New Cryptomining Malware Turns Windows, Linux Machines Into Bots

A cryptomining botnet discovered a few months ago has been upgraded by its operators and can now spread itself to other devices. It scans for vulnerable Windows and Linux enterprise servers and, once it finds one, infects it with an XMRig Monero miner and drops self-spreading modules.

It was first spotted by Alibaba Cloud (Aliyun) security researchers in February, who dubbed it Sysrv-hello. Researchers at Lacework Labs and Juniper Threat Labs independently reported it in March.

The old version used a multi-component architecture with separate miner and propagator (worm) modules; the upgraded botnet is a single binary that both mines and spreads itself to other hosts, turning them into Monero mining bots.

Sysrv-hello’s operators exploit vulnerabilities that allow them to execute code remotely. They “are targeting cloud workloads through remote code injection/remote code execution vulnerabilities in PHPUnit, Apache Solr, Confluence, Laravel, JBoss, Jira, Sonatype, Oracle WebLogic and Apache Struts to gain initial access,” Lacework said.

After compromising a server, the malware kills competing cryptocurrency miners and then spreads across the network by brute-forcing SSH logins and reusing the keys and host lists it finds on the victim:

“Lateral movement is conducted via SSH keys available on the victim machine and hosts identified from bash history files, ssh config files, and known_hosts files,” Lacework added.
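The lateral-movement step above is worth turning into a defender's check: everything the worm harvests (known_hosts, ssh config, shell history) is readable by the same account, so you can enumerate it yourself to see how far a single compromised login could reach. The script below is an added example, not Sysrv-hello code and not from Lacework or Juniper; the file contents it parses are constructed samples, and the hostnames, users and key paths in them are invented. It parses the same three sources named in the quote and reports the pivot targets they expose, skipping `HashKnownHosts` entries, which a worm cannot read back into hostnames.

```python
"""Audit what an SSH-pivoting worm could harvest from a Linux home directory.

Added example: reproduces the defender's view of the lateral-movement step
(known_hosts, ssh config, bash history) so the blast radius of one compromised
account can be judged. All inputs below are constructed samples.
"""
import re

# --- constructed sample inputs (not real hosts, users or keys) ---
KNOWN_HOSTS = """\
10.0.12.7 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample1
[git.internal.example]:2222,192.168.4.20 ecdsa-sha2-nistp256 AAAAE2VjZHNhExample2
|1|Q9ZxFAKEHASHSALT=|r7FAKEHASHVALUE= ssh-rsa AAAAB3NzaC1yc2EExample3
"""

SSH_CONFIG = """\
Host bastion
    HostName bastion.corp.example
    User deploy
    IdentityFile ~/.ssh/id_ed25519

Host db-*
    HostName %h.internal.example
    User postgres
"""

BASH_HISTORY = """\
ls -la
ssh deploy@10.0.12.7
ssh -i ~/.ssh/deploy_key -p 2222 git@git.internal.example
scp backup.tgz ops@172.16.9.3:/var/backups/
cat /etc/hosts
"""


def hosts_from_known_hosts(text: str) -> set[str]:
    """Plain (unhashed) host entries from known_hosts.

    Lines starting with '|1|' are HashKnownHosts entries: the hostname cannot be
    recovered from them, so a worm gains nothing from those lines.
    """
    hosts = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue
        for entry in line.split()[0].split(","):
            # "[host]:port" form for non-default ports -> keep only the host
            m = re.match(r"^\[(.+)\]:\d+$", entry)
            hosts.add(m.group(1) if m else entry)
    return hosts


def hosts_from_ssh_config(text: str) -> set[str]:
    """Concrete HostName values from ssh_config; wildcard patterns and %h
    templates are skipped because they do not name a resolvable target."""
    hosts = set()
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "hostname":
            value = parts[1].strip()
            if "*" not in value and "%" not in value:
                hosts.add(value)
    return hosts


# ssh/scp options that consume the following token as their argument
_OPTS_WITH_ARG = {"-i", "-p", "-P", "-l", "-o", "-J", "-F", "-L", "-R", "-D"}


def hosts_from_bash_history(text: str) -> set[str]:
    """Targets of ssh/scp commands in shell history ([user@]host, host:path)."""
    hosts = set()
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] not in ("ssh", "scp"):
            continue
        i = 1
        while i < len(toks):
            t = toks[i]
            if t in _OPTS_WITH_ARG:
                i += 2          # skip option and its argument
                continue
            if t.startswith("-"):
                i += 1          # boolean flag such as -v or -4
                continue
            if toks[0] == "scp" and ":" not in t:
                i += 1          # local path operand, not a remote spec
                continue
            host = t.split("@", 1)[-1].split(":", 1)[0]
            if host:
                hosts.add(host)
            break               # first positional argument decides the host
    return hosts


def pivot_surface(known_hosts: str, ssh_config: str, history: str) -> dict:
    """Union of harvestable targets plus the count of hashed known_hosts lines
    (the ones HashKnownHosts kept out of the worm's reach)."""
    hosts = (hosts_from_known_hosts(known_hosts)
             | hosts_from_ssh_config(ssh_config)
             | hosts_from_bash_history(history))
    hashed = sum(1 for l in known_hosts.splitlines() if l.startswith("|1|"))
    return {"hosts": sorted(hosts), "hashed_known_hosts": hashed}


if __name__ == "__main__":
    print(pivot_surface(KNOWN_HOSTS, SSH_CONFIG, BASH_HISTORY))
```

On a real host, point the three functions at `~/.ssh/known_hosts`, `~/.ssh/config` and `~/.bash_history` for each account with an SSH key. The hashed known_hosts line in the sample contributes nothing to the host list, which is the practical argument for `HashKnownHosts yes` and for keeping private keys in an agent rather than unencrypted on disk.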

Juniper researchers identified six vulnerabilities exploited by the malware: 

  • Mongo Express RCE (CVE-2019-10758)
  • XML-RPC (CVE-2017-11610)
  • Saltstack RCE (CVE-2020-16846)
  • Drupal Ajax RCE (CVE-2018-7600)
  • ThinkPHP RCE (no CVE)
  • XXL-JOB Unauth RCE (no CVE)

Other software the botnet targets includes Laravel, Oracle WebLogic, Atlassian Confluence Server, Apache Solr, PHPUnit, and WordPress.

Lacework Labs obtained a Sysrv-hello XMRig mining configuration file, which led them to one of the operators’ Monero wallets. It held just over 12 XMR (about $4,000 at the time); another wallet spotted by Juniper researchers held 8 XMR (roughly $1,700). While these sums may seem small, cryptomining operators often use multiple wallet addresses, and the profits can quickly add up to a small fortune.
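A recovered XMRig configuration is useful beyond wallet-balance lookups: its pool URLs and payout address are the indicators you then hunt for in process command lines, network logs and other hosts. The script below is an added example, not code from Lacework, Juniper or the Sysrv-hello operators. It parses the standard XMRig `config.json` layout (a `pools` array whose entries carry `url` and `user`, where `user` is the wallet, optionally suffixed with a `.worker` name or `+difficulty`) and checks that what it extracts has the shape of a Monero address. The configuration, pool hostnames and wallet placeholder are all constructed; the wallet is not a real address.

```python
"""Pull pool and wallet indicators out of an XMRig config.json.

Added example showing the step described above: given a recovered miner
configuration, extract the pool endpoints and Monero payout address that
become IOCs for further hunting. The config and wallet below are constructed.
"""
import json
import re

# Monero addresses are base58 (alphabet excludes 0, O, I and l). Standard
# addresses are 95 chars starting with '4', subaddresses 95 chars starting
# with '8', integrated addresses 106 chars starting with '4'.
_B58 = r"[1-9A-HJ-NP-Za-km-z]"
MONERO_ADDRESS = re.compile(rf"^(?:4{_B58}{{94}}|8{_B58}{{94}}|4{_B58}{{105}})$")

SAMPLE_WALLET = "4" + "B" * 94   # constructed placeholder with a valid shape

# Constructed XMRig-style config; pool hostnames are invented.
SAMPLE_CONFIG = """{
  "autosave": true,
  "cpu": {"enabled": true, "max-threads-hint": 100},
  "donate-level": 1,
  "pools": [
    {"url": "pool.example.net:4444", "user": "__WALLET__", "pass": "x", "tls": false},
    {"url": "stratum+tcp://backup.pool.example.net:3333", "user": "__WALLET__.rig01", "pass": "x"}
  ]
}""".replace("__WALLET__", SAMPLE_WALLET)


def wallet_from_user(user: str) -> str:
    """Strip the optional '.worker' or '+difficulty' suffix from a pool user."""
    return re.split(r"[.+]", user, maxsplit=1)[0]


def pool_hostport(url: str) -> str:
    """Drop the stratum scheme so the value matches what network logs record."""
    return url.split("://", 1)[-1]


def extract_indicators(config_text: str) -> dict:
    """Return per-pool host:port and wallet, plus the de-duplicated wallet set.

    'valid_monero_address' flags values that do not look like a Monero
    address, which usually means the config is for another coin or is a decoy.
    """
    cfg = json.loads(config_text)
    pools = []
    wallets = set()
    for pool in cfg.get("pools", []):
        wallet = wallet_from_user(pool.get("user", ""))
        pools.append({
            "hostport": pool_hostport(pool.get("url", "")),
            "wallet": wallet,
            "valid_monero_address": bool(MONERO_ADDRESS.match(wallet)),
        })
        wallets.add(wallet)
    return {
        "pools": pools,
        "wallets": sorted(wallets),
        "donate_level": cfg.get("donate-level"),
    }


if __name__ == "__main__":
    for pool in extract_indicators(SAMPLE_CONFIG)["pools"]:
        print(pool)
```

Once the wallet and pool endpoints are known, search other hosts' process lists for them (XMRig also accepts them on the command line as `-u` and `-o`) and check egress logs for the pool host:port pairs; a shared wallet across unrelated hosts is the strongest sign they belong to the same campaign.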

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.