Sysrv Botnet Variant Targets Windows, Linux, Infects Crypto Miners, says Microsoft

Scans for SSH Keys

“Like older variants, Sysrv-K scans for SSH keys, IP addresses, and host names, and then attempts to connect to other systems in the network via SSH to deploy copies of itself. This could put the rest of the network at risk of becoming part of the Sysrv-K botnet,” according to Microsoft.

“We highly recommend organizations to secure internet-facing systems, including timely application of security updates and building credential hygiene,” Microsoft added.

At its core a cryptocurrency miner

At its core, Sysrv is a worm and a cryptocurrency miner, Cujo AI, a cyberseucrity company, said in a September 2021 blog.

“The main goal of the Sysrv botnet is to mine the Monero cryptocurrency,” Cujo Ai said, reinforcing Juniper Networks’ description of the botnet.

Sponsorships Available

Sponsorships Available

Sponsorships Available

“The worm module simply initiates port scans against random IPs to find vulnerable Tomcat, WebLogic, and MySQL services and tries to infiltrate the servers with a hardcoded password dictionary attack,” author Dorka Palotay, said in the blog.

As Sysrv evolved, it introduced more exploits to enhance its worm capabilities.

“The malware propagation starts with a simple loader script file, which pulls down those modules upon successful execution.”

Palotay says that the Sysrv botnet has stood out due to its use of Golang (Go) – “a relatively new programming language that a growing number of malware developers have picked up since early 2020.”

Related Posts

• Where Are SSH Keys Stored?
• 4 Ways to Start Protecting Your SSH Keys
• Why You Should Use SSH Certificates Instead of SSH Keys

A new Sysrv variant, dubbed Sysrv-K, finds vulnerabilities ranging from path traversal and remote file disclosure to arbitrary file download and remote code execution vulnerabilities, says Microsoft. Like prior variants, Sysrv-K scans for SSH keys, IP addresses, and host names.

The gamut of vulnerabilities include old vulnerabilities – addressed in security updates – in WordPress plugins as well as newer vulnerabilities including CVE-2022-22947 (National Vulnerability Database).

Once running on a device, Sysrv-K deploys a cryptocurrency miner, Microsoft said.

Sysrv was first discovered in December 2020. In April of 2021, Juniper Networks cited Sysrv for exploiting vulnerabilities in web apps and databases to install coin miners on both Windows and Linux systems.

“The…objective is to install a Monero cryptominer,” Juniper Networks said.

One of the new behaviors observed in the Sysrv-K variant is the ability to scan for WordPress configuration files and backups to retrieve database credentials, which it then uses to gain control of the web server, Microsoft said in a series of tweets.

Sysvr-K also has updated communication capabilities, including using a Telegram bot, Microsoft said.