First identified in 2020, the Sysrv botnet leverages a Golang worm to infect devices, deploying cryptominers through network vulnerability exploits.
New Sysrv Botnet Abuses Google Subdomain
Continuously updated by its operators, researchers have documented its evolution, exploring the latest variant’s infection chain, new methods, and Indicators of Compromise (IoCs).
In early March, Imperva Threat Research identified a botnet based on blocked HTTP requests hitting their proxies, displaying bot traffic characteristics. This botnet targeted a significant number of websites across multiple countries.
The requests exhibited common identifiers and targeted vulnerabilities in Apache Struts (CVE-2017-9805) and Atlassian Confluence (CVE-2023-22527 and CVE-2021-26084).
The analyzed dropper script, “ldr.sh,” resembles past Sysrv botnet iterations. It defines variables for the compromised site URL (“cc”) and a random string (“sys”) based on the MD5 hash of the date. Additionally, it includes a “get” function responsible for downloading files from provided URLs. This function is later utilized to download and execute the second-stage malware from the compromised site.
Before downloading, the script aggressively disrupts endpoint security by terminating processes and uninstalling programs associated with past cryptominer infections and existing anti-malware solutions. It then searches for SSH hosts and keys, attempting to spread the script laterally via SSH.
The latest Sysrv botnet variant includes additional functions to prepare various CPU architectures for upcoming cryptomining, showing significant improvements over previous versions. It remains a statically linked Golang binary packed with UPX, dropping multiple ELF files throughout the system and starting a listener for persistence, indicating enhancements in persistence mechanisms compared to earlier campaigns.
Imperva malware researchers observed obfuscation in a Golang binary, which prevented the use of GoReSym or Redress for analysis. Dynamic analysis revealed that the malware downloaded a second-stage binary from a Google subdomain (sites.google.com) disguised as a legitimate error page.
The decoded and unpacked binary is an XMRig miner connecting to the MoneroOcean mining pool (gulf.moneroocean.stream:10128, 109.123.233.251:443) for the wallet 483F2xjkCUegxPM7wAexam1Be67EqDRZpS7azk8hcGETSustmuxd1Agffa3XSHFyzeFprLyHKm37bTPShFUTKgctMSBVuuKThe wallet has 6 workers and generates around 57 XMR (roughly 6800 USD) per year.
Sysrv botnet actors are utilizing compromised legitimate domains to host malicious scripts (ldr.sh, cron) that download and execute XMRig cryptominer on infected devices.
These scripts connect to mining pools (gulf.moneroocean.stream, 109.123.233.251) to mine XMR cryptocurrency for the attackers.
Several indicators of compromise (IOCs) were identified, including URLs, file hashes (e.g., ldr.sh: 6fb9b4dced1cf53a), and a wallet address (483F2xjkCUegxPM7wAexam1Be67EqDRZpS7azk8hcGETSustmuxd1Agffa3XSHFyzeFprL yHKm37bTPShFUTKgctMSBVuuK), which can aid defenders in detecting and mitigating this malicious campaign.
Leave A Comment