Sysrv | |
Additional Names | Sysrv-hello |
Type of Malware | Botnet |
Country of Origin | Unknown |
Date of initial activity | 2020 |
Associated Groups | Unknown |
Targeted Countries | Worldwide |
Motivation | Cryptocurrency mining. The bot has two functions: spreading to infect more hosts, and mining Monero on the hosts it controls. |
Attack vectors | The cryptomining worm spreads by scanning the internet for vulnerable systems and exploiting them. Sysrv also spreads laterally over SSH, brute-forcing logins with private keys and host names harvested from the infected server (e.g., bash history, ssh config, and known_hosts files). |
Targeted systems | Windows and Linux |
Variants | Sysrv-K |
Overview
First identified in 2020, Sysrv is a botnet built around a Golang worm that infects devices and deploys cryptominers. It propagates by exploiting network-exposed vulnerabilities and has been continuously updated with new techniques by its operators. Sysrv infects both Linux and Windows systems.
Targets
Vulnerable Windows and Linux enterprise servers, in particular those running web applications and databases with known remote code execution flaws (PHPUnit, Apache Solr, Confluence, Laravel, JBoss, Jira, Sonatype, Oracle WebLogic, and Apache Struts).
Techniques Used
Sysrv scans the internet for vulnerable Windows and Linux enterprise servers and infects them with an XMRig Monero miner and a self-spreading worm payload.
It gains access to these web servers by exploiting flaws in web apps and databases, such as PHPUnit, Apache Solr, Confluence, Laravel, JBoss, Jira, Sonatype, Oracle WebLogic, and Apache Struts.
After killing competing cryptocurrency miners and deploying its own payloads, Sysrv also spreads laterally over SSH: it brute-forces logins to other hosts using private keys and host names harvested from the infected server (e.g., bash history, ssh config, and known_hosts files).
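The harvest described above, reproduced as a blast-radius check an incident responder can run against a compromised host to see which machines and key files it would hand to the worm. This is an added example, not Sysrv's code or code from any of the cited reports; the file contents it parses are constructed samples, and `OPTS_WITH_ARG`, `Harvest` and `harvest()` are names chosen here. Only plaintext known_hosts entries leak host names; entries hashed with `HashKnownHosts yes` are counted but yield no target, which is why that option limits what this part of the harvest returns.

```python
# Blast-radius check for the SSH harvest described above. Added example for
# responders, not Sysrv's own code: it re-creates the harvest (bash history,
# ~/.ssh/config, ~/.ssh/known_hosts). All inputs below are constructed samples.
import re
from dataclasses import dataclass, field

OPTS_WITH_ARG = {"-" + c for c in "BbcDEeFIiJLlmOopQRSWw"}  # ssh options taking an argument

@dataclass
class Harvest:
    hosts: set = field(default_factory=set)      # "host" or "user@host"
    key_files: set = field(default_factory=set)  # private-key paths referenced
    aliases: dict = field(default_factory=dict)  # ssh_config Host alias -> target
    hashed_known_hosts: int = 0                  # entries the worm cannot read

def parse_ssh_config(text, h):
    """Each concrete Host block yields a target (HostName/User) and IdentityFile."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, val = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "host" and val:
            cur = {"host": val.split()[0]}   # first alias only, for brevity
            blocks.append(cur)
        elif cur is not None:
            cur[key] = val
    for b in blocks:
        if "identityfile" in b:
            h.key_files.add(b["identityfile"])
        target = b.get("hostname") or b["host"]
        if any(c in target for c in "*?"):   # wildcard block, names no machine
            continue
        if "user" in b:
            target = f"{b['user']}@{target}"
        h.aliases[b["host"]] = target
        h.hosts.add(target)

def parse_bash_history(text, h):
    """Target host (alias resolved) and any -i key path of each `ssh ...` line."""
    for line in text.splitlines():
        argv = line.split()
        if "ssh" not in argv:
            continue
        args, i = argv[argv.index("ssh") + 1:], 0
        while i < len(args):
            tok = args[i]
            if tok in OPTS_WITH_ARG and i + 1 < len(args):
                if tok == "-i":
                    h.key_files.add(args[i + 1])
                i += 2
            elif tok.startswith("-"):
                i += 1
            else:
                h.hosts.add(h.aliases.get(tok, tok))  # first positional = target
                break

def parse_known_hosts(text, h):
    """Plain entries expose host names/IPs; hashed ones (|1|salt|hash) do not."""
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        hostfield = fields[0]
        if hostfield.startswith("|1|"):
            h.hashed_known_hosts += 1
            continue
        for entry in hostfield.split(","):
            if entry.startswith("["):                  # "[host]:port" form
                entry = entry[1:entry.index("]")]
            h.hosts.add(entry)

def harvest(bash_history, ssh_config, known_hosts):
    h = Harvest()
    parse_ssh_config(ssh_config, h)       # first, so history aliases resolve
    parse_bash_history(bash_history, h)
    parse_known_hosts(known_hosts, h)
    return h

BASH_HISTORY = """\
ssh -i ~/.ssh/deploy_key deploy@10.0.0.5 'uptime'
sudo ssh -p 2222 root@db01.internal
ssh builder
"""
SSH_CONFIG = """\
Host *
    IdentityFile ~/.ssh/id_ed25519
Host builder
    HostName build01.internal
    User jenkins
    IdentityFile ~/.ssh/jenkins_key
"""
KNOWN_HOSTS = """\
10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexample
[10.0.0.7]:2222,web01.internal ecdsa-sha2-nistp256 AAAAE2VjZHNhexample
|1|c2FsdHNhbHRzYWx0c2FsdA=|aGFzaGhhc2hoYXNoaGFzaA= ssh-rsa AAAAB3example
"""
```

Call `harvest(BASH_HISTORY, SSH_CONFIG, KNOWN_HOSTS)` to get the six reachable targets, three key files and one hashed entry from the samples; on a real host feed it the files from every home directory and /root. Every target it lists, reachable with a key it lists, should be treated as potentially compromised.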
The propagator component then aggressively scans the internet for more vulnerable Windows and Linux systems to add to the Monero mining botnet.
It fully compromises them with exploits for remote code injection or remote code execution vulnerabilities, which let it run its payloads on the target.
The latest Sysrv dropper binary shows significant improvements while remaining, like previous versions, a statically linked, stripped Golang binary packed with UPX; string-based signatures therefore need to be applied to the unpacked binary (e.g., after `upx -d`).
The new binary drops multiple copies of an ELF file across the file system and starts a listener on the infected host, likely for persistence; together these behaviours indicate stronger persistence mechanisms than in earlier campaigns.
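A hunt for the two persistence indicators just described (the same ELF dropped in several locations, plus a new listening socket), as an added example for responders rather than code from the page's sources. The file tree and the /proc/net/tcp text are constructed samples, and `BASELINE_LISTENERS` is an assumed allow-list of ports expected on the host; `find_duplicate_elfs()` and `new_listeners()` are names chosen here.

```python
# Hunt for the persistence pattern described above: one ELF present in several
# places and an unexpected listening socket. Added example for responders, not
# Sysrv's own code. The file tree and /proc/net/tcp text are constructed samples.
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict

ELF_MAGIC = b"\x7fELF"
SKIP_DIRS = {"/proc", "/sys"}           # pseudo-filesystems, never walk them
BASELINE_LISTENERS = {22, 631}          # assumed: ports expected on this host

def is_elf(path):
    try:
        with open(path, "rb") as f:
            return f.read(4) == ELF_MAGIC
    except OSError:
        return False

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def find_duplicate_elfs(root, min_copies=2):
    """sha256 -> sorted paths, for every ELF present at least min_copies times under root."""
    by_hash = defaultdict(list)
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if is_elf(path):
                by_hash[sha256_file(path)].append(path)
    return {h: sorted(p) for h, p in by_hash.items() if len(p) >= min_copies}

def listening_ports(proc_net_tcp_text):
    """Ports in LISTEN state (st == 0A) from /proc/net/tcp or /proc/net/tcp6 text."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:   # first line is the header
        fields = line.split()
        if len(fields) > 3 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))   # port is hex after ':'
    return ports

def new_listeners(proc_net_tcp_text, baseline=BASELINE_LISTENERS):
    """Listening ports that are not in the expected baseline."""
    return listening_ports(proc_net_tcp_text) - set(baseline)

def build_sample_tree():
    """Constructed sample: the same fake ELF in four drop locations, plus one other ELF."""
    root = tempfile.mkdtemp(prefix="elf-hunt-")
    dropper = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"SAMPLE-DROPPER"
    other = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"SAMPLE-OTHER"
    files = {
        "tmp/.cache/app": dropper, "var/tmp/.cache/app": dropper,
        "dev/shm/.x/app": dropper, "home/deploy/.local/app": dropper,
        "usr/local/bin/tool": other,
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    return root

# Constructed /proc/net/tcp: sshd (0x16 = 22) and cups (0x277 = 631) listening,
# one established client connection, and an unexpected listener on 0x1F90 = 8080.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:A1B2 5E11220A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
   3: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for digest, paths in find_duplicate_elfs(root).items():
            print(f"ELF {digest[:16]}... found {len(paths)} times:")
            for p in paths:
                print("   ", os.path.relpath(p, root))
    finally:
        shutil.rmtree(root)
    print("unexpected listeners:", sorted(new_listeners(SAMPLE_PROC_NET_TCP)))
```

On a live host, run `find_duplicate_elfs("/")` (or start with /tmp, /var/tmp, /dev/shm and the home directories, which is where the sample tree puts its copies) and pass the real contents of /proc/net/tcp and /proc/net/tcp6 to `new_listeners()`; a hash that appears in several hidden directories together with a listener nobody provisioned is the pattern to escalate. Symlinks are skipped so one binary linked from many places is not reported as multiple drops.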
Significant Malware Campaigns
- Microsoft: Sysrv botnet targets Windows, Linux servers with new exploits (May 2022)
- New Sysrv Botnet Variant Makes Use of Google Subdomain to Spread XMRig Miner (March 2024)
References
- Sysrv Botnet Expands and Gains Persistence
- Sysrv-Hello Expands Infrastructure
- Sysrv: A new crypto-mining botnet is silently growing in the shadows
- New Sysrv Botnet Variant Makes Use of Google Subdomain to Spread XMRig Miner