Sysrv (Botnet, Cryptominer) – Malware

March 26, 2024
in Malware

Sysrv 

Additional Names

Sysrv-hello

Type of Malware

Botnet

Country of Origin

Unknown

Date of initial activity

2020

Associated Groups

Unknown

Targeted Countries

Worldwide

Motivation

The bot has two functions: spreading to infect more hosts, and mining Monero cryptocurrency on the hosts it controls.

Attack vectors

The cryptomining worm spreads by scanning the internet for vulnerable systems and exploiting them. Once on a host, Sysrv also spreads laterally over the network: it harvests SSH private keys and the list of hosts the server has already talked to (from bash history, ssh config, and known_hosts files) and uses them to attempt SSH logins to those hosts.

Targeted systems

Windows and Linux

Variants

Sysrv-K

Overview

First identified in 2020, Sysrv is a botnet that uses a Golang worm to infect devices and deploy cryptominers, propagates by exploiting network vulnerabilities, and has been continuously updated with new techniques by its operators. Sysrv is capable of infecting both Linux and Windows systems.

Targets

Vulnerable Windows and Linux enterprise servers. To gain initial access, the botnet exploits remote code execution flaws in web applications and other server-side software such as PHPUnit, Apache Solr, Confluence, Laravel, JBoss, Jira, Sonatype Nexus Repository Manager, Oracle WebLogic, and Apache Struts.

Techniques Used

Sysrv scans the Internet for vulnerable Windows and Linux enterprise servers and infects them with an XMRig Monero miner and a self-spreading payload. Initial access comes from the web application flaws listed under Targets above; because these are remote code injection or execution vulnerabilities, the botnet can run its dropper on the victim without any prior foothold. After killing competing cryptocurrency miners and deploying its own payloads, Sysrv spreads laterally over the network by attempting SSH logins with private keys harvested from the infected server, against hosts collected from the same server (bash history, ssh config, and known_hosts files). The propagator component then keeps scanning the Internet aggressively for more vulnerable Windows and Linux systems to add to the pool of Monero-mining bots.

The latest variant of the dropper is still a statically linked, stripped Golang binary packed with UPX, like earlier versions, but shows significant changes: it drops multiple copies of an ELF file across the filesystem and starts a listener on the infected host, behavior that points to improved persistence mechanisms compared with earlier campaigns.
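The lateral-movement step above (also summarized under Attack vectors) relies on three files every Linux host already has. The following script is an added example written for this page, not code from Sysrv or from any of the cited reports; it parses constructed copies of those three files and reports what a worm with root on the box could reach: hosts, usernames, and private-key paths. Every host, user, key path and key string in the fixtures is made up for the example, and the parsers cover only the common forms of each file (user@host targets, `-i`/`-p` options, `Host`/`HostName`/`Port`/`User`/`IdentityFile` directives, and plain, port-qualified, comma-separated or hashed known_hosts entries).

```python
import re
import shlex
from dataclasses import dataclass, field

# Constructed fixtures standing in for .bash_history, ~/.ssh/config and ~/.ssh/known_hosts.
SAMPLE_HISTORY = """\
ssh root@10.0.0.12
ssh -i /root/.ssh/deploy_key deploy@build.internal
scp backup.tgz admin@10.0.0.40:/tmp/
ls -la
ssh -p 2222 ops@10.0.0.55
"""
SAMPLE_CONFIG = """\
Host db
    HostName 10.0.0.77
    User postgres
    IdentityFile ~/.ssh/db_key
Host *
    IdentityFile ~/.ssh/id_rsa
"""
SAMPLE_KNOWN_HOSTS = """\
10.0.0.12 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyNotARealKey
[10.0.0.55]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAAExampleOnlyNotARealKey
|1|ExampleSalt=|ExampleHashedHost= ssh-rsa AAAAB3NzaC1yc2EAAAAExampleOnly
build.internal,10.0.0.23 ecdsa-sha2-nistp256 AAAAE2VjZHNhExampleOnly
"""

@dataclass
class SshExposure:
    hosts: set = field(default_factory=set)        # host or host:port a worm could try
    users: set = field(default_factory=set)        # usernames seen on this box
    identity_files: set = field(default_factory=set)
    hashed_known_hosts: int = 0                    # entries a worm cannot read back

def parse_bash_history(text, ex):
    """Pull user@host[:port] targets and -i key paths out of ssh/scp command lines."""
    for line in text.splitlines():
        try:
            argv = shlex.split(line)
        except ValueError:                         # unbalanced quotes: not an ssh line
            continue
        if not argv or argv[0] not in ("ssh", "scp"):
            continue
        port, i = None, 1
        while i < len(argv):
            tok = argv[i]
            if tok in ("-i", "-p", "-P") and i + 1 < len(argv):
                if tok == "-i":
                    ex.identity_files.add(argv[i + 1])
                else:
                    port = argv[i + 1]
                i += 2
                continue
            if "@" in tok:
                user, _, rest = tok.partition("@")
                host = rest.split(":", 1)[0]       # drop scp's ":/remote/path"
                ex.users.add(user)
                ex.hosts.add(f"{host}:{port}" if port else host)
            i += 1

def parse_ssh_config(text, ex):
    """Per Host block: HostName/Port give a target; User/IdentityFile give credentials."""
    blocks, cur = [], {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "host":
            cur = {"host": val}
            blocks.append(cur)
        elif key in ("hostname", "port"):
            cur[key] = val
        elif key == "user":
            ex.users.add(val)
        elif key == "identityfile":
            ex.identity_files.add(val)
    for b in blocks:
        if not any(c in b["host"] for c in "*?"):   # wildcard blocks are not targets
            h = b.get("hostname", b["host"])
            ex.hosts.add(f"{h}:{b['port']}" if "port" in b else h)

def parse_known_hosts(text, ex):
    """Plaintext entries name hosts this box has already talked to; hashed ones stay opaque."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        hostfield = line.split(None, 1)[0]
        if hostfield.startswith("|1|"):            # written by HashKnownHosts yes
            ex.hashed_known_hosts += 1
            continue
        for h in hostfield.split(","):
            m = re.fullmatch(r"\[(.+)\]:(\d+)", h)
            ex.hosts.add(f"{m.group(1)}:{m.group(2)}" if m else h)

def audit(history, ssh_config, known_hosts):
    ex = SshExposure()
    parse_bash_history(history, ex)
    parse_ssh_config(ssh_config, ex)
    parse_known_hosts(known_hosts, ex)
    return ex

if __name__ == "__main__":
    print(audit(SAMPLE_HISTORY, SAMPLE_CONFIG, SAMPLE_KNOWN_HOSTS))
```

On a real server, feed `audit()` the contents of the actual files for every account that has a shell, since Sysrv runs with whatever privileges the exploited service had. Two settings shrink the report directly: `HashKnownHosts yes` in ssh_config turns entries into the `|1|` form the script can only count, and a passphrase on a private key means the harvested file cannot be used for a login on its own.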
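The three dropper traits named in the last paragraph (statically linked, stripped, UPX-packed) are all readable from the ELF headers, which makes them a cheap first-pass filter on binaries pulled from a suspect host. The script below is an added triage helper, not Sysrv code and not from the cited reports: it parses the ELF64 header, program headers and section headers directly and flags the absence of a `PT_INTERP` entry (static), the absence of a `SHT_SYMTAB` section (stripped), the `UPX!` marker (packed), and the Go build-ID/pclntab strings that are only visible once a Go binary is unpacked. The ELF images it checks are constructed in-memory fixtures built by `build_sample`, not real samples, and the `UPX!` string check is a heuristic that a modified packer header defeats.

```python
import struct
from dataclasses import dataclass

ELF_MAGIC = b"\x7fELF"
PT_INTERP, SHT_SYMTAB = 3, 2
EHDR_FMT = "<16sHHIQQQIHHHHHH"  # Elf64_Ehdr (64 bytes)
PHDR_FMT = "<IIQQQQQQ"          # Elf64_Phdr (56 bytes)
SHDR_FMT = "<IIQQQQIIQQ"        # Elf64_Shdr (64 bytes)

@dataclass
class ElfTriage:
    static: bool      # no PT_INTERP: nothing asks for a dynamic loader
    stripped: bool    # no SHT_SYMTAB, or no section headers at all (UPX drops them)
    upx_packed: bool  # "UPX!" marker present in the image
    go_markers: bool  # Go build ID / .gopclntab strings visible (unpacked Go only)

    def matches_sysrv_dropper_profile(self):
        return self.static and self.stripped and self.upx_packed

def triage_elf(data: bytes) -> ElfTriage:
    if len(data) < 64 or data[:4] != ELF_MAGIC or data[4] != 2:
        raise ValueError("not a 64-bit ELF image")
    (_, _, _, _, _, phoff, shoff, _, _, phentsize, phnum,
     shentsize, shnum, _) = struct.unpack_from(EHDR_FMT, data, 0)
    ptypes = [struct.unpack_from(PHDR_FMT, data, phoff + i * phentsize)[0]
              for i in range(phnum)]
    stypes = [struct.unpack_from(SHDR_FMT, data, shoff + i * shentsize)[1]
              for i in range(shnum)]
    return ElfTriage(
        static=PT_INTERP not in ptypes,
        stripped=SHT_SYMTAB not in stypes,
        upx_packed=b"UPX!" in data,
        go_markers=b"Go build ID:" in data or b".gopclntab" in data,
    )

def build_sample(*, interp: bool, symtab: bool, body: bytes) -> bytes:
    """Construct a minimal, non-runnable ELF64 image with the requested headers (fixture only)."""
    phdrs = [struct.pack(PHDR_FMT, 1, 5, 0, 0x400000, 0x400000, 0, 0, 0x1000)]  # PT_LOAD
    if interp:
        phdrs.insert(0, struct.pack(PHDR_FMT, PT_INTERP, 4, 0, 0, 0, 0, 0, 1))
    shdrs = []
    if symtab:
        shdrs = [struct.pack(SHDR_FMT, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0),          # SHT_NULL
                 struct.pack(SHDR_FMT, 1, SHT_SYMTAB, 0, 0, 0, 0, 0, 0, 8, 24)]
    phoff = 64
    shoff = phoff + 56 * len(phdrs) + len(body) if shdrs else 0
    ehdr = struct.pack(EHDR_FMT, b"\x7fELF\x02\x01\x01" + b"\x00" * 9, 2, 62, 1,
                       0x400000, phoff, shoff, 0, 64, 56, len(phdrs), 64, len(shdrs), 0)
    return ehdr + b"".join(phdrs) + body + b"".join(shdrs)

# Constructed fixtures: a Sysrv-like packed dropper, an unpacked static Go binary, a normal dynamic binary.
SAMPLES = {
    "packed_dropper": build_sample(interp=False, symtab=False,
        body=b"UPX!" + b"\x00" * 12 +
             b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $"),
    "unpacked_go": build_sample(interp=False, symtab=False,
        body=b"\x00Go build ID: \"example\"\x00.gopclntab\x00"),
    "dynamic_c": build_sample(interp=True, symtab=True,
        body=b"/lib64/ld-linux-x86-64.so.2\x00"),
}

if __name__ == "__main__":
    for name, image in SAMPLES.items():
        t = triage_elf(image)
        print(f"{name:15s} {t}  dropper-like={t.matches_sysrv_dropper_profile()}")
```

`file(1)` reports the same static/stripped properties, but the explicit parse makes it clear which header fields carry the signal. A packed hit is only a first filter: unpack it with `upx -d` and re-run the triage, at which point a Sysrv-style dropper should show the Go markers while remaining static and stripped.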

Significant Malware Campaigns

  • Microsoft: Sysrv botnet targets Windows, Linux servers with new exploits (May 2022)
  • New Sysrv Botnet Variant Makes Use of Google Subdomain to Spread XMRig Miner (March 2024)

References

  • Sysrv Botnet Expands and Gains Persistence
  • Sysrv-Hello Expands Infrastructure
  • Sysrv: A new crypto-mining botnet is silently growing in the shadows
  • New Sysrv Botnet Variant Makes Use of Google Subdomain to Spread XMRig Miner
 
    © 2025 | CyberMaterial | All rights reserved
