“Zealot” Apache Struts Attacks Abuse NSA Exploits

A sophisticated multi-staged Apache Struts cyber attack campaign is abusing NSA-linked exploits to target internal networks, researchers from F5 Networks have discovered.

Dubbed Zealot, the highly obfuscated attack uses the EternalBlue and EternalSynergy exploits to target Windows and Linux systems. The newly uncovered campaign employs a PowerShell agent to compromise Windows systems and a Python agent to target Linux/OS X. The scripts appear to be based on the EmpireProject post-exploitation framework, F5 says.

The attack is targeting servers vulnerable to CVE-2017-5638 (Apache Struts Jakarta Multipart Parser attack) and CVE-2017-9822 (a flaw in the DotNetNuke (DNN) content management system). The main purpose of the campaign is to mine for the Monero cryptocurrency.

“The Zealot campaign aggressively targets both Windows and Linux systems, with the DNN and Struts exploits together. When looking more closely at the unusually high obfuscated payload, we discovered a much more sophisticated multi-staged attack, with lateral movement capabilities, leveraging the leaked NSA-attributed EternalBlue and EternalSynergy exploits,” the researchers reveal.

The attack starts with two HTTP requests, one of which is the notorious Apache Struts exploit via the Content-Type header. Java code is executed to determine the underlying OS on the targeted system.

On Linux, shell commands are executed in the background to download and execute a spearhead bash script that checks whether the machine is already infected and then fetches and runs a crypto-miner file named “mule”.

The Python code checks whether a firewall solution is running and fetches more code from the command and control (C&C) server. The received response is encrypted so that it cannot be detected by typical network inspection devices.

“When sending the request to the C&C, specific User-Agent and Cookie headers are added. This technique means that anyone (like us researchers) who tries to access the C&C from their own browser or a tool won’t get the same response as the malware,” F5 explains.

On Windows systems, the Struts payload runs a PowerShell interpreter in a hidden mode, which in turn executes a base64-encoded script pointing to a file on a different domain. Even more heavily obfuscated, the file is “scv.ps1,” a PowerShell script that downloads the miner and runs it. It can also download the malware as a DLL and inject it into the PowerShell process using reflective DLL injection.
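For triage of process-creation logs, the hidden-window and base64-encoded launch described above can be flagged and decoded offline. This is an added example, not code from F5 or from the campaign; the sample command line, its inert script text and the `stage2.example.invalid` host are constructed, and only the literal spelling `hidden` is checked for the window style.

```python
import base64
import binascii
import re

URL_RE = re.compile(r"https?://[^\s'\"]+")

def _is_switch(token, full_name, aliases=()):
    """True if token is a -Switch spelled as any prefix of full_name."""
    name = token.lstrip("-/").lower()
    return token[:1] in ("-", "/") and bool(name) and (
        full_name.startswith(name) or name in aliases)

def triage(cmdline):
    """Flag hidden + encoded PowerShell launches and decode the payload."""
    tokens = cmdline.split()
    result = {"hidden": False, "encoded": False, "script": None, "urls": []}
    for tok, nxt in zip(tokens, tokens[1:] + [""]):
        arg = nxt.strip("\"'")
        if _is_switch(tok, "windowstyle") and arg.lower() == "hidden":
            result["hidden"] = True
        elif _is_switch(tok, "encodedcommand", aliases=("ec",)):
            result["encoded"] = True
            try:
                # -EncodedCommand carries base64 of UTF-16LE text.
                script = base64.b64decode(arg, validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                continue  # keep the flag; payload is malformed or truncated
            result["script"] = script
            result["urls"] = URL_RE.findall(script)
    result["suspicious"] = result["hidden"] and result["encoded"]
    return result

# Constructed, inert script text standing in for the encoded stage.
_SCRIPT = "$u='http://stage2.example.invalid/scv.ps1'  # constructed sample"
SAMPLE = ("powershell.exe -NoP -w hidden -enc "
          + base64.b64encode(_SCRIPT.encode("utf-16-le")).decode())

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The decoded URLs give responders the second-stage host to block and hunt for, which matters here because the script is served from a different domain than the initial request.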

The malicious code also downloads the Python installer and deploys it if Python 2.7 is not present on the targeted Windows system. It then downloads the main Python module to initiate propagation over the internal network.

Two more files are downloaded onto the machine, namely “” and “raven64.exe.” The former includes several Python scripts and libraries, including a script designed to execute the EternalBlue and EternalSynergy exploits, an SMB protocol wrapper, and a series of known Python packages.

The “raven64.exe” file scans the internal network for port 445 and calls the main script to inject three different shellcodes for Windows 7 and Windows 8 systems to exploit EternalSynergy and EternalBlue. After execution, PowerShell downloads the “scv.ps1” agent, but from a different server.

“The “mule” malware is a cryptocurrency malware mining for the Monero currency. Monero has become the cybercrime currency of choice due to its high anonymity. The amount that was paid for this specific miner address was approximately $8,500. It is not known how much profit the threat actor has overall,” F5 says.

The security researchers also determined that the Zealot attackers used the public EmpireProject, a PowerShell and Python post-exploitation agent.

The second HTTP request observed in this campaign is attempting to exploit the ASP.NET-based content management system DotNetNuke by sending a serialized object via a vulnerable DNNPersonalization cookie. The goal is to obtain arbitrary code execution to run the same PowerShell script delivered via the Apache Struts exploit.
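A detection sketch for the two opening requests, the Struts Content-Type header and the DNNPersonalization cookie, run over parsed proxy or WAF records. This is an added example, not F5's tooling: the record shape, the allow-list of expected type names, the finding labels and the sample records are all constructed, and it assumes the Struts value is an OGNL expression (delimited by `%{` or `${`).

```python
import re
from collections import defaultdict
from urllib.parse import quote, unquote

OGNL_RE = re.compile(r"[%$]\{")   # expression delimiters; not expected in a media type
TYPE_RE = re.compile(r'type\s*=\s*"([^"]+)"')
# Assumption: personalization data on this site only uses these simple types.
ALLOWED_TYPES = {"System.String", "System.Int32", "System.Boolean"}

def cookie_value(header, name):
    """URL-decoded value of one cookie from a Cookie header, or None."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key.lower() == name.lower():
            return unquote(value)
    return None

def check_request(rec):
    """Return the set of findings for one request record."""
    headers = {k.lower(): v for k, v in rec["headers"].items()}
    findings = set()
    if OGNL_RE.search(headers.get("content-type", "")):
        findings.add("struts-content-type")
    cookie = cookie_value(headers.get("cookie", ""), "DNNPersonalization")
    if cookie is not None:
        types = {t.split(",")[0].strip() for t in TYPE_RE.findall(cookie)}
        if types - ALLOWED_TYPES:
            findings.add("dnn-cookie-type")
    return findings

def scan(records):
    """Map source IP -> findings; sources tripping both checks get 'both-vectors'."""
    by_src = defaultdict(set)
    for rec in records:
        by_src[rec["src"]] |= check_request(rec)
    for found in by_src.values():
        if {"struts-content-type", "dnn-cookie-type"} <= found:
            found.add("both-vectors")
    return {src: sorted(f) for src, f in by_src.items() if f}

def _dnn(type_name):  # constructed cookie; the XML shape is an assumption
    xml = '<profile><item key="k" type="%s"><v/></item></profile>' % type_name
    return "lang=en; DNNPersonalization=" + quote(xml)

# Constructed records, as a proxy or WAF log might expose them after parsing.
SAMPLE = [
    {"src": "198.51.100.7", "headers": {"Content-Type": "%{placeholder}.multipart/form-data"}},
    {"src": "198.51.100.7", "headers": {"Cookie": _dnn("Example.Placeholder, Example")}},
    {"src": "203.0.113.5", "headers": {"Content-Type": "multipart/form-data; boundary=x1"}},
    {"src": "203.0.113.5", "headers": {"Cookie": _dnn("System.String")}},
]
```

A source that trips both checks matches the paired-request pattern reported for this campaign and is worth prioritising over single hits from generic scanners.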

The NSA exploits have been abused in previous campaigns, including NotPetya and WannaCry ransomware, along with the Adylkuzz cryptominer, but Zealot seems to be the first Struts campaign using these exploits.

The new attack also opens “new attack vector doors, automatically delivering malware on internal networks via web application vulnerabilities. The level of sophistication we are currently observing in the Zealot campaign is leading us to believe that the campaign was developed and is being run by threat actors several levels above common bot herders,” F5 concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
