The Sysrv botnet has been observed exploiting vulnerabilities in WordPress and the Spring Framework to infect targets, deploying the XMRig cryptomining tool on exposed Windows and Linux servers.
Sysrv botnet
Microsoft has spotted a new variant of the Sysrv botnet, dubbed Sysrv-K, that has been upgraded with additional exploits and the ability to take control of web servers.
All of the vulnerabilities this malware targets already have security updates available. They include older flaws in WordPress plugins as well as newer ones such as CVE-2022-22947 in the Spring Cloud Gateway library.
Among its new capabilities, Sysrv-K scans for WordPress configuration files and their backup copies, steals the database credentials they contain, and uses them to take over the web server. Backup copies of wp-config.php that are left in the web root under a non-PHP extension are served as plain text, which is what makes them worth scanning for.
The botnet also abuses flaws in web applications and databases to infect web servers, including Apache Solr, PHPUnit, Confluence, Laravel, JBoss, Jira, Oracle WebLogic, Apache Struts, and Sonatype.
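The following is an added example, not code from Microsoft or from the Sysrv-K malware, that runs the defender's side of the credential-harvesting step described above: it walks a web root, finds wp-config.php and the backup variants an attacker would look for, pulls the DB_* defines out of each, and reports the copies that leak a database password either because they are a backup (likely served as plain text) or because they are world-readable. The backup file-name list is an assumption based on common editor and admin habits; the web root it scans is constructed inside the script so it runs offline.

```python
"""Find WordPress config files and backup copies whose database credentials an
attacker could harvest. Added example; file-name patterns are assumptions."""
import os
import re
import shutil
import stat
import tempfile

# Assumed backup/leftover variants of wp-config.php (extend for your environment).
CONFIG_NAMES = re.compile(
    r"^wp-config\.php(\.bak|\.old|\.orig|\.save|\.swp|~|\.txt|\.\d+)?$"
    r"|^\.wp-config\.php\.swp$"
)
# Matches define( 'DB_NAME', 'wp' ); and friends, the values Sysrv-K is after.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)


def find_wp_configs(webroot):
    """Walk webroot; return one dict per config-like file with its mode and creds."""
    hits = []
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if not CONFIG_NAMES.match(name):
                continue
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            with open(path, errors="replace") as f:
                creds = dict(DEFINE_RE.findall(f.read()))
            hits.append({
                "path": path,
                "backup": name != "wp-config.php",
                "world_readable": bool(mode & stat.S_IROTH),
                "creds": creds,
            })
    return hits


def risky_files(hits):
    """Copies that hold a DB password and are either a backup or readable by everyone."""
    return [h for h in hits
            if "DB_PASSWORD" in h["creds"] and (h["backup"] or h["world_readable"])]


def demo():
    """Build a constructed web root, scan it, return [(basename, creds)] of risky files."""
    root = tempfile.mkdtemp()
    try:
        site = os.path.join(root, "site")
        os.makedirs(site)
        body = ("<?php\n"
                "define( 'DB_NAME', 'wp' );\n"
                "define( 'DB_USER', 'wpuser' );\n"
                "define( 'DB_PASSWORD', 's3cret' );\n"
                "define( 'DB_HOST', 'localhost' );\n")
        live = os.path.join(site, "wp-config.php")
        bak = os.path.join(site, "wp-config.php.bak")   # editor/admin leftover
        for p in (live, bak):
            with open(p, "w") as f:
                f.write(body)
        with open(os.path.join(site, "index.php"), "w") as f:
            f.write("<?php echo 1;")
        os.chmod(live, 0o640)   # live config locked down to owner/group
        os.chmod(bak, 0o644)    # backup left world-readable and served as text
        risky = risky_files(find_wp_configs(root))
        return sorted((os.path.basename(h["path"]), h["creds"]) for h in risky)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, creds in demo():
        print(f"{name}: DB_USER={creds.get('DB_USER')} DB_HOST={creds.get('DB_HOST')}")
```

Run it against a real document root (replace the constructed one in demo with the path under your web server) and treat every reported backup as a credential leak: delete it, rotate the database password, and confirm the web server's configuration does not serve files matching these names.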
Propagation methods
The Sysrv botnet scans the internet for exposed Linux and Windows enterprise servers and attempts to infect them with a Monero miner (XMRig) together with a self-spreading payload.
Once the miner and spreader payloads are deployed, Sysrv moves laterally across the network over SSH, using private keys collected from various locations on the compromised host as well as brute-force attacks against other hosts.
The propagator component also aggressively scans the internet for further exposed systems and adds them to the Monero mining botnet by exploiting remote code injection or execution vulnerabilities.
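Both SSH propagation patterns above leave a footprint in sshd logs: a key login from one application server to another (reuse of a harvested private key) and a run of failed password attempts from one source followed by a success. The script below is an added example, not Microsoft's or any vendor's detection logic; it assumes a network layout in which interactive admins arrive from a bastion subnet and application servers never SSH into each other, and it runs over constructed log lines so it works offline. The subnets and the brute-force threshold are assumptions to tune for your environment.

```python
"""Flag server-to-server SSH logins and password brute force in sshd log lines.
Added example; subnets, threshold and sample log lines are constructed."""
import ipaddress
import re
from collections import Counter

# Assumed layout: admins come from the bastion subnet, app servers live in 10.20/16.
ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]
SERVER_NETS = [ipaddress.ip_network("10.20.0.0/16")]
BRUTE_FORCE_THRESHOLD = 5   # failed passwords from one source before we flag it

ACCEPTED = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>[\d.]+)")
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")


def in_any(ip, nets):
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def analyze(lines):
    """Return successful logins originating from server subnets ('lateral') and
    sources whose failed-password count reaches the threshold ('brute_force')."""
    lateral = []
    failures = Counter()
    for line in lines:
        m = ACCEPTED.search(line)
        if m:
            # A login from another app server is lateral movement regardless of
            # method: key reuse shows up as publickey, brute force as password.
            if in_any(m["src"], SERVER_NETS) and not in_any(m["src"], ADMIN_NETS):
                lateral.append((m["user"], m["src"], m["method"]))
            continue
        m = FAILED.search(line)
        if m:
            failures[m["src"]] += 1
    brute = sorted(src for src, n in failures.items() if n >= BRUTE_FORCE_THRESHOLD)
    return {"lateral": lateral, "brute_force": brute}


# Constructed sample: one admin key login, one server-to-server key login,
# then a password brute force from a server that eventually succeeds.
SAMPLE_LOG = [
    "May 13 10:01:02 web01 sshd[1201]: Accepted publickey for deploy from 10.10.0.5 port 50122 ssh2: ED25519 SHA256:aaaa",
    "May 13 10:04:17 web01 sshd[1233]: Accepted publickey for root from 10.20.3.7 port 41832 ssh2: RSA SHA256:bbbb",
] + [
    f"May 13 10:09:{i:02d} web01 sshd[13{i:02d}]: Failed password for root from 10.20.9.44 port {40000 + i} ssh2"
    for i in range(6)
] + [
    "May 13 10:09:07 web01 sshd[1307]: Failed password for invalid user admin from 10.20.9.44 port 40010 ssh2",
    "May 13 10:09:09 web01 sshd[1309]: Accepted password for root from 10.20.9.44 port 40011 ssh2",
]


def run_sample():
    """Analyze the constructed sample log."""
    return analyze(SAMPLE_LOG)


if __name__ == "__main__":
    report = run_sample()
    for user, src, method in report["lateral"]:
        print(f"lateral SSH login: {user}@{src} via {method}")
    for src in report["brute_force"]:
        print(f"password brute force from {src}")
```

Feed it `journalctl -u ssh` or /var/log/auth.log output line by line; the two lists it returns are the events worth correlating with new XMRig processes or outbound connections to mining pools on the same hosts.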
What to do?
Microsoft advises all organizations to secure internet-facing systems by applying security updates promptly and enforcing sound credential policies; given how Sysrv spreads, that includes not sharing SSH private keys or database passwords across servers. Organizations should also deploy endpoint security that can detect Sysrv-K and its variants, along with their related behaviour and payloads.