mood Posted April 9, 2021

Windows and Linux devices are under attack by a new cryptomining worm

With new exploits and capabilities, the Sysrv botnet poses a growing threat.

A newly discovered cryptomining worm is stepping up its targeting of Windows and Linux devices with a batch of new exploits and capabilities, a researcher said.

Research company Juniper started monitoring what it’s calling the Sysrv botnet in December. One of the botnet’s malware components was a worm that spread from one vulnerable device to another without requiring any user action. It did this by scanning the Internet for vulnerable devices and, when found, infecting them using a list of exploits that has increased over time. The malware also included a cryptominer that uses infected devices to create the Monero digital currency. There was a separate binary file for each component.

Constantly growing arsenal

By March, Sysrv developers had redesigned the malware to combine the worm and miner into a single binary. They also gave the script that loads the malware the ability to add SSH keys, most likely as a way to make it better able to survive reboots and to have more sophisticated capabilities. The worm was exploiting six vulnerabilities in software and frameworks used in enterprises, including Mongo Express, XXL-Job, XML-RPC, Saltstack, ThinkPHP, and Drupal Ajax.

“Based on the binaries we have seen and the time when we have seen them, we found that the threat actor is constantly updating its exploit arsenal,” Juniper researcher Paul Kimayong said in a Thursday blog post.

Thursday’s post listed more than a dozen exploits that are under attack by the malware.
They are:

Exploit                                                                              Software
CVE-2021-3129                                                                        Laravel
CVE-2020-14882                                                                       Oracle Weblogic
CVE-2019-3396                                                                        Widget Connector macro in Atlassian Confluence Server
CVE-2019-10758                                                                       Mongo Express
CVE-2019-0193                                                                        Apache Solr
CVE-2017-9841                                                                        PHPUnit
CVE-2017-12149                                                                       Jboss Application Server
CVE-2017-11610                                                                       Supervisor (XML-RPC)
Apache Hadoop Unauthenticated Command Execution via YARN ResourceManager (No CVE)    Apache Hadoop
Brute force Jenkins                                                                  Jenkins
Jupyter Notebook Command Execution (No CVE)                                          Jupyter Notebook Server
CVE-2019-7238                                                                        Sonatype Nexus Repository Manager
Tomcat Manager Unauth Upload Command Execution (No CVE)                              Tomcat Manager
WordPress Bruteforce                                                                 WordPress

The exploits Juniper Research previously saw the malware using are:

- Mongo Express RCE (CVE-2019-10758)
- XXL-JOB Unauth RCE
- XML-RPC (CVE-2017-11610)
- CVE-2020-16846 (Saltstack RCE)
- ThinkPHP RCE
- CVE-2018-7600 (Drupal Ajax RCE)

Come on in, water’s great

The developers have also changed the mining pools infected devices join. The miner is a version of the open source XMRig that currently mines for the following mining pools:

- Xmr-eu1.nanopool.org:14444
- f2pool.com:13531
- minexmr.com:5555

A mining pool is a group of cryptocurrency miners who combine their computational resources to reduce the volatility of their returns and increase the chances of finding a block of transactions. According to mining pool profitability comparison site PoolWatch.io, the pools used by Sysrv are three of the four top Monero mining pools.

“Combined together, they almost have 50% of the network hash rate,” Kimayong wrote. “The threat actor’s criteria appears to be top mining pools with high reward rates.”

The profit from mining is deposited into the following wallet address: 49dnvYkWkZNPrDj3KF8fR1BHLBfiVArU6Hu61N9gtrZWgbRptntwht5JUrXX1ZeofwPwC6fXNxPZfGjNEChXttwWE3WGURa

Nanopool shows that the wallet gained 8 XMR, worth roughly $1,700 USD, from March 1 to March 28. It's adding about 1 XMR every two days.
A threat to Windows and Linux alike

The Sysrv binary is a 64-bit Go binary that’s packed with the open source UPX executable packer. There are versions for both Windows and Linux. Two Windows binaries chosen at random were detected by 33 and 48 of the top 70 malware protection services, according to VirusTotal. Two randomly picked Linux binaries had six and nine.

The threat from this botnet isn’t just the strain on computing resources and the non-trivial drain of electricity. Malware that has the ability to run a cryptominer almost certainly can also install ransomware and other malicious wares. Thursday’s blog post has dozens of indicators that administrators can use to see if the devices they manage are infected.

Source: Windows and Linux devices are under attack by a new cryptomining worm
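The three pool endpoints named in the article are a ready-made network indicator for the devices an administrator manages. The following Python script is an added example, not code from the article or from Juniper's post: it scans constructed egress log lines (the `host=... src=... dst=... dport=...` format and the sample lines are assumptions made for the example) and reports an exact host:port match as a high-confidence hit and a port-only match as a low-confidence one, since those ports are not unique to miners.

```python
"""Flag egress connections to the Monero pools listed for Sysrv (added example)."""
import re
from dataclasses import dataclass

# Pool endpoints exactly as listed in the Juniper post (hostnames lowercased for matching).
SYSRV_POOLS = {
    ("xmr-eu1.nanopool.org", 14444),
    ("f2pool.com", 13531),
    ("minexmr.com", 5555),
}
# A port alone is a weak signal: other services use these ports too.
POOL_PORTS = {port for _, port in SYSRV_POOLS}

# Constructed sample log lines in an assumed key=value egress-log format (not from the page).
SAMPLE_LOG = """\
2021-03-20T10:01:02Z host=web01 src=10.0.0.5 dst=xmr-eu1.nanopool.org dport=14444 proto=tcp
2021-03-20T10:01:05Z host=web01 src=10.0.0.5 dst=api.example.com dport=443 proto=tcp
2021-03-20T10:02:11Z host=db02 src=10.0.0.9 dst=f2pool.com dport=13531 proto=tcp
2021-03-20T10:03:40Z host=db02 src=10.0.0.9 dst=192.0.2.10 dport=5555 proto=tcp
"""

LINE_RE = re.compile(
    r"host=(?P<host>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Hit:
    host: str        # the internal machine that opened the connection
    dst: str         # destination hostname or IP as logged
    dport: int
    confidence: str  # "high" for host:port match, "low" for port-only match


def scan_egress_log(text: str) -> list[Hit]:
    """Return one Hit per log line whose destination looks like a Sysrv mining pool."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not in the expected format
        dst, dport = m["dst"].lower(), int(m["dport"])
        if (dst, dport) in SYSRV_POOLS:
            hits.append(Hit(m["host"], dst, dport, "high"))
        elif dport in POOL_PORTS:
            hits.append(Hit(m["host"], dst, dport, "low"))
    return hits


if __name__ == "__main__":
    for hit in scan_egress_log(SAMPLE_LOG):
        print(hit)
```

A low-confidence hit to an unfamiliar IP on one of these ports is worth a look at the originating process, since the article notes the miner binary is a UPX-packed Go executable that most Linux scanners missed.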
mp68terr Posted April 9, 2021

Can this worm infect a Linux system (computer) without the admin password? Or is it limited to the IoT devices?
mood Posted April 24, 2021 (Author)

New cryptomining malware builds an army of Windows, Linux bots

A recently discovered cryptomining botnet is actively scanning for vulnerable Windows and Linux enterprise servers and infecting them with Monero (XMRig) miner and self-spreader malware payloads.

First spotted by Alibaba Cloud (Aliyun) security researchers in February (who dubbed it Sysrv-hello) and active since December 2020, the botnet has also landed on the radars of researchers at Lacework Labs and Juniper Threat Labs after a surge of activity during March.

While, at first, it was using a multi-component architecture with the miner and worm (propagator) modules, the botnet has been upgraded to use a single binary capable of mining and auto-spreading the malware to other devices.

Sysrv-hello's propagator component aggressively scans the Internet for more vulnerable systems to add to its army of Monero mining bots with exploits targeting vulnerabilities that allow it to execute malicious code remotely.

The attackers "are targeting cloud workloads through remote code injection/remote code execution vulnerabilities in PHPUnit, Apache Solar, Confluence, Laravel, JBoss, Jira, Sonatype, Oracle WebLogic and Apache Struts to gain initial access," Lacework found.

After hacking into a server and killing competing cryptocurrency miners, the malware will also spread over the network in brute force attacks using SSH private keys collected from various locations on infected servers.

"Lateral movement is conducted via SSH keys available on the victim machine and hosts identified from bash history files, ssh config files, and known_hosts files," Lacework added.
[Figure: Sysrv-hello attack flow (Lacework)]

Vulnerabilities targeted by Sysrv-hello

After the botnet's activity surged in March, Juniper identified six vulnerabilities exploited by malware samples collected in active attacks:

- Mongo Express RCE (CVE-2019-10758)
- XML-RPC (CVE-2017-11610)
- Saltstack RCE (CVE-2020-16846)
- Drupal Ajax RCE (CVE-2018-7600)
- ThinkPHP RCE (no CVE)
- XXL-JOB Unauth RCE (no CVE)

Other exploits used by the botnet in the past also include:

- Laravel (CVE-2021-3129)
- Oracle Weblogic (CVE-2020-14882)
- Atlassian Confluence Server (CVE-2019-3396)
- Apache Solr (CVE-2019-0193)
- PHPUnit (CVE-2017-9841)
- Jboss Application Server (CVE-2017-12149)
- Sonatype Nexus Repository Manager (CVE-2019-7238)
- Jenkins brute force
- WordPress brute force
- Apache Hadoop Unauthenticated Command Execution via YARN ResourceManager (No CVE)
- Jupyter Notebook Command Execution (No CVE)
- Tomcat Manager Unauth Upload Command Execution (No CVE)

Slowly but steadily filling cryptocurrency wallets

The Lacework Labs team successfully recovered a Sysrv-hello XMRig mining configuration file which helped them find one of the Monero wallets used by the botnet to collect Monero mined on the F2Pool mining pool. The latest samples spotted in the wild have also added support for the Nanopool mining pool after removing support for MineXMR.

Even though this wallet contains just over 12 XMR (roughly $4,000), cryptomining botnets regularly use more than one wallet linked to multiple mining pools to collect illegally earned cryptocurrency, and this can quickly add up to a small fortune.

For instance, another wallet connected to Nanopool and spotted by Juniper researchers contains 8 XMR (almost $1,700 worth of Monero) collected between March 1 and March 28.

Sysrv-hello is not alone trawling the Internet for free computing power, as other botnets are also actively trying to cash in from exploiting and enslaving vulnerable servers to mine for Monero cryptocurrency.
360 Netlab researchers spotted an increasingly active and upgraded version of the z0Miner cryptomining botnet attempting to infect vulnerable Jenkins and ElasticSearch servers to mine for Monero.

Cybereason's Nocturnus incident response team published findings on the Prometei botnet on Thursday, first spotted last year and active since at least 2016, now deploying Monero miners on unpatched Microsoft Exchange servers.

Source: New cryptomining malware builds an army of Windows, Linux bots