
Sysrv-hello Botnet

The Sysrv-hello Botnet is a recently discovered botnet that scans for vulnerable Linux and Windows enterprise servers and adds them to its pool of crypto-mining slave machines. Among the software targeted by the threat are Jira, Oracle WebLogic, PHPUnit, Apache Solr, Confluence, JBoss, Laravel, Sonatype and Apache Struts. Like most crypto-mining botnets, Sysrv-hello deploys a version of the XMRig miner that hijacks the hardware resources of the infected system to generate Monero coins. 

Despite being a relatively new threat, the Sysrv-hello botnet has already seen several significant updates and modifications. Initially, the threat had a modular design with separate mining and propagation (worm) components. The latest samples, however, consist of a single binary that performs both functions. 

Initial Compromise Vectors

The vulnerabilities that Sysrv-hello exploits to spread itself have also been upgraded. The newest variants of the threat rely on six particular vulnerabilities to gain initial access to the targeted systems:

  • Mongo Express RCE (CVE-2019-10758)
  • XML-RPC (CVE-2017-11610)
  • Saltstack RCE (CVE-2020-16846)
  • Drupal Ajax RCE (CVE-2018-7600)
  • ThinkPHP RCE (no CVE)
  • XXL-JOB Unauth RCE (no CVE)

After gaining a foothold on the server, Sysrv-hello kills any competing crypto-miners if any are present, starts its own miner, and proceeds to spread across the compromised network. To move laterally, the botnet collects private SSH keys from the infected servers and uses them to launch brute-force login attempts against other hosts. 
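One defensive check for the lateral-movement behaviour described above, as an added example that is not part of this entry: a small Python script that scans sshd log lines for a single source address attempting key-based logins against several distinct accounts within a short window, which is the footprint that spraying stolen SSH keys leaves in the authentication log. The sample log lines, the hostnames, the 5-minute window and the 3-account threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the publickey auth lines sshd writes (syslog-style prefix assumed).
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) publickey for (?P<user>\S+) from (?P<src>[\d.]+)"
)

def parse_line(line, year=2021):
    """Return (timestamp, result, user, source_ip) or None for non-matching lines."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]

def find_key_spraying(lines, min_users=3, window=timedelta(minutes=5)):
    """Return {source_ip: sorted(users)} for sources that tried publickey auth
    against at least `min_users` distinct accounts inside one `window`."""
    attempts = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, _, user, src = parsed
            attempts[src].append((ts, user))
    flagged = {}
    for src, events in attempts.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - t0 <= window}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged

# Constructed sample: one host probing several accounts with harvested keys,
# plus a legitimate admin login from another host that must not be flagged.
SAMPLE_LOG = """\
Apr 12 09:00:01 web1 sshd[4101]: Failed publickey for root from 10.0.0.7 port 51022 ssh2: RSA SHA256:abc
Apr 12 09:00:03 web1 sshd[4102]: Failed publickey for deploy from 10.0.0.7 port 51024 ssh2: RSA SHA256:abc
Apr 12 09:00:06 web1 sshd[4103]: Accepted publickey for jenkins from 10.0.0.7 port 51026 ssh2: RSA SHA256:abc
Apr 12 09:00:09 web1 sshd[4104]: Failed publickey for postgres from 10.0.0.7 port 51028 ssh2: RSA SHA256:abc
Apr 12 09:30:00 web1 sshd[4200]: Accepted publickey for admin from 10.0.0.50 port 40001 ssh2: ED25519 SHA256:def
""".splitlines()

if __name__ == "__main__":
    for src, users in find_key_spraying(SAMPLE_LOG).items():
        print(f"possible SSH key spraying from {src}: {', '.join(users)}")
```

Both accepted and failed attempts count, because a stolen key that works on one account still shows up as the same source trying many accounts.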

Infosec researchers managed to identify one of the crypto-wallets used to hold the Monero coins generated by the Sysrv-hello botnet. Although the sum stored there is not that impressive (a little over 12 XMR, or around $4000), it should be noted that crypto-mining botnets usually employ multiple such wallets, so the total gains of the hackers could be significantly higher.
