Windows and Linux devices are under attack by a new cryptomining worm

Opt-in to Cyber Safety. Multiple layers of protection for your devices, online privacy and more.


Windows and Linux devices are under attack by a new cryptomining worm

Getty Images

A newly discovered cryptomining worm is stepping up its targeting of Windows and Linux devices with a batch of new exploits and capabilities, a researcher said.

Research company Juniper started monitoring what it’s calling the Sysrv botnet in December. One of the botnet’s malware components was a worm that spread from one vulnerable device to another without requiring any user action. It did this by scanning the Internet for vulnerable devices and, when found, infecting them using a list of exploits that has increased over time.

The malware also included a cryptominer that uses infected devices to create the Monero digital currency. There was a separate binary file for each component.

Constantly growing arsenal

By March, Sysrv developers had redesigned the malware to combine the worm and miner into a single binary. They also gave the script that loads the malware the ability to add SSH keys, most likely as a way to make it better able to survive reboots and to have more sophisticated capabilities. The worm was exploiting six vulnerabilities in software and frameworks used in enterprises, including Mongo Express, XXL-Job, XML-RPC, Saltstack, ThinkPHP, and Drupal Ajax.

“Based on the binaries we have seen and the time when we have seen them, we found that the threat actor is constantly updating its exploit arsenal,” Juniper researcher Paul Kimayong said in a Thursday blog post.

Juniper Research

Thursday’s post listed more than a dozen exploits that are under attack by the malware. They are:

Exploit Software
CVE-2021-3129 Laravel
CVE-2020-14882 Oracle Weblogic
CVE-2019-3396 Widget Connector macro in Atlassian Confluence Server
CVE-2019-10758 Mongo Express
CVE-2019-0193 Apache Solr
CVE-2017-9841 PHPUnit
CVE-2017-12149 Jboss Application Server
CVE-2017-11610 Supervisor (XML-RPC)
Apache Hadoop Unauthenticated Command Execution via YARN ResourceManager (No CVE) Apache Hadoop
Brute force Jenkins Jenkins
Jupyter Notebook Command Execution (No CVE) Jupyter Notebook Server
CVE-2019-7238 Sonatype Nexus Repository Manager
Tomcat Manager Unauth Upload…

Source…