In a Twitter thread, the Microsoft Security Intelligence team have revealed new information about the latest versions of the Sysrv botnet.
The variant they focused on uses a range of known exploits for vulnerabilities in web apps and databases to install cryptocurrency miners on both Windows and Linux systems.
The Sysrv botnet first received attention at the end of 2020 because at the time it was one of the rare malware binaries written in Golang (aka GO). Since then the botnet has evolved, gained new features, and changed its behavior. One of the advantages of the Golang language for malware authors is that it allows them to create multi-platform malware—the same malware binaries can be used against Windows and Linux machines.
The latest Sysrv variant scans the Internet for web servers that have security holes offering opportunities such as path traversal, remote file disclosure, and arbitrary file download bugs. Really, any vulnerability that can be exploited to infect the machines.
Once it has gained a foothold and the bot malware is running on a compromised system it deploys a Monero cryptocurrency miner.
The favorite cryptocurrency
The most popular cryptocurrency for attackers to mine is Monero. Monero is a cryptocurrency designed for privacy, promising “all the benefits of a decentralized cryptocurrency, without any of the typical privacy concessions”.
No cryptocurrency is anonymous, as many people think, but there are other reasons why cryptojackers favor Monero:
- Many cryptomining algorithms run significantly better on ASICs or GPUs, but Monero mining algorithms run better on CPUs, which matches what the cryptojacker can expect to find in a containerized environment.
- Like Bitcoin, Monero is one of the better known cryptocurrencies and therefore is expected to hold its value. That’s a big perk given the unrest in cryptocurrency markets at the time of writing.
With cryptocurrencies, users hide behind a pseudonym, like one or more wallet IDs. Their activities can be tracked—forever—so keeping their identity secret depends on how well they can separate their real identity from their wallet IDs.
While Linux malware was almost unheard of a few years ago, a couple of factors have “helped” the development of malware that targets Linux based systems. One is the development of languages that enable the creation of multiplatform malware like Golang. Another is the usage of Linux as the go-to operating system for many IoT devices.
IoT malware has matured over the years and has become popular, especially among botnets. With billions of Internet-connected devices like cars, household appliances, surveillance cameras, and network devices online, IoT devices are a very large bullseye for botnet malware.
The number of malware infections targeting Linux devices rose by 35% in 2021, most commonly to recruit IoT devices for distributed denial of service (DDoS) attacks. And around 95% of web servers run on Linux.
Like many other botnets, Sysrv weaponizes bugs in WordPress plugins and in the Spring Framework. It can rifle through WordPress files on compromised machines to take control of web server software. According to Microsoft:
“A new behavior observed in Sysrv-K is that it scans for WordPress configuration files and their backups to retrieve database credentials, which it uses to gain control of the web server.”
The latest Sysrv variant also scans for Secure Shell (SSH) keys, IP addresses, and host names on infected machines so that it can use this information to spread via SSH connections. SSH keys are an access credential used in the SSH protocol and are foundational to modern Infrastructure-as-a-Service platforms such as AWS, Google Cloud, and Azure.
Another vulnerability the botnet uses is CVE-2022-22947. Some Spring cloud gateway version applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed, and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.
The botnet malware starts with a simple script file that deploys modules of exploits against potentially vulnerable targets. Not only do the developers constantly add new exploits to the code, they keep updating the code. If the exploits aren’t successful, the developers get rid of them. Ever since the first appearance of the Sysrv botnet, the threat actors have released new scripts almost monthly.
Most of the vulnerabilities that the Sysrv botnet uses have been patched, so an effective patch management strategy can be a big help in keeping these miners off your systems.
Another strategy to looks at is whether all the servers that are at risk need to be Internet-facing. In some cases it may be better to take them offline.
Don’t forget to equip your servers with anti-malware protection. The time that you could rest assured that your Linux server would be safe is unfortunately over.
Safeguard your credentials and make sure that multi-factor authentication (MFA) is in place for your important assets.
Stay safe, everyone!