Windows and Linux devices are under attack by a new crypto mining worm | GeekComparison

Windows and Linux devices are under attack by a new crypto mining worm

Getty Images

A newly discovered crypto mining worm is ramping up its targeting of Windows and Linux devices with a range of new exploits and capabilities, a researcher said.

Research firm Juniper began monitoring what it calls the Sysrv botnet in December. One of the botnet’s malware components was a worm that spread from one vulnerable device to another without any user action. It did this by scanning the internet for vulnerable devices and, when found, infecting them using a list of exploits that has grown over time.

The malware also contained a cryptominer that uses infected devices to create Monero’s digital currency. There was a separate binary for each part.

Constantly growing arsenal

By March, Sysrv’s developers had redesigned the malware to combine the worm and miner into one binary file. They also gave the script that loads the malware the ability to add SSH keys, most likely as a way to improve reboot survival and have more advanced capabilities. The worm exploited six vulnerabilities in software and frameworks used in enterprises, including Mongo Express, XXL-Job, XML-RPC, Saltstack, ThinkPHP and Drupal Ajax.

“Based on the binaries we’ve seen and the time we’ve seen them, we found that the threat actor is constantly updating its exploit arsenal,” Juniper researcher Paul Kimayong said in a blog post Thursday.

Research on juniper

Thursday’s post listed more than a dozen exploits being attacked by the malware. They are:

exploit Software
CVE-2021-3129 laravel
CVE-2020-14882 Oracle Weblogic
CVE-2019-3396 Widget Connector Macro in Atlassian Confluence Server
CVE-2019-10758 Mongo Express
CVE-2019-0193 Apache Solr
CVE-2017-9841 PHPUnit
CVE-2017-12149 Jboss Application Server
CVE-2017-11610 Supervisor (XML-RPC)
Apache Hadoop unauthenticated command execution via YARN ResourceManager (no CVE) Apache Hadoop
Brute Force Jenkins Jenkins
Jupyter Notebook Command Execution (No CVE) Jupyter Notebook Server
CVE-2019-7238 Sonatype Nexus Repository Manager
Tomcat Manager Unauth Upload Command Execution (No CVE) Tomcat Manager
WordPress Brute Force WordPress

The exploits that Juniper Research has seen the malware use before are:

  • Mongo Express RCE (CVE-2019-10758)
  • XML RPC (CVE-2017-11610)
  • CVE-2020-16846 (Saltstack RCE)
  • Think PHP RCE
  • CVE-2018-7600 (Drupal Ajax RCE)

Come on in, water is great

The developers have also changed the mining pools that infected devices participate in. The miner is a version of the open source XMRig currently mining for the following mining pools:


A mining pool is a group of cryptocurrency miners that combine their computing resources to reduce the volatility of their returns and increase the chances of finding a block of transactions. According to the profitability comparison site, the pools used by Sysrv are three of the top four Monero mining pools.

“Together, they have nearly 50% of the network hash rate,” Kimayong wrote. “Threat actor criteria appear to be the best mining pools with high reward rates.”

Research on juniper

Mining profits will be deposited to the following wallet address:


Nanopool shows that between March 1 and March 28, the wallet gained 8 XMR, worth about $1,700. About 1 XMR is added every two days.

Research on juniper berries

A threat to both Windows and Linux

The Sysrv binary is a 64-bit Go binary loaded with the open source UPX executable packer. There are versions for both Windows and Linux. According to VirusTotal, two randomly chosen Windows binaries were detected by 33 and 48 of the top 70 malware protection services. Two randomly chosen Linux binaries had six and nine.

The threat of this botnet is not only the load on computing resources and the non-trivial consumption of electricity. Malware that can run a cryptominer can almost certainly also install ransomware and other malicious wares. Thursday’s blog post lists dozens of indicators that administrators can use to see if the devices they manage are infected.

Leave a Comment