A newly discovered cryptomining worm is stepping up its targeting of Windows and Linux devices with a batch of new exploits and capabilities, a researcher said.
Research company Juniper started monitoring what it’s calling the Sysrv botnet in December. One of the botnet’s malware components was a worm that spread from one vulnerable device to another without requiring any user action. It did this by scanning the Internet for vulnerable devices and, when found, infecting them using a list of exploits that has increased over time.
The malware also included a cryptominer that uses infected devices to create the Monero digital currency. There was a separate binary file for each component.
Constantly growing arsenal
By March, Sysrv developers had redesigned the malware to combine the worm and miner into a single binary. They also gave the script that loads the malware the ability to add SSH keys, most likely as a way to make it better able to survive reboots and to have more sophisticated capabilities. The worm was exploiting six vulnerabilities in software and frameworks used in enterprises, including Mongo Express, XXL-Job, XML-RPC, Saltstack, ThinkPHP, and Drupal Ajax.
“Based on the binaries we have seen and the time when we have seen them, we found that the threat actor is constantly updating its exploit arsenal,” Juniper researcher Paul Kimayong said in a Thursday blog post.
Thursday’s post listed more than a dozen vulnerabilities that the malware exploits. They are:
According to PoolWatch.io, the pools used by Sysrv are three of the four top Monero mining pools.
“Combined together, they almost have 50% of the network hash rate,” Kimayong wrote. “The threat actor’s criteria appears to be top mining pools with high reward rates.”
The profit from mining is deposited into the following wallet address:
49dnvYkWkZNPrDj3KF8fR1BHLBfiVArU6Hu61N9gtrZWgbRptntwht5JUrXX1ZeofwPwC6fXNxPZfGjNEChXttwWE3WGURa
Nanopool shows that the wallet gained 8 XMR, worth roughly $1,700, from March 1 to March 28. It’s adding about 1 XMR every two days.
A threat to Windows and Linux alike
The Sysrv binary is a 64-bit Go binary that’s packed with the open source UPX executable packer. There are versions for both Windows and Linux. Two Windows binaries chosen at random were detected by 33 and 48 of the top 70 malware protection services, according to VirusTotal. Two randomly picked Linux binaries were detected by only six and nine, respectively.
The threat from this botnet isn’t just the strain on computing resources and the non-trivial drain of electricity. Malware that has the ability to run a cryptominer can almost certainly also install ransomware and other malicious wares. Thursday’s blog post has dozens of indicators that administrators can use to see if the devices they manage are infected.
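Two host-level triage checks that follow from the details above (the loader adding SSH keys, and UPX-packed executables), written here as an added example; this is not code from Juniper's post or the article. It assumes an administrator maintains a baseline set of approved key blobs, and the key file and binary bytes below are constructed samples.

```python
import re
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
PE_MAGIC = b"MZ"
UPX_MAGIC = b"UPX!"   # marker UPX writes into the packed image's header

# Constructed sample authorized_keys content (not real keys).
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample, not a real key file
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownAdminKey0000000000000000000000000 admin@bastion
command="/bin/true" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDUnknownKeyInjected== root@unknown
"""
# Assumed baseline: blobs the administrator has approved for this host.
BASELINE = {"AAAAC3NzaC1lZDI1NTE5AAAAIKnownAdminKey0000000000000000000000000"}

KEY_RE = re.compile(
    r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)

def parse_authorized_keys(text):
    """Return (keytype, blob, comment) for each key line; tolerates a leading
    options string (e.g. command="...") and skips blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3) or ""))
    return entries

def unexpected_keys(text, baseline_blobs):
    """Keys present in the file whose blob is not in the approved baseline."""
    return [e for e in parse_authorized_keys(text) if e[1] not in baseline_blobs]

def looks_upx_packed(head):
    """Heuristic: an ELF or PE image whose first 4 KiB carry the UPX marker.
    UPX is used by legitimate software too, so a hit is a lead, not a verdict."""
    is_exe = head[:4] == ELF_MAGIC or head[:2] == PE_MAGIC
    return is_exe and UPX_MAGIC in head[:4096]

def scan_dir_for_upx(root):
    """Paths under root whose leading bytes look UPX-packed (unreadable files skipped)."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            try:
                head = p.open("rb").read(4096)
            except OSError:
                continue
            if looks_upx_packed(head):
                hits.append(str(p))
    return hits
```

Compare the key audit against a known-good copy taken before the incident window, since a key added by a loader script will otherwise blend in with legitimate entries.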