About UsCareersBlogLog In
Cyber Security ResourceCyber Security Resource
  • Home
  • Products
    • IT Security Partnership Program
    • Cyber Security Resource Community
    • Third Party Risk Management
    • Managed Detection and Response
  • Services
    • Cyber Security Risk Assessment
    • HITRUST Readiness Assessment
    • Cyber Security Advisory Services
    • Penetration Test
    • Vulnerability Assessment
  • Solutions
    • Security Awareness & Training
    • Email Phishing
    • Antivirus – Antimalware
  • Resources
    • Cyber Security Resource Library
    • IT Governance
    • Information Security
    • Risk Management
    • Vulnerability Management
    • Incident Response
  • Partners
    • Consultants Network
    • Sales Partners
Facebook
Twitter
LinkedIn
YouTube
About UsCareersBlogLog In

'Sysrv' – New Crypto-Mining Botnet is Silently Expanding it's Reach

April 24, 2021AddMgrNo Comments

It appears that the developers of the ‘Sysrv’ botnet have been working hard in putting out a more sophisticated version of their malware, as the latest surge in the associated activity is accompanied by expanded capabilities and persistence. The actors’ goal is to install Monero crypto miners and make a profit by burdening the machines of others.

Researchers at Juniper Threat Labs have been following the activity and sampled several iterations of the Sysrv since the start of the year and noticed several changes along the way.
First of all, during the surge of the attacks, the exploits that were modified into Sysrv concerned the following six vulnerabilities:

• Mongo Express RCE (CVE-2019-10758)
• XXL-JOB Unauth RCE 

• XML-RPC (CVE-2017-11610) 

• CVE-2020-16846 (Saltstack RCE)

• ThinkPHP RCE 

• CVE-2018-7600 (Drupal Ajax RCE) 


By using these flaws, the actors infect a vulnerable system and use it as a Monero miner as well as a point to help the menace spread further. The worming function relies on random public IP scans using the same list of exploits while the payload is fetched from a hardcoded IP or domain via wget, curl, or PowerShell. The researchers noticed the use of two loader scripts, namely ldr.sh or ldr.sp1. 

Sysrv has two binary payloads, one for Linux and one for Windows systems. The miner component is merged with the worm into a single binary in the most recent versions of the malware, whereas previously, it was in the form of a separate binary.
The campaign’s effectiveness seems to be moderate, as the researchers were able to confirm that the actors have made at least a couple of thousand USD on each mining pool since December 2020. By looking into the Shodan search engine’s exploits, it becomes clear that Sysrv was tuned to target systems that have been “abandoned.”

However, Sysrv is being actively developed, and its authors are adding more exploits that target recent flaws. The newer versions of the malware include CVE-2021-3129 (Laravel), CVE-2020-14882 (Oracle Weblogic), and CVE-2019-3396 (Widget Connector macro in Atlassian Confluence Server). This alone tells us that Sysrv is here to stay, and it’s going to get nastier with time.

This post was originally published on this site

AddMgr
Our passion at Cyber Security Resource is to work with IT Security Officers, Risk Managers, IT Managers, and Business Professionals to meet their Compliance and IT Security requirements. We offer IT security risk assessments, network and application penetration testing, and security certification readiness for Hitrust or SOCII.
Previous post HSN | Electronic Connection featuring HP 04.24.2021 – 04 AM Next post HSN | Electronic Connection featuring HP 04.24.2021 – 05 AM

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Get Our Newsletter

  • Virtual CISO Advisory Services
  • Cyber Security Risk Assessment
  • Vulnerability Assessment
  • Penetration Test
  • Cyber Security Awareness Training

Latest News

  • HITRUST Certification vs HIPAA: What you Need to Know
  • Why Do Businesses Need an Incident Response Plan?
  • Vulnerability Assessment vs. Penetration Testing: What’s the Difference?
  • Healthcare Cyber Security Trends: What You Need to Know Now and Going Forward
  • How To Perform a Cyber Security Risk Analysis For Any Organization.
HomeAccountPrivacy PolicyReturn & Refund PolicyTerms and ConditionsAbout UsContact Us

Return & Refund Policy - Terms and Conditions