Sysrv Botnet Variant Targets Windows, Linux, Infects Crypto Miners, says Microsoft

May 23, 2022 | Brooke Crothers

A new Sysrv variant, dubbed Sysrv-K, scans for vulnerabilities ranging from path traversal and remote file disclosure to arbitrary file download and remote code execution vulnerabilities, says Microsoft. Like prior variants, Sysrv-K scans for SSH keys, IP addresses, and host names.

The gamut of vulnerabilities includes old vulnerabilities in WordPress plugins – addressed in security updates – as well as newer vulnerabilities including CVE-2022-22947 (National Vulnerability Database).

Once running on a device, Sysrv-K deploys a cryptocurrency miner, Microsoft said in a series of tweets.

Sysrv was first discovered in December 2020. In April of 2021, Juniper Networks cited Sysrv for exploiting vulnerabilities in web apps and databases to install coin miners on both Windows and Linux systems.

"The...objective is to install a Monero cryptominer," Juniper Networks said.

One of the new behaviors observed in the Sysrv-K variant is the ability to scan for WordPress configuration files and backups to retrieve database credentials, which it then uses to gain control of the web server, Microsoft said.

Sysrv-K also has updated communication capabilities, including using a Telegram bot, Microsoft said.

Scans for SSH Keys

“Like older variants, Sysrv-K scans for SSH keys, IP addresses, and host names, and then attempts to connect to other systems in the network via SSH to deploy copies of itself. This could put the rest of the network at risk of becoming part of the Sysrv-K botnet,” according to Microsoft.

“We highly recommend organizations to secure internet-facing systems, including timely application of security updates and building credential hygiene,” Microsoft added.
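The two behaviors above, harvesting WordPress configuration backups for database credentials and collecting SSH keys to hop to other hosts, both depend on secrets lying around in readable locations. The following added example (not code from Microsoft, Venafi, or the Sysrv authors) is a small defender-side audit script: it walks a web root, flags stray copies of wp-config.php that a web server would happily serve as plain text, flags any file that begins with a PEM private-key header, and reports whether each is readable by users other than the owner. The backup filename patterns, the `run_demo` helper and the sample directory it builds are constructed for illustration, not taken from the article.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Filenames commonly left behind when wp-config.php is edited or backed up in
# place. Editors and shells produce these suffixes; web servers usually serve
# them as text instead of executing them, which exposes DB_PASSWORD.
# (Pattern list is an assumption for this example, not from the article.)
WP_BACKUP_RE = re.compile(
    r"^wp-config\.php(\.(bak|old|orig|save|swp|txt|\d+)|~)$", re.IGNORECASE
)
# PEM header shared by RSA, EC, OPENSSH and unqualified PRIVATE KEY blocks.
PRIVATE_KEY_HEADER = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def classify(path: Path):
    """Return a finding kind for the file, or None if it is not of interest."""
    if WP_BACKUP_RE.match(path.name):
        return "wp-config-backup"
    try:
        with path.open("rb") as fh:
            head = fh.read(64)  # header is within the first line
    except OSError:
        return None
    if PRIVATE_KEY_HEADER.search(head):
        return "private-key"
    return None


def audit_tree(root):
    """Walk `root` and list secret-bearing files with their exposure."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        kind = classify(path)
        if kind is None:
            continue
        mode = path.stat().st_mode
        # Group or world read bit set: any local account (or a web server
        # process running as a different user) can read the secret.
        readable_by_others = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
        findings.append({
            "path": str(path.relative_to(root)),
            "kind": kind,
            "readable_by_others": readable_by_others,
        })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(root):
    """Constructed sample web root: one live config, one stray backup,
    and a private key dropped into an uploads directory."""
    root = Path(root)
    (root / "wp-config.php").write_text("<?php define('DB_PASSWORD', 'constructed');")
    (root / "wp-config.php.bak").write_text("<?php define('DB_PASSWORD', 'constructed');")
    (root / "index.php").write_text("<?php echo 'hello';")
    uploads = root / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    key = uploads / "deploy_key"
    key.write_bytes(
        b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n"
        b"-----END OPENSSH PRIVATE KEY-----\n"
    )
    os.chmod(root / "wp-config.php.bak", 0o644)  # readable by everyone
    os.chmod(key, 0o600)                         # owner only
    return root


def run_demo():
    """Build the sample tree in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_tree(tmp)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Run against a real document root with `audit_tree("/var/www/html")` (path is an example). The live wp-config.php is deliberately not reported: it must exist, so the actionable items are the copies that should not, plus any key material that has no business under a web root.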

At its core, a cryptocurrency miner

At its core, Sysrv is a worm and a cryptocurrency miner, CUJO AI, a cybersecurity company, said in a September 2021 blog.

“The main goal of the Sysrv botnet is to mine the Monero cryptocurrency,” CUJO AI said, reinforcing Juniper Networks’ description of the botnet.

“The worm module simply initiates port scans against random IPs to find vulnerable Tomcat, WebLogic, and MySQL services and tries to infiltrate the servers with a hardcoded password dictionary attack,” CUJO AI's Dorka Palotay said in the blog.

As Sysrv evolved, it introduced more exploits to enhance its worm capabilities.

“The malware propagation starts with a simple loader script file, which pulls down those modules upon successful execution.”

Palotay says that the Sysrv botnet has stood out due to its use of Golang (Go) – “a relatively new programming language that a growing number of malware developers have picked up since early 2020.”
