A recently discovered cryptomining botnet is actively scanning for vulnerable Windows and Linux enterprise servers and infecting them with Monero (XMRig) miner and self-spreader malware payloads.
First spotted by Alibaba Cloud (Aliyun) security researchers in February (who dubbed it Sysrv-hello) and active since December 2020, the botnet has also landed on the radars of researchers at Lacework Labs and Juniper Threat Labs after a surge of activity during March.
While, at first, it was using a multi-component architecture with the miner and worm (propagator) modules, the botnet has been upgraded to use a single binary capable of mining and auto-spreading the malware to other devices.
Sysrv-hello’s propagator component aggressively scans the Internet for more vulnerable systems to add to its army of Monero mining bots with exploits targeting vulnerabilities that allow it to execute malicious code remotely.
The attackers “are targeting cloud workloads through remote code injection/remote code execution vulnerabilities in PHPUnit, Apache Solar, Confluence, Laravel, JBoss, Jira, Sonatype, Oracle WebLogic and Apache Struts to gain initial access,” Lacework found.
After hacking into a server and killing competing cryptocurrency miners, the malware will also spread over the network in brute force attacks using SSH private keys collected from various locations on infected servers
“Lateral movement is conducted via SSH keys available on the victim machine and hosts identified from bash history files, ssh config files, and known_hosts files,” Lacework added.
Vulnerabilities targeted by Sysrv-hello
After the botnet’s activity surged in March, Juniper identified six vulnerabilities exploited by malware samples collected in active attacks:
- Mongo Express RCE (CVE-2019-10758)
- XML-RPC (CVE-2017-11610)
- Saltstack RCE (CVE-2020-16846)
- Drupal Ajax RCE (CVE-2018-7600)
- ThinkPHP RCE (no CVE)
- XXL-JOB Unauth RCE (no CVE)
Other exploits used by the botnet in the past also include:
- Laravel (CVE-2021-3129)
- Oracle Weblogic (CVE-2020-14882)
- Atlassian Confluence Server (CVE-2019-3396)
- Apache Solr (CVE-2019-0193)
- PHPUnit (CVE-2017-9841)