Microsoft researchers are monitoring a botnet that weaponizes bugs in WordPress plugins and in the Spring Framework. The botnet deploys cryptomining malware on vulnerable Windows and Linux servers, hijacking systems for the purpose of cryptomining.

Sysrv-K botnet information

Unpatched vulnerabilities in WordPress plugins and in the Spring Framework are under attack by cyber criminals. The attacks target Linux and Windows systems.

Microsoft Security Intelligence researchers dubbed the newly discovered Sysrv botnet variant ‘Sysrv-K’. In order to launch attacks, attackers have programmed a ‘bot army’ to scan for instances of certain flaws in WordPress plugins and in the Spring Cloud Gateway.

Because most cryptomining botnets cannot attack both Linux and Windows, it appears as though attackers put some serious development work into this botnet project. The developers coded Sysrv in Go, a programming language seeing increased adoption among malware producers due to its cross-platform support.

Sysrv-K impact

Sysrv-K can co-opt web servers by scanning the internet for vulnerabilities, after which it will automatically install itself via those vulnerabilities. Potential vulnerabilities used by Sysrv-K range from RCE to arbitrary file download and path traversal to remote file disclosure.

The newest feature of Sysrv-K includes the ability to scan WordPress config files and their backups to steal credentials and gain access to the web server. Sysrv-K operators also recently updated the botnet’s communication capabilities, which now include the ability to use a Telegram bot.

Once a system is infected, Sysrv-K facilitates lateral movement via SSH keys available on the victim machine in order to deploy copies of the malware across other systems. This allows for an increase in the botnet’s size and poses a threat to an entire network. The entire network could potentially become part of the Sysrv-K botnet.

Surge of Sysrv-K activity

The Sysrv botnet family first emerged in December of 2020. Its first notable activities began in March of 2021, prompting cyber security researchers to start analyzing the attacks.

Since Sysrv’s initial launch, the threat actors behind the botnet have made several improvements to it. These include compiling both the worm and Monero miner into a single binary, which affords the operators enhanced control and management, as the binary is constantly updated.

The SSH key usage only appears in the most recent variant. This ‘upgrade’ reflects attempts to gain greater persistence in machines. In turn, this could result in new types of attacks that exceed the sophistication of current cryptomining attacks.

Addressing the vulnerabilities

As noted previously, Sysrv was initially designed to deploy cryptominers on vulnerable servers and it implements wormable capabilities.

Protect your organization from this botnet. If your organization retains public-facing applications, ensure that they are kept up-to-date with the latest security patches. Develop an effective patch management policy and implementation practice. In the absence of patch management, opportunistic adversaries could potentially compromise vulnerable systems.

Further insights

Microsoft advises organizations to secure internet-facing Linux or Windows systems, to apply security updates, and to safeguard cyber credentials. Ensure that two-factor authentication is in place wherever possible.

Powerful endpoint technologies can detect Sysrv-K and older Sysrv variants in addition to Sysrv-related behavior and payloads. Get endpoint upgrade information here.

For more insights into the latest malware threats, see CyberTalk.org’s past coverage. Lastly, to receive more cutting-edge cyber security news, best practices and analyses, please sign up for the CyberTalk.org newsletter.