The latest variant of the Sysrv botnet malware threatens Windows and Linux systems with an extensive list of vulnerabilities to exploit, according to Microsoft.
The strain, which Microsoft’s security intelligence team calls Sysrv-K, scans the Internet for web servers with security vulnerabilities, such as path traversal, remote file disclosure, and arbitrary file download bugs, which can be exploited to infect machines.
The vulnerabilities, which all have patches available, include flaws in WordPress plugins as well as the recently disclosed remote code execution hole in Spring Cloud Gateway software tracked as CVE-2022-22947, which Uncle Sam’s CISA warned about this week.
Once run on a compromised system, Sysrv-K deploys a Monero cryptocurrency miner, which will siphon the system’s compute resources to generate digicash. It can also scan WordPress files on compromised machines to take control of web server software and use Telegram as a communication channel, Microsoft warned.
“A new behavior observed in Sysrv-K is that it searches WordPress configuration files and their backups to retrieve database credentials, which it uses to take control of the web server,” wrote the Microsofties in a series of tweets. “Sysrv-K has updated communication capabilities, including the ability to use a Telegram bot.”
Sysrv-K, like previous variants, also searches for SSH keys, IP addresses, and hostnames on infected machines so that it can use this information to spread over SSH connections. The researchers warned that compromised systems can be integrated quite easily into a remote-controlled botnet.
“We urge organizations to secure systems accessible over the Internet, including timely application of security updates and building credential hygiene,” they wrote, adding that their Microsoft Defender for Endpoint, natch, detects both Sysrv-K and older variants along with associated behavior and payloads.
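The credential-hygiene point above can be checked mechanically: the wp-config.php backups Sysrv-K hunts for only leak database passwords if they sit in a served web root or are readable by every local account. The following audit script is an added example, not code from Microsoft or from the malware; it assumes a Linux host with a WordPress document root and flags exactly those two conditions.

```python
"""Audit a WordPress document root for wp-config.php copies that leak
database credentials. Example code, not Microsoft's or Sysrv's."""
import os
import stat
import tempfile

HARMLESS = {"wp-config-sample.php"}  # ships with WordPress, holds no secrets


def classify(name: str, mode: int) -> list[str]:
    """Findings for one file, given its basename and its st_mode bits."""
    lower = name.lower()
    if not lower.startswith("wp-config") or lower in HARMLESS:
        return []
    issues = []
    if lower != "wp-config.php":
        # wp-config.php.bak, wp-config.php~, wp-config.old: the web server
        # usually serves these verbatim, so DB_PASSWORD is one GET away.
        issues.append("backup copy of wp-config.php inside web root")
    if mode & stat.S_IROTH:
        # any local account, or a file-disclosure bug under another user
        issues.append("world-readable")
    return issues


def audit_tree(root: str) -> list[tuple[str, list[str]]]:
    """Walk a document root; return (path, issues) for each exposed file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                issues = classify(name, os.stat(path).st_mode)
            except OSError:
                continue  # unreadable or vanished; nothing to report
            if issues:
                findings.append((path, issues))
    return sorted(findings)


def demo() -> list[tuple[str, list[str]]]:
    """Audit a constructed sample web root built in a temp directory."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in [("wp-config.php", 0o640), ("wp-config.php.bak", 0o644),
                           ("wp-config-sample.php", 0o644), ("index.php", 0o644)]:
            open(os.path.join(root, name), "w").close()
            os.chmod(os.path.join(root, name), mode)
        return [(os.path.basename(p), i) for p, i in audit_tree(root)]
```

Running `audit_tree("/var/www/html")` on a real server lists each offending path; `demo()` runs the same check on a constructed tree and reports only the world-readable `wp-config.php.bak`.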
A quick study
Sysrv was spotted in December 2020 and has evolved rapidly ever since. In a blog post published in the fall, Dorka Palotay, principal threat researcher at cybersecurity provider Cujo AI, noted that the cryptomining worm and malware had gone through several iterations.
One of the ways it stood out was using the Go programming language, which brings with it easy cross-compilation capabilities – it has a single codebase that can produce executables for disparate architectures – and its large file size makes binaries a pain to reverse-engineer, Palotay writes.
“At its core, Sysrv is a cryptocurrency worm and miner,” she wrote. “The two modules were in separate files in its early releases, but its developers have since combined the two. The worm module simply runs port scans against random IP addresses to find vulnerable Tomcat, WebLogic and MySQL services and attempts to infiltrate servers with a hard-coded password dictionary attack.”
As the botnet evolved, more exploit code was added to improve its worming capabilities. The malware starts with a simple script file that deploys exploit modules against potentially vulnerable targets.
“People used to say Linux was malware-free,” Palotay wrote. “Well, not only has that not been true for the past 25 years, but we now live in a time where Linux is as promising a target for threat actors as some Windows endpoints due to its widespread use as the operating system in many organizations. And, more importantly, it serves as the operating system for popular Internet of Things devices.”
She listed more than two dozen exploits used by Sysrv against a range of software suites, including JBoss, Adobe ColdFusion, Atlassian Confluence and Jira, various Apache tools, and Oracle WebLogic.
“Sysrv included a small set of exploits in its initial campaigns. Over time, as it developed and evolved, Sysrv continually incorporated new exploits to spread more effectively,” Palotay wrote.
“Interestingly, we have not only seen exploits added to the code, but also specific exploits undergoing multiple stages of development. Sysrv developers have updated some functions in multiple samples until they reach a satisfying result or just get rid of it. Some exploits were used only in one or two samples, while others proved useful and stuck.” ®