Windows and Linux devices are being attacked by a new cryptomining worm


Getty Images

A newly discovered cryptomining worm is increasing its targeting of Windows and Linux devices with a range of new exploits and features, according to one researcher.

The research company Juniper began monitoring the so-called Sysrv botnet in December. One of the malware components of the botnet was a worm that spread from one vulnerable device to another without any user interaction. It scanned the internet for vulnerable devices and, if found, infected it using a list of exploits that have increased over time.

The malware also contained a cryptominer that uses infected devices to create Monero’s digital currency. There was a separate binary file for each component.

Ever growing arsenal

By March, Sysrv developers had redesigned the malware to combine worm and miner into a single binary file. They also gave the script that loads the malware the ability to add SSH keys, most likely to be better able to withstand reboots and have more sophisticated features. The worm exploited six vulnerabilities in software and frameworks used in companies, including Mongo Express, XXL-Job, XML-RPC, Saltstack, ThinkPHP and Drupal Ajax.

“Based on the binaries we saw and the time we saw them, we have found that the threat actor is constantly updating its exploit arsenal,” Juniper researcher Paul Kimayong said in a blog post Thursday .

Juniper research

Thursday’s post listed more than a dozen exploits targeted by the malware. You are:


Exploit software
CVE-2021-3129 Laravel
CVE-2020-14882 Oracle Weblogic
CVE-2019-3396 Widget Connector macro in Atlassian Confluence Server
CVE-2019-10758 Mongo Express
CVE-2019-0193 Apache Solr
CVE-2017-9841 PHPUnit
CVE-2017-12149 Jboss Application Server
CVE-2017-11610 Supervisor (XML-RPC)
Apache Hadoop unauthenticated command execution via YARN ResourceManager (no CVE) Apache Hadoop
Brute force Jenkins Jenkins
Jupyter Notebook Command Execution (no CVE) Jupyter Notebook Server
CVE-2019-7238 Sonatype Nexus Repository Manager
Tomcat Manager Unauth Upload Command Execution (no CVE) Tomcat Manager
WordPress Bruteforce WordPress

The exploits Juniper Research previously saw while using the malware are:

  • Mongo Express RCE (CVE-2019-10758)
  • XXL-JOB Unauth RCE
  • XML-RPC (CVE-2017-11610)
  • CVE-2020-16846 (Saltstack RCE)
  • ThinkPHP RCE
  • CVE-2018-7600 (Drupal Ajax RCE)

Come in, water is great

The developers also changed the mining pools that infected devices join. The miner is a version of the open source XMRig that is currently mining for the following mining pools:


A mining pool is a group of cryptocurrency miners who combine their computing resources to reduce the volatility of their returns and increase the likelihood of finding a block of transactions. According to the mining pool’s profitability comparison page, the pools used by Sysrv are three of the top four Monero mining pools.

“Together they have nearly 50% of the network hash rate,” wrote Kimayong. “The threat actor criteria appear to be top mining pools with high reward rates.”

Juniper research

The profit from mining is deposited into the following wallet address:


Nanopool reveals that the wallet won 8 XMR worth around $ 1,700 from March 1st to March 28th. About 1 XMR is added every two days.

Juniper Research

A threat to Windows and Linux alike

The sysrv binary is a 64-bit go binary packaged with the open source executable UPX packer. There are versions for Windows and Linux. Two randomly selected Windows binaries were detected by 33 and 48 of the top 70 malware protection services, according to VirusTotal. Two randomly chosen Linux binaries had six and nine.

The threat posed by this botnet is not just the strain on computer resources and the non-trivial power consumption. Malware that can run a cryptominer can almost certainly also install ransomware and other harmful goods. Thursday’s blog post has dozens of indicators that administrators can use to determine if the devices they manage are infected.


Steven Gregory