The malware is a variant of the Sysrv botnet that exploits security vulnerabilities in the Spring Framework and in WordPress plugins.
Known as Sysrv-K, the new strain has been enhanced with additional features. These include the ability to scan the web for exploitable web vulnerabilities and new communication features, such as the ability to use a Telegram bot.
The botnet specifically searches for WordPress plugins with older bugs, as well as CVE-2022-22947, a recently reported remote code execution (RCE) flaw in the Spring Cloud Gateway library.
CVE-2022-22947 is a critical code injection defect that affects VMware’s Spring Cloud Gateway and Oracle Communications Cloud Native Core Network Exposure Function.
“The new version, which we call Sysrv-K, offers additional exploits and can gain control of web servers,” said the Microsoft Security Intelligence team.
We came across a new version of the Sysrv botnet, known for exploiting vulnerabilities in web applications and databases to install coin diggers on both Windows and Linux systems. The new version, which we call Sysrv-K, offers additional exploits and can gain control over web servers.
– Microsoft Security Intelligence (@MsftSecIntel) May 13, 2022
Once launched on an infected machine, Sysrv-K installs a Monero cryptocurrency miner, which uses the machine’s computing resources to mine digital currency for the attackers.
It can also rummage through WordPress files to take control of the web server software, according to Microsoft.
Sysrv-K, like previous versions, scans the network for IP addresses, SSH keys and hostnames before attempting to connect via SSH and install copies of itself on other computers. This puts the rest of the network at risk of becoming part of the Sysrv-K botnet.
Microsoft has called on organizations to protect their Linux- and Windows-based systems, install security updates promptly, and keep their credentials secure.
“We strongly encourage organizations to provide Internet-oriented systems, including the timely implementation of security updates and the hygiene of certificates.
“Microsoft Defender finally finds Sysrv-K and older versions of Sysrv, as well as related behavior and payloads.”
Last month, the US government announced that it had successfully disabled a massive botnet of hardware devices controlled by the hacking group Sandworm, believed to be run by unit 74455 of Russia’s Main Intelligence Directorate (GRU).
The FBI worked with security provider WatchGuard in a court-authorized operation in March 2022 to copy and remove the Cyclops Blink malware from vulnerable internet-connected firewall devices that Sandworm used for command and control of the botnet.
According to the US Department of Justice, the operation disrupted the GRU’s control over thousands of infected devices in many countries.