Getty Images
A newly discovered crypto mining worm is ramping up its targeting of Windows and Linux devices with a range of new exploits and capabilities, a researcher said.
Research firm Juniper began monitoring what it calls the Sysrv botnet in December. One of the botnet’s malware components was a worm that spread from one vulnerable device to another without any user action. It did this by scanning the internet for vulnerable devices and, when found, infecting them using a list of exploits that has grown over time.
The malware also contained a cryptominer that uses infected devices to create Monero’s digital currency. There was a separate binary for each part.
Constantly growing arsenal
By March, Sysrv’s developers had redesigned the malware to combine the worm and miner into one binary file. They also gave the script that loads the malware the ability to add SSH keys, most likely as a way to improve reboot survival and have more advanced capabilities. The worm exploited six vulnerabilities in software and frameworks used in enterprises, including Mongo Express, XXL-Job, XML-RPC, Saltstack, ThinkPHP and Drupal Ajax.
“Based on the binaries we’ve seen and the time we’ve seen them, we found that the threat actor is constantly updating its exploit arsenal,” Juniper researcher Paul Kimayong said in a blog post Thursday.
Research on juniper
Thursday’s post listed more than a dozen exploits being attacked by the malware. They are:
| exploit | Software |
| CVE-2021-3129 | laravel |
| CVE-2020-14882 | Oracle Weblogic |
| CVE-2019-3396 | Widget Connector Macro in Atlassian Confluence Server |
| CVE-2019-10758 | Mongo Express |
| CVE-2019-0193 | Apache Solr |
| CVE-2017-9841 | PHPUnit |
| CVE-2017-12149 | Jboss Application Server |
| CVE-2017-11610 | Supervisor (XML-RPC) |
| Apache Hadoop unauthenticated command execution via YARN ResourceManager (no CVE) | Apache Hadoop |
| Brute Force Jenkins | Jenkins |
| Jupyter Notebook Command Execution (No CVE) | Jupyter Notebook Server |
| CVE-2019-7238 | Sonatype Nexus Repository Manager |
| Tomcat Manager Unauth Upload Command Execution (No CVE) | Tomcat Manager |
| WordPress Brute Force | WordPress |
The exploits that Juniper Research has seen the malware use before are:
- Mongo Express RCE (CVE-2019-10758)
- XXL VACANCY Unauth RCE
- XML RPC (CVE-2017-11610)
- CVE-2020-16846 (Saltstack RCE)
- Think PHP RCE
- CVE-2018-7600 (Drupal Ajax RCE)
Come on in, water is great
The developers have also changed the mining pools that infected devices participate in. The miner is a version of the open source XMRig currently mining for the following mining pools:
- Xmr-eu1.nanopool.org:14444
- f2pool.com:13531
- myexmr.com:5555
A mining pool is a group of cryptocurrency miners that combine their computing resources to reduce the volatility of their returns and increase the chances of finding a block of transactions. According to the profitability comparison site PoolWatch.io, the pools used by Sysrv are three of the top four Monero mining pools.
“Together, they have nearly 50% of the network hash rate,” Kimayong wrote. “Threat actor criteria appear to be the best mining pools with high reward rates.”
Research on juniper
Mining profits will be deposited to the following wallet address:
49dnvYkWkZNPrDj3KF8fR1BHLBfiVArU6Hu61N9gtrZWgbRptntwht5JUrXX1ZeofwPwC6fXNxPZfGjNEChXttwWE3WGURa
Nanopool shows that between March 1 and March 28, the wallet gained 8 XMR, worth about $1,700. About 1 XMR is added every two days.
Research on juniper berries
A threat to both Windows and Linux
The Sysrv binary is a 64-bit Go binary loaded with the open source UPX executable packer. There are versions for both Windows and Linux. According to VirusTotal, two randomly chosen Windows binaries were detected by 33 and 48 of the top 70 malware protection services. Two randomly chosen Linux binaries had six and nine.
The threat of this botnet is not only the load on computing resources and the non-trivial consumption of electricity. Malware that can run a cryptominer can almost certainly also install ransomware and other malicious wares. Thursday’s blog post lists dozens of indicators that administrators can use to see if the devices they manage are infected.