Microsoft has warned that a new variant of the Sysrv botnet targets a critical flaw in the Spring Framework to install cryptocurrency mining malware on Linux and Windows systems.
Microsoft researchers have spotted a new variant of Sysrv, which they call Sysrv-K, scanning the internet for WordPress plugins with older vulnerabilities as well as a recently disclosed remote code execution (RCE) flaw in Spring Cloud Gateway software tracked as CVE-2022-22947.
The flaw affected VMware’s Spring Cloud Gateway and Oracle Communications Cloud Native Core Network Exposure Function and was given a critical rating by both companies.
Sysrv-K can take control of web servers, Microsoft Security Intelligence said. The botnet scans the internet to locate web servers and then uses various vulnerabilities such as path traversal, remote file disclosure, arbitrary file downloads, and remote code execution. Once the malware runs on a Windows or Linux device, Sysrv-K deploys a cryptocurrency miner.
Sysrv-K adds new features to those of older variants. Juniper in April 2021 reported that Sysrv was associated with exploits for six RCE vulnerabilities affecting installations of MongoDB's Mongo Express admin interface, the ThinkPHP PHP framework, the Drupal CMS, VMware-owned SaltStack, XXL-JOB, and XML-RPC. It also had exploits for the PHP framework Laravel, Oracle WebLogic, Atlassian Confluence Server, Apache Solr, PHPUnit, JBoss Application Server, Apache Hadoop, Jenkins, Jupyter Notebook Server, Sonatype Nexus Repository Manager, Tomcat Manager, and WordPress.
The malware's two functions were to spread across networks by scanning the internet for vulnerable systems and to install the XMRig cryptocurrency miner to mine Monero. But Microsoft warns that it can now also capture database credentials in order to control an infected web server.
“A new behavior observed in Sysrv-K is that it searches WordPress configuration files and their backups to retrieve database credentials, which it uses to take control of the web server. Sysrv-K has updated communication capabilities, including the ability to use a Telegram Bot,” Microsoft Security Intelligence said.
“Like older variants, Sysrv-K searches for SSH keys, IP addresses, and hostnames, then attempts to connect to other systems on the network via SSH to deploy copies of itself. This could put the rest of the network at risk of becoming part of the Sysrv-K botnet,” the team added.
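As an added defensive example (not code from Microsoft's report or from this article), the following Python flags the WordPress-configuration harvesting and path-traversal behaviour described above in web-server access logs; the combined-log format, the backup-file suffixes checked, and the sample log lines and IP addresses are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample access-log lines (combined-log style); not taken from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [15/May/2022:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [15/May/2022:10:01:05 +0000] "GET /wp-config.php.bak HTTP/1.1" 200 2901 "-" "python-requests/2.27"
203.0.113.9 - - [15/May/2022:10:01:06 +0000] "GET /wp-config.php~ HTTP/1.1" 404 210 "-" "python-requests/2.27"
198.51.100.4 - - [15/May/2022:10:02:11 +0000] "GET /download?file=../../wp-config.php HTTP/1.1" 200 2880 "-" "curl/7.68"
203.0.113.7 - - [15/May/2022:10:03:00 +0000] "GET /wp-content/plugins/foo/style.css HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request path, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Requests for wp-config.php or common editor/backup copies of it (suffix list is an assumption).
WP_CONFIG_RE = re.compile(r'wp-config\.php(\.bak|\.old|\.save|\.orig|\.swp|~|\.txt)?(\?|$)', re.IGNORECASE)
# Literal or URL-encoded parent-directory traversal sequences in the request path.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.\.%2f)', re.IGNORECASE)


@dataclass
class Finding:
    ip: str
    path: str
    status: int
    reason: str


def scan_log(text: str) -> list[Finding]:
    """Return one Finding per request that touches wp-config files or uses path traversal."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        path = m.group("path")
        reasons = []
        if WP_CONFIG_RE.search(path):
            reasons.append("wp-config access")
        if TRAVERSAL_RE.search(path):
            reasons.append("path traversal")
        if reasons:
            findings.append(Finding(m.group("ip"), path, int(m.group("status")), ", ".join(reasons)))
    return findings


def served_config_files(findings: list[Finding]) -> list[Finding]:
    """Findings the server answered with 200: the config or its backup was actually disclosed."""
    return [f for f in findings if f.status == 200 and "wp-config access" in f.reason]
```

A 404 on a backup name is still worth alerting on as reconnaissance, but a 200 means the file was served and the database credentials in it should be treated as compromised.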
Microsoft has warned organizations to secure Internet-connected systems, apply security updates, and protect credentials.