
April 27, 2021

Cryptomining Worm Botnet Seeking And Attacking Vulnerable Devices

Written By Randy Hall

There's a new cryptomining worm threat to be aware of, and it's making the lives of IT Administrators who manage Windows and Linux environments nightmarish.

This news comes from a recently published report by Juniper, a research firm that began monitoring the activities of the new Sysrv botnet back in December of 2020.

One of the things that makes Sysrv a serious threat is the fact that it has worm-like abilities and can spread from one vulnerable device to another connected vulnerable device with ease. It can do that in record time, so what starts off as a small, manageable problem can quickly spiral out of control.

Worse, the hacker or group behind the new botnet has been busily updating it, giving the botnet an arsenal of exploits that has grown almost continually since Juniper first started tracking its activities.

Among other things, it can add SSH keys and use any of the following exploits:

  • Drupal Ajax
  • Mongo Express
  • Saltstack
  • ThinkPHP
  • XML-RPC

The main goal of the person or persons behind this new threat seems to be to maximize cryptocurrency mining rewards.

The malware is configured to mine through the following mining pools:

  • xmr-eu1.nanopool.org:14444
  • f2pool.com:13531
  • minexmr.com:5555
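
The pool endpoints above can be turned into an egress check. The following is an added example, not code from the article or from Juniper's report: it scans outbound-connection log lines for those pools and groups hits by source host. The log format, the sample lines and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Pool endpoints listed in the article.
POOLS = {"xmr-eu1.nanopool.org": 14444, "f2pool.com": 13531, "minexmr.com": 5555}

# Assumed egress-log format (constructed for this example, not from the article):
#   <timestamp> src=<ip> dst_host=<name> dst_port=<n>
LINE_RE = re.compile(r"^(\S+)\s+src=(\S+)\s+dst_host=(\S+)\s+dst_port=(\d+)")

def match_pool(host, port):
    """Return (pool_host, confidence) for a listed pool, else None.

    "high": host (or a subdomain of it) and port both match the article's list.
    "low":  host matches but the port differs; still worth review.
    """
    host = host.lower().rstrip(".")  # FQDN forms and mixed case compare equal
    for pool_host, pool_port in POOLS.items():
        # Suffix match on a label boundary, so "notminexmr.com" does not match.
        if host == pool_host or host.endswith("." + pool_host):
            return pool_host, "high" if port == pool_port else "low"
    return None

def scan(lines):
    """Group hits by source address: {src: [(ts, pool_host, port, confidence)]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or unrelated lines
        ts, src, host, port = m.group(1), m.group(2), m.group(3), int(m.group(4))
        hit = match_pool(host, port)
        if hit:
            hits[src].append((ts, hit[0], port, hit[1]))
    return dict(hits)

SAMPLE_LOG = [  # constructed lines; the "pool." subdomain is made up for the test
    "2021-04-27T10:00:01Z src=10.0.0.5 dst_host=XMR-EU1.nanopool.org. dst_port=14444",
    "2021-04-27T10:00:02Z src=10.0.0.7 dst_host=example.com dst_port=443",
    "2021-04-27T10:00:03Z src=10.0.0.5 dst_host=pool.minexmr.com dst_port=4444",
    "2021-04-27T10:00:04Z src=10.0.0.9 dst_host=notminexmr.com dst_port=5555",
    "garbage line",
]

if __name__ == "__main__":
    for src, events in scan(SAMPLE_LOG).items():
        print(src, events)
```

A source address that appears in the result is a machine to inspect for the miner, and for the added SSH keys mentioned earlier.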

The malware is currently designed to mine XMR, and its operators have infected enough machines that they're averaging about 1 XMR every two days. Between March 1st and March 28th of this year (2021), the wallet associated with the malware saw an increase of 8 XMR, worth about $1700.

Unfortunately, while the drain on computing power is bad enough on its own, that's not the worst of it. Once a machine is infected, it is entirely possible that Sysrv's controllers could upload additional malware that could be genuinely destructive. All that to say, be on the alert for this one. It's bad news and a growing threat.

About The Author
Randy Hall, CEO & Founder of Securafy, is a seasoned IT leader specializing in cybersecurity, compliance, and business resilience for SMBs. With deep technical expertise and decades of experience, he shares strategic insights on cybersecurity risks, AI in cybersecurity, emerging technology, and the economic challenges shaping the IT landscape. His content provides practical guidance for business owners looking to navigate evolving cyber threats and leverage technology for long-term growth.
