This article is more than 1 year old
Monero-mining botnet targets Windows, Linux web servers
Sysrv-K malware infects unpatched tin, Microsoft warns
The latest variant of the Sysrv botnet malware is menacing Windows and Linux systems with an expanded list of vulnerabilities to exploit, according to Microsoft.
The strain, which Microsoft's Security Intelligence team calls Sysrv-K, scans the internet for web servers that have security holes, such as path traversal, remote file disclosure, and arbitrary file download bugs, that can be exploited to infect the machines.
The vulnerabilities, all of which have patches available, include flaws in WordPress plugins such as the recently uncovered remote code execution hole in the Spring Cloud Gateway software tracked as CVE-2022-22947 that Uncle Sam's CISA warned of this week.
Once running on a compromised system, Sysrv-K deploys a Monero cryptocurrency miner, which will siphon compute resources from the system to generate digicash. It can also rifle through WordPress files on compromised machines to take control of web server software, and use Telegram as a communications channel, Microsoft warned.
"A new behavior observed in Sysrv-K is that it scans for WordPress configuration files and their backups to retrieve database credentials, which it uses to gain control of the web server," the Microsofties wrote in a series of tweets. "Sysvr-K has updated communication capabilities, including the ability to use a Telegram bot."
Sysrv-K, like previous variants, also scans for SSH keys, IP addresses, and host names on infected machines so that it can use this information to spread via SSH connections. The researchers warned that these invaded systems can be rolled into a remote-controlled botnet relatively easily.
"We highly recommend organizations to secure internet-facing systems, including timely application of security updates and building credential hygiene," they wrote, adding that their Microsoft Defender for Endpoint, natch, detects both Sysrv-K and older variants as well as related behavior and payloads.
A quick study
Sysrv was spotted in December 2020, and has evolved rapidly since. In a blog post in the fall, Dorka Palotay, senior threat researcher with cybersecurity vendor Cujo AI, noted that the worm and cryptominer malware has undergone several iterations.
One way that it stood out was the use of the Go programming language, which brings with it easy cross-compilation capabilities – it has a single code base that can output executables for disparate architectures – and its large file size makes the binaries a pain to reverse engineer, Palotay wrote.
"At its core, Sysrv is a worm and a cryptocurrency miner," she wrote. "The two modules were in separate files in its early versions, but its developers have since combined the two. The worm module simply initiates port scans against random IPs to find vulnerable Tomcat, WebLogic, and MySQL services and tries to infiltrate the servers with a hard-coded password dictionary attack."
- Shopping for malware: $260 gets you a password stealer. $90 for a cryptominer...
- Nvidia pays $5.5m to settle SEC charges of shoddy cryptomining disclosures
- Don't hate on cryptomining, hate the power stations, say Bitcoin super-fans
- Cryptocurrency-mining AWS Lambda-specific malware spotted
As the botnet evolved, more exploit code was added to enhance its worm capabilities. The malware starts with a simple script file that deploys modules of exploits against potentially vulnerable targets.
"People used to say that Linux was free from malware," Palotay wrote. "Well, not only was it not true for the past 25 years, but we now live in an age where Linux is as promising a target for threat actors as some Windows endpoints due to its widespread usage as an operating system across many organizations. And, even more importantly, it serves as the OS for popular Internet-of-Things devices."
She listed more than two dozen Sysrv exploits that are useful against a range of software suites, including Jboss, Adobe ColdFusion, Atlassian Confluence and Jira, various Apache tools, and Oracle WebLogic.
"Sysrv included a small set of exploits in its initial campaigns. Over time, as it was developed and transformed, Sysrv continually incorporated new exploits to spread more effectively," Palotay wrote.
"Interestingly, we not only saw exploits being added to the code, but also some specific exploits undergoing several development stages. Sysrv's developers updated some functions in multiple samples until they either reached a satisfying result or simply got rid of them. Some exploits were used only in one or two samples, while others proved useful and stuck around." ®