Windows and Linux devices are being attacked by a new cryptomining worm
A newly discovered cryptomining worm is stepping up its targeting of Windows and Linux devices with a growing set of exploits and features, according to a researcher.
The research company Juniper began monitoring the so-called Sysrv botnet in December. One of the botnet's malware components was a worm that spread from one vulnerable device to another without any user interaction. It scanned the internet for vulnerable devices and, when it found one, infected it using a list of exploits that has grown over time.
The malware also contained a cryptominer that uses infected devices to mine the Monero cryptocurrency. Each component shipped as a separate binary file.
Ever growing arsenal
By March, Sysrv's developers had redesigned the malware to combine the worm and the miner into a single binary file. They also gave the script that loads the malware the ability to add SSH keys, most likely so the infection can survive reboots and gain more sophisticated capabilities. The worm exploited six vulnerabilities in software and frameworks used by companies, including Mongo Express, XXL-Job, XML-RPC, Saltstack, ThinkPHP and Drupal Ajax.
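The loader's habit of adding SSH keys is the kind of change a defender can check for directly. The following is an added example, not code from the Juniper post or from the Sysrv malware: it parses an `authorized_keys` file and reports every key whose fingerprint is not in a baseline of keys that configuration management actually provisioned. The key blobs, comments and file contents are constructed for the example and are not real keys or indicators from the report.

```python
"""Audit ~/.ssh/authorized_keys against a baseline of provisioned keys.

Added defensive example; it is not code from the Juniper post. The post
says Sysrv's loader script adds SSH keys (most likely for persistence),
so the question a defender wants answered is: which keys in
authorized_keys were never provisioned? Key blobs, file contents and
comments below are constructed and are not real keys or indicators.
"""
from __future__ import annotations

import base64
import hashlib
import re
from dataclasses import dataclass

# Key types OpenSSH accepts that this parser knows how to recognise in a line.
KEY_RE = re.compile(
    r"(?P<type>ssh-ed25519|ssh-rsa|ssh-dss"
    r"|ecdsa-sha2-nistp(?:256|384|521)"
    r"|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com)"
    r"\s+(?P<blob>[A-Za-z0-9+/]+=*)(?:\s+(?P<comment>.*))?$"
)


@dataclass(frozen=True)
class AuthorizedKey:
    options: str      # leading options such as command="..." or no-pty
    key_type: str
    fingerprint: str  # OpenSSH-style "SHA256:<base64 without padding>"
    comment: str


def fingerprint(blob_b64: str) -> str:
    """Return the SHA256 fingerprint OpenSSH prints for a base64 key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list[AuthorizedKey]:
    """Parse authorized_keys content; comments, blank and malformed lines are skipped."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m is None:
            continue
        # Everything before the key type is the options field. It may contain
        # quoted spaces, which is why the key is located by regex, not split().
        options = line[: m.start()].strip()
        keys.append(AuthorizedKey(options, m["type"], fingerprint(m["blob"]),
                                  m["comment"] or ""))
    return keys


def unexpected_keys(text: str, baseline: set[str]) -> list[AuthorizedKey]:
    """Keys present in the file whose fingerprint is not in the provisioned baseline."""
    return [k for k in parse_authorized_keys(text) if k.fingerprint not in baseline]


# Constructed sample: the "blobs" are base64 of placeholder bytes, not real keys.
BLOB_DEPLOY = base64.b64encode(b"constructed ed25519 blob for deploy@build01").decode()
BLOB_BACKUP = base64.b64encode(b"constructed rsa blob for backup@nas").decode()
BLOB_ROGUE = base64.b64encode(b"constructed blob that nobody provisioned").decode()

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# managed by configuration management (constructed sample)",
    f"ssh-ed25519 {BLOB_DEPLOY} deploy@build01",
    f'command="/usr/bin/rrsync /srv/backup",no-pty ssh-rsa {BLOB_BACKUP} backup@nas',
    "",
    f"ssh-rsa {BLOB_ROGUE} root@localhost",
])

# Fingerprints of the keys configuration management actually provisioned.
BASELINE = {fingerprint(BLOB_DEPLOY), fingerprint(BLOB_BACKUP)}

if __name__ == "__main__":
    for key in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, BASELINE):
        print(f"UNEXPECTED {key.key_type} {key.fingerprint} {key.comment!r}")
```

Comparing by fingerprint rather than by comment matters: the comment at the end of an `authorized_keys` line is free text that anyone writing the file can set to look legitimate, while the fingerprint is derived from the key material itself. On a real host the sample text would be replaced by the contents of each user's `authorized_keys`, and the baseline by the fingerprints the provisioning system records.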
“Based on the binaries we saw and the time we saw them, we have found that the threat actor is constantly updating its exploit arsenal,” Juniper researcher Paul Kimayong said in a blog post Thursday.
Thursday’s post listed more than a dozen exploits targeted by the malware. They are:

| Exploit | Target software |
|---|---|
| CVE-2019-3396 | Widget Connector macro in Atlassian Confluence Server |
| CVE-2017-12149 | Jboss Application Server |
| Apache Hadoop unauthenticated command execution via YARN ResourceManager (no CVE) | Apache Hadoop |
| Brute force Jenkins | Jenkins |
| Jupyter Notebook Command Execution (no CVE) | Jupyter Notebook Server |
| CVE-2019-7238 | Sonatype Nexus Repository Manager |
| Tomcat Manager Unauth Upload Command Execution (no CVE) | Tomcat Manager |
The exploits Juniper Research had previously seen the malware use are:
- Mongo Express RCE (CVE-2019-10758)
- XXL-JOB Unauth RCE
- XML-RPC (CVE-2017-11610)
- CVE-2020-16846 (Saltstack RCE)
- ThinkPHP RCE
- CVE-2018-7600 (Drupal Ajax RCE)
Come on in, the water’s fine
The developers also changed the mining pools that infected devices join. The miner is a build of the open source XMRig and currently mines for the following pools:
A mining pool is a group of cryptocurrency miners who combine their computing resources to reduce the volatility of their returns and increase the likelihood of finding a block of transactions. According to the pool profitability comparison site PoolWatch.io, the pools used by Sysrv are three of the top four Monero mining pools.
“Together they have nearly 50% of the network hash rate,” wrote Kimayong. “The threat actor criteria appear to be top mining pools with high reward rates.”
The profit from mining is deposited into the following wallet address:
Nanopool shows that the wallet earned 8 XMR, worth around $1,700, between March 1 and March 28, with roughly 1 XMR added every two days.
A threat to Windows and Linux alike
The Sysrv binary is a 64-bit Go binary packed with the open source UPX executable packer. There are versions for Windows and Linux. Two randomly selected Windows binaries were detected by 33 and 48 of the top 70 malware protection services, according to VirusTotal. Two randomly chosen Linux binaries were detected by six and nine, respectively.
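Because the post says the binary is packed with stock UPX, a cheap first-pass triage check is to look for the markers UPX leaves behind: its `UPX!` pack-header magic and, in Windows PE files, the `UPX0`/`UPX1` section names it writes in place of the usual `.text`/`.data`. The following is an added example, not code from the Juniper post or a detection rule it publishes; it parses the PE section table properly rather than grepping for strings, and every byte string it uses is constructed for the example. A modified packer or a scrubbed header will not be caught, so a hit is a reason to look closer, not a verdict.

```python
"""Triage heuristic: does this binary look UPX-packed?

Added example, not code from the Juniper post. The post describes Sysrv as
a 64-bit Go binary packed with the open source UPX packer. Stock UPX
leaves markers in its output: a "UPX!" magic in its pack header and, in
PE files, section names UPX0/UPX1. Every byte string below is constructed
for the example (none is a real executable or an indicator from the
report). A modified packer or scrubbed header defeats this check.
"""
from __future__ import annotations

import struct

UPX_MAGIC = b"UPX!"
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def pe_section_names(data: bytes) -> list[bytes]:
    """Return section names from a PE section table, or [] if not a PE file."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return []
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    # COFF header follows the 4-byte signature: NumberOfSections at +2,
    # SizeOfOptionalHeader at +16; the section table follows the optional header.
    coff = pe_off + 4
    if len(data) < coff + 20:
        return []
    (n_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size
    names = []
    for i in range(n_sections):
        off = table + i * 40            # IMAGE_SECTION_HEADER is 40 bytes, name is first 8
        if off + 8 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def upx_indicators(data: bytes) -> list[str]:
    """List the UPX markers found in a file image; an empty list means nothing obvious."""
    found = []
    if UPX_MAGIC in data:
        found.append("UPX! magic")
    found += [f"section {n.decode()}" for n in pe_section_names(data)
              if n in UPX_SECTION_NAMES]
    return found


def looks_upx_packed(data: bytes) -> bool:
    return bool(upx_indicators(data))


def _constructed_pe(section_names: list[bytes], tail: bytes = b"") -> bytes:
    """Build a minimal PE-shaped blob for the example (constructed, not a real executable)."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)           # 64-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)          # e_lfanew -> PE signature at 0x40
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics.
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0x22)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(header) + b"PE\0\0" + coff + sections + tail


# Constructed samples: a "packed" and a "clean" PE, a "packed" and a "clean" ELF.
SAMPLE_PACKED_PE = _constructed_pe([b"UPX0", b"UPX1", b".rsrc"],
                                   tail=b"\0" * 16 + UPX_MAGIC + b"\x0d\x16")
SAMPLE_CLEAN_PE = _constructed_pe([b".text", b".rdata", b".data"])
SAMPLE_PACKED_ELF = b"\x7fELF\x02\x01\x01" + b"\0" * 57 + UPX_MAGIC + b"\0" * 32
SAMPLE_CLEAN_ELF = b"\x7fELF\x02\x01\x01" + b"\0" * 96

if __name__ == "__main__":
    for name, blob in [("packed PE", SAMPLE_PACKED_PE), ("clean PE", SAMPLE_CLEAN_PE),
                       ("packed ELF", SAMPLE_PACKED_ELF), ("clean ELF", SAMPLE_CLEAN_ELF)]:
        print(f"{name:10s} -> {upx_indicators(blob) or 'no UPX markers'}")
```

To run it over real files, read each candidate with `open(path, "rb").read()` and pass the bytes to `upx_indicators`. The low VirusTotal detection counts the post reports for the Linux binaries are a reminder that packing alone is not a verdict either way: plenty of legitimate software ships UPX-packed, and a packer whose markers have been altered leaves none of these traces.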
The threat posed by this botnet is not just the strain on computing resources and the non-trivial power consumption. Malware that can run a cryptominer can almost certainly also install ransomware and other malicious payloads. Thursday’s blog post lists dozens of indicators that administrators can use to determine whether the devices they manage are infected.