Sysrv Botnet Returns: Google Subdomain Used to Spread Cryptomining Malware

Sysrv botnet
Image: Imperva Threat Research

Security experts at Imperva Threat Research have exposed a new evolution of the notorious Sysrv botnet. This latest variant exhibits sophisticated tactics, including the abuse of a Google subdomain to spread its payload – a potent XMRig cryptocurrency miner.

From Compromised Sites to Your System

The campaign initially targets vulnerable web servers running Apache Struts (CVE-2017-9805) or Atlassian Confluence (CVE-2023-22527 and CVE-2021-26084), aiming to exploit known security flaws. Of particular interest is the attackers’ use of a legitimate domain belonging to a Malaysian academic institution, compromised to host the malicious files.

The Evolving Attack Chain

Sysrv botnet

Image: Imperva Threat Research

The botnet’s infection process begins with a dropper script, ldr.sh, strikingly similar to its predecessors but with critical updates. The script, which prepares the ground for the second-stage binary, showcases enhanced capabilities to terminate competing malware and disable endpoint protection, illustrating the attackers’ intent to secure their foothold within infected systems.

Following this preparatory phase, the script embarks on a propagation spree, leveraging SSH to spread across other hosts. This method reflects the botnet’s persistent endeavor to expand its reach and maximize its impact.

The core of the Sysrv botnet‘s latest iteration lies in its upgraded binary. This Golang-based binary, despite being obfuscated and packed with UPX to thwart analysis, was dynamically analyzed by Imperva researchers. The analysis revealed an unprecedented use of a Google subdomain for downloading the second-stage binary, a maneuver that camouflages the botnet’s malicious activities under the guise of legitimacy.

The payload, once decoded and unpacked, was identified as an XMRig miner, aligning with the botnet’s known objective of cryptomining. By connecting to specific endpoints and operating on behalf of a Monero wallet, the botnet demonstrates its capacity to generate substantial revenue, with estimates suggesting an annual yield of approximately 57 XMR (~ $6,800).

The Bottom Line

The latest variant of the Sysrv botnet is a testament to the sophistication and adaptability of modern cyber threats. By masquerading its malicious activities through the use of legitimate domains and a Google subdomain, the botnet not only evades detection but also raises significant concerns regarding the safety of seemingly trusted internet spaces.