Microsoft: Sysrv-K botnet targeting Windows and Linux

The new variant is yet another evolution of the Sysrv botnet, which was discovered in December

Microsoft has issued a warning about a new botnet that installs a cryptocurrency miner to generate digital cash on infected machines.

The malware is a variant of the Sysrv botnet, which works by exploiting security flaws in the Spring Framework and WordPress plugins.

Known as Sysrv-K, the new strain has been enhanced with additional features. These include the ability to scan the internet for web servers with security weaknesses that can be exploited, and new communication features such as the ability to use a Telegram bot.

The botnet specifically hunts for WordPress plugins with older bugs, as well as CVE-2022-22947, a recently reported remote code execution (RCE) flaw in the Spring Cloud Gateway library.

CVE-2022-22947 is a critical code injection flaw that affects VMware's Spring Cloud Gateway and Oracle's Communications Cloud Native Core Network Exposure Function.

'The new variant, which we call Sysrv-K, sports additional exploits and can gain control of web servers' by exploiting vulnerabilities, the Microsoft Security Intelligence team said.

Once running on an infected machine, Sysrv-K installs a Monero cryptocurrency miner, which uses the machine's computing resources to create digital cash.

It can also rummage through WordPress files to take control of web server software, according to Microsoft.

Sysrv-K, like prior variants, checks the network for IP addresses, SSH keys, and host names before attempting to connect over SSH to install copies of itself on other computers. This puts the rest of the network at risk of becoming part of the Sysrv-K botnet.

Microsoft urged organisations to secure their internet-facing Linux or Windows systems, install security updates on a regular basis, and keep their passwords safe.

'We highly recommend organisations to secure internet-facing systems, including timely application of security updates and building credential hygiene.

'Microsoft Defender for Endpoint detects Sysrv-K and older Sysrv variants, as well as related behaviour and payloads.'
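The spreading step described above depends on SSH private keys that sit on disk without a passphrase, and "credential hygiene" in Microsoft's advice means, in part, not leaving such keys around. The following audit script is an added example, not code from the article or from Microsoft: it classifies key files under a directory as encrypted or unencrypted by parsing the openssh-key-v1 header (cipher and KDF names both read "none" for a passphrase-less key) and the legacy PEM `Proc-Type` header, and reports file permissions alongside the verdict. The sample key texts are constructed headers with no real key material, and the `~/.ssh`-style directory layout is an assumption.

```python
import base64
import re
import struct
import tempfile
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"

# Constructed samples (no real key material): a legacy PEM key with and
# without the Proc-Type encryption header.
LEGACY_ENCRYPTED_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "AAAA\n"
    "-----END RSA PRIVATE KEY-----\n"
)
LEGACY_CLEAR_PEM = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, offset: int):
    """Decode one SSH wire-format string at offset; returns (value, next_offset)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    if start + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[start:start + length], start + length


def classify_private_key(text: str) -> str:
    """Classify PEM-armoured text as 'encrypted', 'unencrypted' or 'not-a-key'."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+?)-----\r?\n(.*?)-----END \1-----", text, re.S)
    if not m:
        return "not-a-key"
    label, body = m.group(1), m.group(2)
    if label == "OPENSSH PRIVATE KEY":
        # openssh-key-v1 layout: magic, then ciphername and kdfname strings.
        # Both are the literal "none" when the key is stored without a passphrase.
        blob = base64.b64decode("".join(body.split()))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, off = _read_ssh_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_ssh_string(blob, off)
        return "unencrypted" if cipher == b"none" and kdf == b"none" else "encrypted"
    if label.endswith("PRIVATE KEY"):
        # PKCS#8 encrypted keys say so in the label; legacy PEM keys carry a
        # Proc-Type header. Any other PRIVATE KEY label means the key is in the clear.
        if label.startswith("ENCRYPTED") or re.search(r"^Proc-Type: 4,ENCRYPTED", body, re.M):
            return "encrypted"
        return "unencrypted"
    return "not-a-key"  # public keys, certificates, known_hosts, config, ...


def make_openssh_key_text(cipher: str, kdf: str) -> str:
    """Build a CONSTRUCTED openssh-key-v1 header (no key material) for testing."""
    blob = OPENSSH_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode()) + _ssh_string(b"")
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END OPENSSH PRIVATE KEY-----\n"


def audit_ssh_dir(ssh_dir) -> list:
    """Return (filename, verdict, mode) for every private key file found directly under ssh_dir."""
    findings = []
    for p in sorted(Path(ssh_dir).iterdir()):
        if not p.is_file():
            continue
        verdict = classify_private_key(p.read_text(errors="replace"))
        if verdict == "not-a-key":
            continue
        findings.append((p.name, verdict, p.stat().st_mode & 0o777))
    return findings


def main():
    # Demo on a throw-away directory populated with the constructed samples.
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "id_ed25519": make_openssh_key_text("none", "none"),            # passphrase-less
            "id_rsa": make_openssh_key_text("aes256-ctr", "bcrypt"),        # passphrase-protected
            "legacy.pem": LEGACY_ENCRYPTED_PEM,
            "old_clear.pem": LEGACY_CLEAR_PEM,
            "id_rsa.pub": "ssh-rsa AAAA user@host\n",
        }
        for name, text in samples.items():
            Path(d, name).write_text(text)
        for name, verdict, mode in audit_ssh_dir(d):
            flag = "WARN" if verdict == "unencrypted" or mode & 0o077 else "ok"
            print(f"{flag:4} {name:14} {verdict:12} mode={mode:04o}")


if __name__ == "__main__":
    main()
```

Run it against a real `~/.ssh` (or a directory collected from a fleet) and treat every `unencrypted` verdict, and every key readable by group or others, as a finding to fix before a worm such as Sysrv-K can reuse the key to hop to the next host.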

Last month, the US government announced that it had successfully deactivated a massive botnet of hardware devices controlled by the Sandworm hacking group, which is thought to be run by Unit 74455 of the Russian Main Intelligence Directorate (GRU).

The FBI worked with security vendor WatchGuard in a court-approved operation in March 2022 to copy and remove the Cyclops Blink malware from vulnerable internet-connected firewall devices that Sandworm exploited for command and control of the underlying botnet.

According to the US Justice Department, the operation disrupted the GRU's control over thousands of infected devices in multiple countries.
