Remember when Ultron built an army of robot drones and the destruction that ensued? Similarly, a new cryptomining botnet has arrived that’s building an army of bots.
What’s going on?
Dubbed Sysrv-hello, the botnet has been active since December last year. This multi-architecture cryptojacking (T1496) botnet actively scans for vulnerable Windows and Linux enterprise servers and infects them with a Monero miner as well as self-propagating malware payloads. Lacework discovered that the threat actors are targeting RCE flaws in Apache Solr, Apache Struts, PHPUnit, Confluence, Jira, Sonatype, JBoss, Laravel, and Oracle WebLogic for initial access.
Why does it matter?
- The botnet uses multiple wallets linked to multiple mining pools to collect its illegally mined cryptocurrency, which signifies that the operation has the capacity to be quite profitable.
- After compromising a server and killing rival cryptominers, the malware propagates across the network through brute-force attacks, using SSH private keys harvested from the infected servers.
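The SSH-key propagation described above leaves two traces in sshd logs: one key fingerprint accepted from more than one source address, and one source trying a string of rejected keys. The following detector, an added example and not code from the original post or from Lacework's report, runs over constructed sshd log lines (host names, addresses and fingerprints are all made up) and flags both patterns.

```python
import re
from collections import defaultdict

# Constructed sshd log excerpt (sample data, not from the page). Host 10.0.2.5 (web01) is
# assumed compromised: it replays key1, harvested from the deploy user's home directory,
# and sprays other stolen keys at db01 before one of them is accepted.
SAMPLE_LOG = """\
Apr 12 10:01:02 web01 sshd[2101]: Accepted publickey for deploy from 10.0.1.20 port 51234 ssh2: RSA SHA256:key1
Apr 12 10:07:11 db01 sshd[3310]: Failed publickey for root from 10.0.2.5 port 40010 ssh2: RSA SHA256:key2
Apr 12 10:07:12 db01 sshd[3311]: Failed publickey for root from 10.0.2.5 port 40011 ssh2: RSA SHA256:key3
Apr 12 10:07:12 db01 sshd[3312]: Failed publickey for root from 10.0.2.5 port 40012 ssh2: ED25519 SHA256:key4
Apr 12 10:07:13 db01 sshd[3313]: Accepted publickey for deploy from 10.0.2.5 port 40013 ssh2: RSA SHA256:key1
Apr 12 10:07:20 app02 sshd[1180]: Accepted publickey for deploy from 10.0.2.5 port 40020 ssh2: RSA SHA256:key1
Apr 12 10:09:00 app02 sshd[1181]: Accepted password for ops from 10.0.1.21 port 52000 ssh2
"""

# Matches OpenSSH's "Accepted/Failed publickey" syslog lines; other auth lines are skipped.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) publickey for (?P<user>\S+) from (?P<src>\S+) "
    r"port \d+ ssh2: \S+ (?P<fp>SHA256:\S+)$"
)

def parse_events(log_text):
    """Return one dict (host, result, user, src, fp) per public-key auth line."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def find_key_reuse(events):
    """Fingerprints accepted from more than one source address.
    A harvested key replayed from a compromised server shows up here; so will an
    admin with several workstations, so treat hits as leads to triage, not verdicts."""
    sources = defaultdict(set)
    for e in events:
        if e["result"] == "Accepted":
            sources[e["fp"]].add(e["src"])
    return {fp: sorted(s) for fp, s in sources.items() if len(s) > 1}

def find_key_spraying(events, min_keys=3):
    """Sources whose rejected attempts used at least min_keys distinct fingerprints,
    i.e. a collection of stolen keys being tried in turn against one target."""
    failed = defaultdict(set)
    for e in events:
        if e["result"] == "Failed":
            failed[e["src"]].add(e["fp"])
    return {src: sorted(f) for src, f in failed.items() if len(f) >= min_keys}

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("key accepted from several sources:", find_key_reuse(evs))
    print("sources spraying stolen keys:", find_key_spraying(evs))
```

Pointing the script at real `/var/log/auth.log` or `journalctl -u ssh` output works unchanged as long as the distribution keeps OpenSSH's default log format.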
Sysrv-hello is not the only malware actively trying to steal cryptocurrency.
- A fake Microsoft DirectX 12 download page has been created by attackers to disseminate malware that steals cryptocurrency wallets and passwords.
- Prometei is another multi-stage cryptomining botnet that is exploiting the recently disclosed ProxyLogon vulnerabilities.
- An attacker was observed exploiting a remote command injection flaw in Nagios XI (CVE-2021-25296) to carry out a cryptojacking attack and deploy the XMRig coinminer on victim devices.
The bottom line
Sysrv-hello leverages known vulnerabilities to spread its cryptojacking malware. The foremost step to avoid becoming a victim of this malware is therefore to keep your systems patched. Moreover, it is imperative that we avoid the mistakes that put us and our systems at risk from hackers.