
Sysrv-K Botnet

Researchers at Microsoft have identified a new variant of the Sysrv botnet, tracked as Sysrv-K, that comes with an expanded set of capabilities. It scans the Internet for Web servers with a range of security flaws and can exploit path traversal, remote file disclosure and arbitrary file download bugs to compromise targeted systems. The operators behind Sysrv-K have also added new vulnerabilities to the botnet's repertoire, including CVE-2022-22947, a remote code execution flaw in Spring Cloud Gateway.

Once it has a foothold, Sysrv-K deploys a Monero crypto-miner payload. Crypto-miners are designed to hijack the hardware resources of the compromised device and spend them mining a specific cryptocurrency for the attacker's benefit. In addition, Sysrv-K can read database credentials out of WordPress configuration files or their backups, and then use those stolen credentials to take control of the Web server. The botnet's communication capabilities have been improved as well: it can now use Telegram as a communication channel.
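The path traversal and file disclosure bugs mentioned above and the harvesting of credentials from WordPress configuration backups leave a recognisable trail in Web server access logs. The following detector is an added example written for this page, not code from Microsoft's report or from the Sysrv-K malware itself. It parses combined-format access-log lines, flags requests that reach for wp-config.php directly, through a leftover backup copy (.bak, .old, ~ and similar) or via a traversal sequence, and records whether the server actually served the file (HTTP 200) rather than merely being probed. The log lines, IP addresses and backup suffix list are constructed for the example; the list of suffixes is a reasonable starting point, not an exhaustive set.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (Apache/nginx "combined" format). They are
# illustrative and do not reproduce real Sysrv-K traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2022:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2022:10:01:05 +0000] "GET /wp-config.php.bak HTTP/1.1" 200 2890 "-" "curl/7.68.0"
203.0.113.7 - - [12/May/2022:10:01:06 +0000] "GET /backup/wp-config.php~ HTTP/1.1" 404 210 "-" "curl/7.68.0"
198.51.100.9 - - [12/May/2022:10:02:00 +0000] "GET /download.php?file=..%2F..%2Fwp-config.php HTTP/1.1" 200 2890 "-" "python-requests/2.27"
198.51.100.9 - - [12/May/2022:10:02:01 +0000] "GET /wp-content/uploads/photo.jpg HTTP/1.1" 200 44120 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, method,
# request target and status code are all we need here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Suffixes that editors, admins and deploy scripts commonly leave behind next
# to wp-config.php. These copies are served as plain text instead of being
# executed by PHP, which is exactly why they leak database credentials.
BACKUP_SUFFIXES = ('.bak', '.old', '.orig', '.save', '.swp', '.txt', '~', '.1')


def classify_request(path):
    """Return the reasons a request target looks like a wp-config credential grab."""
    # Decode twice so double-encoded traversal such as ..%252F is not missed.
    decoded = unquote(unquote(path)).lower()
    reasons = []
    if re.search(r'\.\.[\\/]', decoded):
        reasons.append('path_traversal')
    idx = decoded.find('wp-config.php')
    if idx != -1:
        # Whatever follows the file name decides between the live file and a
        # backup copy; cut at '&' so a later query parameter is not mistaken
        # for a suffix.
        tail = decoded[idx + len('wp-config.php'):].split('&', 1)[0]
        if tail == '':
            reasons.append('wp_config')
        elif tail.startswith(BACKUP_SUFFIXES):
            reasons.append('wp_config_backup')
    return reasons


def scan_log(text):
    """Return one record per suspicious request, in log order."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        reasons = classify_request(m.group('path'))
        if reasons:
            status = int(m.group('status'))
            hits.append({
                'ip': m.group('ip'),
                'path': m.group('path'),
                'status': status,
                'reasons': reasons,
                # A 200 means the server handed the file over; anything else is
                # a probe that failed and is lower priority for response.
                'served': status == 200,
            })
    return hits


def offenders(hits):
    """Count suspicious requests per source IP, to drive blocking or triage."""
    counts = {}
    for h in hits:
        counts[h['ip']] = counts.get(h['ip'], 0) + 1
    return counts


if __name__ == '__main__':
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h['ip'], h['status'], ','.join(h['reasons']), h['path'])
    print(offenders(found))
```

Any hit with served=True deserves the same response as a confirmed credential leak: rotate the database password in wp-config.php, check the database user for unexpected privileges, and look for the follow-on activity described above (new admin users, modified plugins, or a miner process). Deleting stray backup copies of wp-config.php, or denying them in the Web server configuration, removes the easiest of these disclosure paths.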

At the same time, Sysrv-K retains the ability to scan compromised machines for SSH keys, IP addresses and host names. It uses this information to attempt to spread further over SSH connections to the hosts it discovers.
