The Sysrv botnet, initially identified in 2020, has evolved into a sophisticated threat, utilizing advanced techniques to deploy cryptominers across a vast network of compromised devices. Researchers at Imperva Threat Research recently uncovered the latest variant of Sysrv, which targets numerous websites globally, leveraging compromised legitimate domains to host malicious scripts such as “ldr.sh.” This script, resembling past iterations of Sysrv, demonstrates aggressive tactics, disrupting endpoint security measures and attempting lateral spreading via SSH.
Notably, the analyzed dropper script initiates a series of actions aimed at undermining security measures and facilitating the deployment of XMRig cryptominers on infected devices. This includes aggressive termination of processes and uninstallation of anti-malware solutions, as well as the preparation of various CPU architectures for cryptomining activity. Moreover, the botnet’s persistence mechanisms and obfuscation techniques pose challenges for analysis and mitigation efforts.
A key aspect of the Sysrv botnet’s operations involves the exploitation of a Google subdomain to distribute the XMRig miner. By disguising the second-stage binary as a legitimate error page, the botnet operators successfully evade detection and deliver their payload to compromised devices. Additionally, the presence of numerous Indicators of Compromise (IoCs), including URLs, file hashes, and a wallet address associated with XMR cryptocurrency mining, underscores the importance of proactive defense measures to counter this malicious campaign.
