[MART] - Daily Diary #512 - Meet Sysrv Botnet

CTAS-MAT ctas-mat at appgate.com
Tue May 17 21:37:49 UTC 2022


Hello,
I hope everyone is doing well!

Below is the entry for today.

05/17/2022 - Diary entry #512

Active since 2020, Sysrv is a botnet that infects vulnerable web servers and deploys crypto-miners on the hijacked machines. This week a new variant of the Sysrv botnet was disclosed.

After infecting a system, Sysrv exfiltrates credentials and SSH keys from the machine, which it then uses to move laterally across the network to the IP addresses and hostnames found on the infected machine. It communicates with its C&C server through a Telegram bot.

The new variant, named Sysrv-K, uses a variety of exploits to infect exposed web servers, such as CVE-2022-22947, a vulnerability in Spring Cloud Gateway. Sysrv-K also scans for WordPress configuration files, harvesting the user and database credentials stored in them, which it can use to hijack the server.

Although Sysrv was designed to deploy a Monero (cryptocurrency) miner, its architecture can be used to deploy more complex threats, as other botnet families such as Trickbot have done. Malware families like Sysrv do not target specific companies; they attempt to infect every exposed server they find. This incident is yet another reason for even small companies and server owners to deploy reasonable security measures, even if you don't believe a specialized cyber-crime gang is focused on you.


Kind Regards,





Felipe Duarte Domingues
Manager, MART
Appgate

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509
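Added example (editor's code, not part of the MART entry and not Sysrv's own code): the entry says Sysrv harvests SSH keys, the hostnames and IP addresses stored on the infected machine, and the credentials in WordPress configuration files, then uses them to move laterally. The script below is a defensive audit of that same material: it parses a ~/.ssh/known_hosts file (reporting hashed entries separately, since those do not reveal hostnames to an attacker without brute force), extracts the DB_* constants from a wp-config.php, and checks whether a private key is passphrase-protected. The known_hosts content, wp-config.php content and key files are constructed samples; the function names are the editor's own.

```python
"""Audit the lateral-movement material a Sysrv-style infection can harvest.

Constructed sample inputs below stand in for files found on a compromised
web server; run the script on real files to estimate blast radius.
"""
import base64
import re
import struct
from dataclasses import dataclass

# --- constructed samples (not real data) ------------------------------------
KNOWN_HOSTS = """\
web02.internal,10.0.1.22 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxkeyexampleexample
[db01.internal]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexampleexample
|1|aGFzaGVkc2FsdA==|aGFzaGVkaG9zdG5hbWU= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHashed
"""

WP_CONFIG = """\
<?php
define( 'DB_NAME', 'wordpress' );
define('DB_USER', 'wp_admin');
define( "DB_PASSWORD", 'S3cret!pass' );
define( 'DB_HOST', 'db01.internal:3306' );
$table_prefix = 'wp_';
"""

# Legacy PEM key with a passphrase (body truncated; only headers matter here).
ENCRYPTED_PEM_KEY = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

c2FtcGxlIGJvZHk=
-----END RSA PRIVATE KEY-----
"""

# OpenSSH-format key with no passphrase: the blob starts with the magic
# "openssh-key-v1\0" followed by a length-prefixed cipher name, "none" here.
_OPENSSH_BLOB = b"openssh-key-v1\x00" + struct.pack(">I", 4) + b"none" + b"\x00" * 8
PLAIN_OPENSSH_KEY = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    + base64.b64encode(_OPENSSH_BLOB).decode()
    + "\n-----END OPENSSH PRIVATE KEY-----\n"
)

# --- parsers -----------------------------------------------------------------
_DEFINE_RE = re.compile(r"""define\s*\(\s*(['"])(DB_\w+)\1\s*,\s*(['"])(.*?)\3\s*\)""")


def parse_known_hosts(text):
    """Return (plain hostnames/IPs, number of hashed entries).

    Handles comma-separated names, [host]:port syntax, @marker lines and
    hashed entries (|1|salt|hash), which an attacker cannot read directly.
    """
    hosts, hashed = [], 0
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # e.g. @cert-authority, @revoked
            fields = fields[1:]
        if len(fields) < 2:
            continue
        if fields[0].startswith("|1|"):
            hashed += 1
            continue
        for name in fields[0].split(","):
            m = re.fullmatch(r"\[(.+)\]:(\d+)", name)
            hosts.append(f"{m.group(1)}:{m.group(2)}" if m else name)
    return hosts, hashed


def parse_wp_config(text):
    """Extract DB_* constants from a wp-config.php (single or double quotes)."""
    return {m.group(2): m.group(4) for m in _DEFINE_RE.finditer(text)}


def key_is_encrypted(key_text):
    """True if a private key is passphrase-protected (legacy PEM or OpenSSH)."""
    lines = [l.strip() for l in key_text.strip().splitlines()]
    if "BEGIN OPENSSH PRIVATE KEY" in lines[0]:
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        (n,) = struct.unpack(">I", blob[len(magic):len(magic) + 4])
        return blob[len(magic) + 4:len(magic) + 4 + n] != b"none"
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)


@dataclass
class Reach:
    hosts: list        # hosts an attacker could pivot to from this machine
    hashed_entries: int  # known_hosts entries not readable without brute force
    db_creds: dict     # DB_* values recovered from wp-config.php


def assess_reach(known_hosts_text, wp_config_text):
    """Combine known_hosts targets with the database host from wp-config.php."""
    hosts, hashed = parse_known_hosts(known_hosts_text)
    creds = parse_wp_config(wp_config_text)
    targets = set(hosts)
    db_host = creds.get("DB_HOST", "")
    if db_host and db_host.split(":")[0] not in ("localhost", "127.0.0.1"):
        targets.add(db_host)
    return Reach(sorted(targets), hashed, creds)


if __name__ == "__main__":
    reach = assess_reach(KNOWN_HOSTS, WP_CONFIG)
    print("pivot targets:", reach.hosts)
    print("hashed known_hosts entries:", reach.hashed_entries)
    print("db user:", reach.db_creds.get("DB_USER"))
    print("PEM key encrypted:", key_is_encrypted(ENCRYPTED_PEM_KEY))
    print("OpenSSH key encrypted:", key_is_encrypted(PLAIN_OPENSSH_KEY))
```

On a real host, feed it the contents of every ~/.ssh/known_hosts, the web root's wp-config.php and each ~/.ssh/id_* file; hosts listed in the output plus any unencrypted key are exactly what a Sysrv-style operator would use next, so they are the first credentials to rotate and the first hosts to check after an infection. Enabling HashKnownHosts in ssh_config shrinks the readable host list, and a passphrase on every key removes the free pivot.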
