The latest version of the Sysrv botnet malware threatens Windows and Linux systems with an expanding list of vulnerabilities to exploit, according to Microsoft.
The strain, which the Microsoft Security Intelligence team calls Sysrv-K, scans the Internet for web servers with vulnerabilities such as path traversal, remote file disclosure, and arbitrary file download flaws, which can be exploited to infect devices.
The vulnerabilities, which all have patches available, include flaws in WordPress plugins as well as a recently disclosed remote code execution hole in Spring Cloud Gateway, tracked as CVE-2022-22947, that CISA warned Uncle Sam about this week.
Once running on a compromised system, Sysrv-K deploys a Monero cryptocurrency miner, which consumes the host's resources to generate digicash. Microsoft has also seen the malware probing WordPress files on hacked devices in an attempt to take control of the web server software, and using Telegram as a communications channel.
“Sysrv-K has updated communication capabilities, including the ability to use a Telegram bot,” the Microsofties wrote in a series of tweets.
Sysrv-K, like previous variants, scans for SSH keys, IP addresses, and hostnames on infected machines and uses this information to propagate over SSH connections. The researchers cautioned that these compromised systems could be converted into a remote-controlled botnet relatively easily.
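As an added illustration of the SSH-key harvesting described above (example code written for this page, not Microsoft's or Cujo AI's), the following Python audit shows what such a worm would find on a host: private keys stored without a passphrase, and hosts listed in plaintext in known_hosts. The key files and known_hosts content are constructed samples; the OpenSSH-format check reads only the format's magic and cipher-name fields, and everything else is assumed.

```python
import base64
import struct
MAGIC = b"openssh-key-v1\x00"  # prefix of the OpenSSH private key format


def _openssh_key(cipher: bytes) -> str:
    # Constructed stand-in for an OpenSSH-format key: magic, cipher name, kdf name only.
    body = MAGIC + struct.pack(">I", len(cipher)) + cipher + struct.pack(">I", 4) + b"none"
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(body).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


SAMPLE_KEYS = {  # constructed sample key files, no real key material
    "id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "id_rsa_enc": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                   "DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n"),
    "id_ed25519": _openssh_key(b"none"),
    "id_ed25519_enc": _openssh_key(b"aes256-ctr"),
}
SAMPLE_KNOWN_HOSTS = """\
build01.internal,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructed
|1|c2FsdA==|aGFzaA== ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAConstructed
# constructed known_hosts: comments and blank lines are ignored
"""


def key_is_encrypted(pem: str) -> bool:
    """True if the private key needs a passphrase (legacy PEM or OpenSSH format)."""
    lines = pem.strip().splitlines()
    if lines[0].startswith("-----BEGIN OPENSSH PRIVATE KEY-----"):
        raw = base64.b64decode("".join(lines[1:-1]))
        (n,) = struct.unpack(">I", raw[len(MAGIC):len(MAGIC) + 4])
        return raw[len(MAGIC) + 4:len(MAGIC) + 4 + n] != b"none"  # cipher name
    # Legacy PEM: OpenSSL marks passphrase-protected keys with this header.
    return any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines)


def known_hosts_targets(text: str) -> list:
    """Hosts readable straight out of known_hosts; hashed entries give '<hashed>'."""
    targets = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        host = fields[1] if fields[0].startswith("@") else fields[0]  # skip @cert-authority
        targets.extend(["<hashed>"] if host.startswith("|1|") else host.split(","))
    return targets


def ssh_exposure(keys: dict, known_hosts: str) -> dict:
    # What a credential-harvesting worm would gain: usable keys plus ready-made targets.
    unencrypted = sorted(n for n, pem in keys.items() if not key_is_encrypted(pem))
    targets = known_hosts_targets(known_hosts)
    return {"unencrypted_keys": unencrypted, "reachable_hosts": targets,
            "plaintext_hosts": sum(t != "<hashed>" for t in targets)}
```

Running `ssh_exposure` over a user's real `~/.ssh` directory (reading each file with the same functions) gives a quick picture of the lateral-movement exposure the credential-hygiene advice above is aimed at; enabling `HashKnownHosts` and passphrase-protecting keys brings both counts down.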
“We strongly recommend organizations to secure Internet-facing systems, including timely application of security updates and building credential health,” they wrote, adding that Microsoft Defender for Endpoint, natch, detects both Sysrv-K and older variants as well as relevant behavior and payloads.
Sysrv was first spotted in December 2020 and has evolved rapidly since then. In a blog post in the fall, Dorka Palotay, chief threat researcher with cybersecurity firm Cujo AI, pointed out that the worm and cryptomining malware had already gone through several iterations.
One of the ways it stood out was its use of the Go programming language, which offers easy cross-compilation – a single code base can produce executables for disparate architectures – and its large file size makes the binaries difficult.
“At its core, Sysrv is a worm and a cryptocurrency miner,” she wrote. “The two modules were in separate files in their first versions, but its developers have since combined the two. The worm module simply starts port scans against random IP addresses to find vulnerable Tomcat, WebLogic and MySQL services and attempts to infiltrate servers using an encrypted password dictionary attack.”
As the botnet has developed, more exploit code has been added to enhance the worm's capabilities. The malware starts with a simple text file that drives a set of exploits against potentially vulnerable targets.
“People used to say Linux is free of malware,” Palotay wrote. “Well, not only has that been true for the past twenty-five years, but we now live in an age where Linux is as promising a target for threat actors as Windows endpoints, due to its widespread use as an operating system across many organizations. And, most importantly, it serves as an operating system for popular IoT devices.”
More than two dozen exploits used by Sysrv are listed, targeting a range of software including JBoss, Adobe ColdFusion, Atlassian Confluence and Jira, various Apache tools, and Oracle WebLogic.
“Sysrv included a small set of exploits in its initial campaigns. Over time, as it developed and transformed, Sysrv continually incorporated new exploits to spread more effectively,” Palotay wrote.
“Interestingly, we have not only seen exploits added to the code, but also some specific vulnerabilities go through several development stages. Sysrv developers have updated some functionality in multiple samples until they reach a satisfactory result or simply get rid of them. Some vulnerabilities were used only in one or two samples, while others proved their usefulness and remained stuck.” ®