Sysrv Botnet Abuses Google Subdomain To Spread XMRig Miner

First identified in 2020, Sysrv is a botnet that uses a Golang worm to infect devices and deploy cryptominers, propagates by exploiting network vulnerabilities, and has been continuously updated with new techniques by its operators. 

Researchers have documented these advancements and explored the latest variant, including its infection chain, new methods, and Indicators of Compromise (IoCs).

Imperva Threat Research identified a botnet in early March based on blocked HTTP requests hitting their proxies, which exhibited characteristics of bot traffic, targeting a large number of websites across multiple countries. 

The requests shared similar identifiers and aimed to leverage known security vulnerabilities in Apache Struts (CVE-2017-9805) and Atlassian Confluence (CVE-2023-22527 and CVE-2021-26084).

The analyzed dropper script, “ldr.sh,”  resembles past Sysrv botnet iterations by defining variables for the compromised site URL (“cc”) and a random string (“sys”) based on the date’s MD5 hash.

A “get” function downloads files from provided URLs and is later used to download and run the second-stage malware from the compromised site.

Before downloading, the script aggressively disrupts endpoint security by terminating processes and uninstalling programs linked to both past cryptominer infections and existing anti-malware solutions, then hunts for SSH hosts and keys, attempting to spread the script laterally via SSH.

A key distinction from previous versions is the presence of additional functions specifically designed to prepare various CPU architectures for the upcoming cryptomining activity. 

The latest variant of the Sysrv botnet dropper binary shows significant improvements and remains a statically linked, stripped Golang binary packed with UPX, similar to previous versions. 

The new binary, however, drops multiple copies of an ELF file throughout the system and starts a listener on the infected host, likely for persistence, and their behaviors suggest improvements in the botnet’s persistence mechanisms compared to earlier campaigns. 

Imperva malware researchers observed obfuscation in a Golang binary, which prevented using GoReSym or Redress for analysis. 

Dynamic analysis revealed the malware downloaded a second-stage binary from a Google subdomain (sites.google.com) disguised as a legitimate error page. 

The decoded and unpacked binary is an XMRig miner connecting to the MoneroOcean mining pool (gulf.moneroocean.stream:10128, 109.123.233.251:443) for the wallet 483F2xjkCUegxPM7wAexam1Be67EqDRZpS7azk8hcGETSustmuxd1Agffa3XSHFyzeFprLyHKm37bTPShFUTKgctMSBVuuK. The wallet has 6 workers and generates around 57 XMR (roughly 6800 USD) per year. 

Sysrv botnet actors are using compromised legitimate domains to host malicious scripts (ldr.sh, cron) that download and run XMRig cryptominer on infected devices. 

The scripts connect to mining pools (gulf.moneroocean.stream, 109.123.233.251) to mine XMR cryptocurrency for the attackers.  

There were many signs of compromise (IOCs) found, such as URLs, file hashes (like ldr.sh: 6fb9b4dced1cf53a), and a wallet address (483F2xjkCUegxPM7wAexam1Be67EqDRZpS7azk8hcGETSustmuxd1Agffa3XSHFyzeFprL yHKm37bTPShFUTKgctMSBVuuK) that can help defenders find and stop this malicious campaign. 

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.