[SingCERT] Alert on Digital Currency Mining Campaign "ZEALOT"

Published on Tuesday, 19 December 2017 18:31


On 15 December 2017, security researchers detected a malicious cyber campaign, known as “Zealot”, that hijacks the computing power of compromised Internet-facing servers to mine for "Monero", a type of digital currency.

The campaign installs and executes Monero miner malware on vulnerable servers by exploiting the known vulnerabilities below:

  • Apache Struts Jakarta Multipart Parser (CVE-2017-5638) – Incorrect exception handling and error-message generation during file-upload attempts allow attackers to execute arbitrary commands remotely.
  • DotNetNuke (DNN) Content Management System (CVE-2017-9822) – This vulnerability allows an attacker to gain unauthorised access remotely via a cookie.

It also leverages the known Server Message Block (SMB) exploits "EternalBlue" and "EternalSynergy" (CVE-2017-0143 to 0148) to self-propagate to other vulnerable servers on connected networks.

Affected Systems

Internet-facing servers using the following vulnerable versions of software are affected:

Apache Struts 2
  • 2.3.x before 2.3.32
  • 2.5.x before
DotNetNuke (DNN) Content Management System
  • Before 9.1.1
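
An added example (not part of the SingCERT advisory): a Python inventory check that applies the version ranges listed above to `struts2-core-<version>.jar` files found on disk and to a DNN version string. The function names are illustrative, and because the 2.5.x bound is not given above, 2.5.x installs are flagged for manual review rather than classified.

```python
import re
import sys
from pathlib import Path

# Bounds copied from the advisory. The 2.5.x upper bound is missing from the
# page, so 2.5.x is reported as "review" instead of being guessed.
STRUTS_23_FIXED = (2, 3, 32)
DNN_FIXED = (9, 1, 1)

# Standard Struts core jar naming, e.g. struts2-core-2.3.20.1.jar
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '2.3.20.1' into (2, 3, 20, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def classify_struts(version):
    """Return 'affected', 'ok', 'review' or 'not-listed' for a Struts 2 version."""
    v = parse_version(version)
    if v[:2] == (2, 3):
        return "affected" if v < STRUTS_23_FIXED else "ok"
    if v[:2] == (2, 5):
        return "review"  # bound not stated on the page; check the vendor bulletin
    return "not-listed"


def classify_dnn(version):
    """Return 'affected' for DNN versions before 9.1.1, otherwise 'ok'."""
    return "affected" if parse_version(version) < DNN_FIXED else "ok"


def scan_struts_jars(root):
    """Walk root for struts2-core-<version>.jar files and classify each one."""
    findings = []
    for jar in sorted(Path(root).rglob("struts2-core-*.jar")):
        match = JAR_RE.search(jar.name)
        if match:
            version = match.group(1)
            findings.append((str(jar), version, classify_struts(version)))
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, version, status in scan_struts_jars(root):
        print(f"{status:10} {version:10} {path}")
```

Run it against the application server's deployment directory (for example the webapps root) to list every bundled Struts core jar with its status.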

A successful attack can consume an enormous amount of computing resources, which could result in service disruption. The attacker can also remotely perform a variety of malicious tasks after gaining control of a compromised server.


System administrators should upgrade their systems to the latest version immediately via the links below: