A newly discovered cryptomining worm is stepping up its targeting of Windows and Linux devices with a batch of new exploits and capabilities, a researcher said.
Research company Juniper started monitoring what it’s calling the Sysrv botnet in December. One of the botnet’s malware components was a worm that spread from one vulnerable device to another without requiring any user action. It did this by scanning the Internet for vulnerable devices and, when found, infecting them using a list of exploits that has increased over time.
The malware also included a cryptominer that uses infected devices to create the Monero digital currency. There was a separate binary file for each component.
Constantly growing arsenal
By March, Sysrv developers had redesigned the malware to combine the worm and miner into a single binary. They also gave the script that loads the malware the ability to add SSH keys, most likely as a way to make it better able to survive reboots and to have more sophisticated capabilities. The worm was exploiting six vulnerabilities in software and frameworks used in enterprises, including Mongo Express, XXL-Job, XML-RPC, Saltstack, ThinkPHP, and Drupal Ajax.
“Based on the binaries we have seen and the time when we have seen them, we found that the threat actor is constantly updating its exploit arsenal,” Juniper researcher Paul Kimayong said in a Thursday blog post.
Thursday’s post listed more than a dozen exploits that are under attack by the malware. They are:
|CVE-2019-3396||Widget Connector macro in Atlassian Confluence Server|
|CVE-2017-12149||Jboss Application Server|
|Apache Hadoop Unauthenticated Command Execution via YARN ResourceManager (No CVE)||Apache Hadoop|
|Brute force Jenkins||Jenkins|
|Jupyter Notebook Command Execution (No CVE)||Jupyter Notebook Server|
|CVE-2019-7238||Sonatype Nexus Repository Manager|
|Tomcat Manager Unauth Upload…|