A new Sysrv variant, dubbed Sysrv-K, scans for vulnerabilities ranging from path traversal and remote file disclosure to arbitrary file download and remote code execution, Microsoft says. Like prior variants, Sysrv-K also scans for SSH keys, IP addresses, and host names.
The range of vulnerabilities includes older flaws in WordPress plugins, already addressed in security updates, as well as newer ones such as CVE-2022-22947, the Spring Cloud Gateway remote code execution flaw (National Vulnerability Database).
Once running on a device, Sysrv-K deploys a cryptocurrency miner, Microsoft said in a series of tweets.
Sysrv was first discovered in December 2020. In April of 2021, Juniper Networks cited Sysrv for exploiting vulnerabilities in web apps and databases to install coin miners on both Windows and Linux systems.
"The...objective is to install a Monero cryptominer," Juniper Networks said.
One of the new behaviors observed in the Sysrv-K variant is the ability to scan for WordPress configuration files and backups to retrieve database credentials, which it then uses to gain control of the web server, Microsoft said.
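The probing described above (path traversal, remote file disclosure, and requests for WordPress configuration files and their backup copies) leaves a recognisable trail in web server access logs. The following is an added example, not code from Microsoft or from the Sysrv analysis: a small Python detector that runs over constructed Apache/nginx "combined" log lines, decodes percent-encoding (including double encoding), tags requests that mention wp-config.php or contain a traversal sequence, and reports per source address which of those requests the server actually answered with a 2xx. The log lines and addresses are made up for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in the Apache/nginx "combined" log format.
# Addresses are from documentation ranges and the requests are invented.
SAMPLE_LOG = """\
203.0.113.7 - - [16/May/2022:10:01:02 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [16/May/2022:10:01:03 +0000] "GET /wp-config.php~ HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.2 - - [16/May/2022:10:02:10 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "curl/7.68.0"
192.0.2.9 - - [16/May/2022:10:03:00 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [16/May/2022:10:04:11 +0000] "GET /backup/wp-config.php.old HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.2 - - [16/May/2022:10:05:00 +0000] "GET /dl?file=..%252f..%252fwp-config.php HTTP/1.1" 200 3120 "-" "curl/7.68.0"
"""

# Fields of the combined format that matter here: client IP, request target, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) '
)

# No legitimate request ever names the WordPress config file; any hit is a probe.
WP_CONFIG_RE = re.compile(r"wp-config\.php", re.I)
# "../" or "..\" anywhere in the decoded path or query string.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def fully_decode(s, max_rounds=3):
    """Undo up to max_rounds of percent-encoding so %252e%252e%252f is seen as ../."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(target):
    """Return the set of probe categories a request target matches (empty if benign)."""
    decoded = fully_decode(target)
    tags = set()
    if WP_CONFIG_RE.search(decoded):
        tags.add("wp_config")
    if TRAVERSAL_RE.search(decoded):
        tags.add("traversal")
    return tags


def analyze(log_text):
    """Per source IP: probe counts by category, plus the probes the server answered 2xx."""
    report = defaultdict(lambda: {"wp_config": 0, "traversal": 0, "disclosed": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        tags = classify(m["target"])
        if not tags:
            continue
        entry = report[m["ip"]]
        for tag in tags:
            entry[tag] += 1
        if 200 <= int(m["status"]) < 300:
            # A 2xx to a config-file or traversal probe deserves a look: something was served.
            entry["disclosed"].append(m["target"])
    return dict(report)


if __name__ == "__main__":
    for ip, e in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{ip}: wp-config probes={e['wp_config']} traversal={e['traversal']} "
              f"answered 2xx={e['disclosed']}")
```

The 404 responses show the scanner guessing backup names; the 200 for `/wp-config.php~` is the one that matters, because an editor backup file is served as plain text rather than executed, which is exactly how database credentials leak.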
Sysrv-K also has updated communication capabilities, including the use of a Telegram bot, Microsoft said.
Scans for SSH keys
“Like older variants, Sysrv-K scans for SSH keys, IP addresses, and host names, and then attempts to connect to other systems in the network via SSH to deploy copies of itself. This could put the rest of the network at risk of becoming part of the Sysrv-K botnet,” according to Microsoft.
“We highly recommend organizations to secure internet-facing systems, including timely application of security updates and building credential hygiene,” Microsoft added.
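What makes the SSH spreading described above work is material already sitting on the compromised host: private keys stored without a passphrase, and known_hosts entries that list where those keys have been used. The following is an added example, not code from Microsoft or the Sysrv research, of a Python check a defender can run to measure that exposure: it reads private keys in both the OpenSSH (openssh-key-v1) and legacy PEM formats to decide whether each would need a passphrase, and parses known_hosts to list the plaintext host names a worm could try (hashed entries, from HashKnownHosts, are counted but not recoverable). The key blobs and known_hosts lines are constructed fixtures with no real key material.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(blob, off):
    """Read one SSH wire-format string (uint32 length + bytes) starting at offset off."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def key_needs_passphrase(pem_text):
    """True if the private key is encrypted at rest, False if it is usable as-is."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN") or not lines[-1].startswith("-----END"):
        raise ValueError("not a PEM-armoured private key")
    if "OPENSSH PRIVATE KEY" in lines[0]:
        # openssh-key-v1: magic, then ciphername and kdfname strings; "none" means cleartext.
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))
        return cipher != b"none"
    # Legacy PEM (BEGIN RSA/EC/DSA PRIVATE KEY): encryption is announced by a header line.
    return any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines[1:-1])


def parse_known_hosts(text):
    """Return (plaintext host names, count of hashed entries) from known_hosts content."""
    hosts, hashed = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and @cert-authority/@revoked markers (patterns, not visited hosts).
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        if fields[0].startswith("|1|"):   # HashKnownHosts yes: name cannot be recovered
            hashed += 1
            continue
        hosts.extend(fields[0].split(","))  # "host,10.0.0.5" or "[host]:2222" forms
    return hosts, hashed


def blast_radius(keys, known_hosts_text):
    """keys: {path: pem_text}. Summarise what an SSH-spreading worm could reuse."""
    usable = sorted(p for p, pem in keys.items() if not key_needs_passphrase(pem))
    protected = sorted(p for p in keys if p not in usable)
    hosts, hashed = parse_known_hosts(known_hosts_text)
    return {"usable_keys": usable, "protected_keys": protected,
            "target_hosts": sorted(set(hosts)), "hashed_entries": hashed}


# ---- constructed fixtures (no real key material) ----
def _fake_openssh_key(cipher):
    """Structurally valid openssh-key-v1 header only; fixture for the format check."""
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    body = OPENSSH_MAGIC
    for s in (cipher, kdf, b""):          # ciphername, kdfname, kdfoptions
        body += struct.pack(">I", len(s)) + s
    body += struct.pack(">I", 1)          # number of keys
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

SAMPLE_KEYS = {
    "~/.ssh/id_ed25519": _fake_openssh_key(b"none"),
    "~/.ssh/id_rsa": _fake_openssh_key(b"aes256-ctr"),
    "~/.ssh/deploy_key": "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "~/.ssh/backup_key": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                          "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nAAAA\n"
                          "-----END RSA PRIVATE KEY-----\n"),
}

SAMPLE_KNOWN_HOSTS = """\
# constructed known_hosts; key blobs are placeholders
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER
[bastion.example.internal]:2222,10.0.0.5 ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER
|1|Zm9v|YmFy ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER
@cert-authority *.example.internal ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER
db01.example.internal,10.0.0.7 ecdsa-sha2-nistp256 AAAAE2VjZHNhPLACEHOLDER
"""

if __name__ == "__main__":
    for k, v in blast_radius(SAMPLE_KEYS, SAMPLE_KNOWN_HOSTS).items():
        print(f"{k}: {v}")
```

Every key in `usable_keys` combined with every name in `target_hosts` is a connection the worm can attempt without guessing anything; adding a passphrase to those keys and enabling HashKnownHosts shrinks that list directly, which is the concrete form of the "credential hygiene" Microsoft recommends.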
At its core a cryptocurrency miner
At its core, Sysrv is a worm and a cryptocurrency miner, CUJO AI, a cybersecurity company, said in a September 2021 blog.
“The main goal of the Sysrv botnet is to mine the Monero cryptocurrency,” CUJO AI said, reinforcing Juniper Networks’ description of the botnet.
“The worm module simply initiates port scans against random IPs to find vulnerable Tomcat, WebLogic, and MySQL services and tries to infiltrate the servers with a hardcoded password dictionary attack,” CUJO AI's Dorka Palotay said in the blog.
As Sysrv evolved, it added more exploits to extend its worm capabilities.
"The malware propagation starts with a simple loader script file, which pulls down those modules upon successful execution," the blog explains.
Palotay says that the Sysrv botnet has stood out due to its use of Golang (Go) – “a relatively new programming language that a growing number of malware developers have picked up since early 2020.”