Sysrv botnet is more powerful than ever: New exploits to take control of Linux and Windows devices

In its most recent release, the operators of the Sysrv botnet added exploits for newly disclosed vulnerabilities, posing a serious threat to both Windows and Linux systems. Identified as Sysrv-K, this new malware strain also scans the Internet for vulnerable web servers to exploit.

The vulnerabilities exploited by these hackers, all of which have patches available, include flaws in WordPress plugins and the remote code execution (RCE) bug in Spring Cloud Gateway, tracked as CVE-2022-22947 and disclosed by the Cybersecurity and Infrastructure Security Agency (CISA).

After gaining access to the target system, the malware deploys a Monero miner that consumes the processing capacity of the affected machine. The malware can also inspect files on WordPress sites in order to take control of the underlying web server.

Like its previous versions, Sysrv-K looks for SSH keys, IP addresses, and hostnames on affected systems to propagate over SSH connections. The report notes that affected systems can be easily incorporated into the botnet.

Faced with this situation, specialists strongly recommend that organizations secure their Internet-facing systems, including applying security patches promptly and establishing an adequate user credential policy.

Sysrv was first detected in late 2020 and has received constant updates ever since. Dorka Palotay, a specialist at security firm Cujo AI, notes that the community has identified multiple iterations of the malware/mining tool. These versions are written in the Go programming language, which offers simple cross-compilation, and the large size of the resulting binaries makes reverse engineering the malware files nearly impossible.

According to Palotay, each update to the malware has added new code to extend its capabilities. She mentions analyzing at least two dozen Sysrv exploits that target a variety of software, including JBoss, Adobe ColdFusion, Atlassian Confluence, and Jira, as well as hacking tools for Apache and Oracle WebLogic: “Malware continues to incorporate new exploits to spread effectively,” she says.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.