A New Cryptomining Malware Is Building an Army of Bots
The Botnet Is Actively Scanning for Vulnerable Windows and Linux Enterprise Servers in Order to Infect Them with the Monero Miner.
The botnet was initially spotted by security researchers at Alibaba and named Sysrv-hello. At first, the researchers observed a multi-component architecture with worm (propagator) modules; the botnet has since been upgraded to use a single binary capable of mining and auto-spreading the malware to other devices.
Sysrv-hello's propagator component aggressively scans the Internet for vulnerable systems and adds them to its army of Monero mining bots, using exploits that target vulnerabilities allowing remote code execution.
The attackers “are targeting cloud workloads through remote code injection/remote code execution vulnerabilities in PHPUnit, Apache Solr, Confluence, Laravel, JBoss, Jira, Sonatype, Oracle WebLogic, and Apache Struts to gain initial access.
Lateral movement is conducted via SSH keys available on the victim machine and hosts identified from bash history files, ssh config files, and known_hosts files.”
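The lateral-movement description above suggests a host-side audit: which known_hosts entries reveal host names in clear text, and which private keys are usable without a passphrase. The Python code below is an added example, not from the article or the quoted researchers; the function names and sample data are constructed for illustration.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\0"  # header of the current OpenSSH private key format

def unhashed_known_hosts(text):
    """Return host names/addresses readable in clear text from known_hosts content."""
    exposed = []
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("@"):   # @cert-authority / @revoked marker
            fields = fields[1:]
        if not fields or fields[0].startswith("#"):
            continue
        # Entries written with HashKnownHosts look like |1|salt|hash and leak no name.
        exposed += [h for h in fields[0].split(",") if not h.startswith("|1|")]
    return exposed

def key_is_passphrase_protected(pem):
    """True if the private key file content is encrypted at rest."""
    if "BEGIN OPENSSH PRIVATE KEY" in pem:
        body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        start = len(MAGIC)
        (n,) = struct.unpack(">I", blob[start:start + 4])
        return blob[start + 4:start + 4 + n] != b"none"   # cipher name field
    # Legacy PEM and PKCS#8 keys mark encryption in their header lines.
    return "Proc-Type: 4,ENCRYPTED" in pem or "BEGIN ENCRYPTED PRIVATE KEY" in pem

def sample_key(cipher):
    # Constructed sample: header fields only (magic + cipher name), not a usable key.
    blob = MAGIC + struct.pack(">I", len(cipher)) + cipher
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed sample known_hosts content (key material replaced by a placeholder).
SAMPLE_KNOWN_HOSTS = """\
# constructed sample
db01.example.internal,10.0.0.5 ssh-ed25519 AAAAconstructed
|1|c2FsdA==|aGFzaA== ssh-ed25519 AAAAconstructed
[build.example.internal]:2222 ssh-rsa AAAAconstructed
"""

if __name__ == "__main__":
    print("clear-text hosts:", unhashed_known_hosts(SAMPLE_KNOWN_HOSTS))
    print("key protected:", key_is_passphrase_protected(sample_key(b"none")))
```

Existing known_hosts files can be hashed with `ssh-keygen -H`; hashing does not cover host names left in shell history or ssh config files.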
After the botnet’s activity started surging in March, another research company, Juniper, identified a few main vulnerabilities that were exploited by malware samples collected in active attacks:
- Mongo Express RCE (CVE-2019-10758)
- XML-RPC (CVE-2017-11610)
- Saltstack RCE (CVE-2020-16846)
- Drupal Ajax RCE (CVE-2018-7600)
- ThinkPHP RCE (no CVE)
- XXL-JOB Unauth RCE (no CVE)
Researchers at Lacework recovered a Sysrv-hello XMRig mining configuration file, which helped them find one of the Monero wallets the botnet uses to collect Monero mined on the F2Pool mining pool.
A sample wallet containing just over 12 XMR (roughly $4,000) was discovered in the wild. However, cryptomining botnets regularly use more than one wallet linked to multiple mining pools to collect illegally earned cryptocurrency, so the total can add up to larger amounts of money.
Sysrv-hello is not the only botnet on the Internet looking for free computing power; other botnets are also actively trying to cash in by exploiting vulnerable servers to mine Monero cryptocurrency.