Furthermore, through NSA exploits, attackers install cryptocurrency miners on the targeted systems and networks.

The primary purpose of hackers behind this campaign is to access Monero and in their quest, they have managed to affect various Linux and Windows-based servers but so far they haven’t been able to target Macs. The multi-stage attack has a complicated Python agent for Linux/OS X and PowerShell agent for Windows. It also is capable of exploiting servers that are vulnerable to Apache Struts Jakarta Multipart Parser attack (CVE-2017-5638) and DotNetNuke (DNN) content management system vulnerability (CVE-2017-9822).

New Cryptocurrency Mining Scheme Uses NSA Exploits EternalBlue & EternalSynergy
Content of the “zealot.zip” file (F5)

It is not the first time that hackers have used NSA exploits in malware campaigns since we have already witnessed malicious campaigns like NotPetya and WannaCry ransomware in which these exploits were leveraged. However, Zealot could be categorized as different from them because for the first time Struts campaign uses these NSA exploits to access internal networks of targeted systems/servers.

F5 Networks’ researchers noted in their official blog that this campaign appears to be opening brand new attack vector doors by using web applications flaws to automatically deliver malware on internal networks.

“The level of sophistication we are currently observing in the Zealot campaign is leading us to believe that the campaign was developed and is being run by threat actors several levels above common bot herders,” researchers wrote.

Target: Linux and Windows devices 

When a hacker is able to access Windows-based system, the PowerShell is used to download and install Monero mining program. On Linux based systems, Python scripts taken from EmpireProject, a post-exploitation agent for Powershell and Python, are used to install Monero miner.

It is suspected that hackers have collected around $8,500 in this campaign but the actual sum might be higher than this since hackers could be using cryptocurrency wallets that haven’t yet been identified by researchers. It has been observed that the hackers are inspired by StarCraft video game because the malware files bear names from the game such as Zealot, Observer, Overlord, Raven, etc.

Not for the first time

This is not the first time when hackers are using EternalBlue NSA exploit to mine cryptocurrency. In August this year, a fileless malware was found using EternalBlue to target Windows devices to mine cryptocurrency.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.