Sysrv-K Botnet Installs Cryptocurrency Miners on Windows and Linux Systems

On May 13, 2022, Microsoft revealed details about the Sysrv-K Botnet, known for installing cryptocurrency mining malware on exploitable systems. The botnet targets Windows and Linux systems through security flaws in WordPress plugins and the CVE-2022-22947 code injection vulnerability in the Spring Cloud Gateway.

The security vulnerabilities have been addressed, but the attackers can still use the bot army against unpatched systems.

What Is Sysrv-K?

Sysrv is a botnet. A botnet is a network of systems infected with malware and it’s programmed to distribute viruses, steal data, and even take control of web servers.

The Sysrv botnet has been known since 2020, when it came into the spotlight due to its multi-platform capabilities. It was programmed using the Golang language so it can attack both Windows and Linux systems.

The days of Linux being a malware-proof operating system are long gone partially because of multi-platform capable programming languages like Go. Also, most web servers run on Linux by default, so hackers have even more incentive to develop tools like Sysrv.

Since it was discovered in 2020, the cybercriminals behind the botnet added new features and capabilities to create the current, Sysrv-K variant. Sysrv-K searches for vulnerable servers to install itself and sets up an XMRig cryptocurrency mining program that covertly mines Monero for the group.

The malware scans WordPress configuration files to extract user credentials that give it access to manipulate the web server. Once it penetrates a system, Sysrv-K looks for IP addresses, SSH keys, and hostnames to seek out other systems connected to the network and infiltrate them. It will install copies of itself and add the compromised systems to the attacker’s botnet.

A single vulnerable system can jeopardize the entire network.

Protect Your System from Sysrv-K and Malware

The vulnerabilities that allow Sysrv-K to spread have been addressed, but your system may still be vulnerable. Below you’ll find the best safety precautions to prevent a botnet from taking over or installing malware on your device or network.

Regular Updates

Keep your system and apps up to date. Companies release security patches on a regular basis to prevent exploits. In the case of Sysrv-K, the WordPress and Spring Cloud Gateway vulnerabilities have been addressed, but you still have to perform the update to plug those security holes.

Use a password manager

Sysrv and other types of malware scan for credentials to gain access to a system or a web server. Sharing those credentials or storing them in an unencrypted file will leave you vulnerable to attack.

Use a password management tool to store your credentials in an encrypted, digital vault.

Enable 2FA

Two-factor authentication, or 2FA, will reduce the risk of being compromised. Add an additional layer of protection to your credentials to make your password useless to a hacker.

Even if someone gets your credentials, they can’t do much with them when 2FA is enabled, as they will also need access to your mobile device.

Install a VPN

VPNs hide your IP address, prevent websites from tracking you, and encrypt your traffic. Without your IP and other credentials, botnets like Sysrv-K will have significantly lower chances of compromising your system.

Protect your online identity with CyberGhost VPN to prevent cybercriminals from getting your data.

Remember that hackers and trackers target vulnerable systems. Don’t make it easier for them. Use common sense, keep up with the security updates, and use security tools like VPNs to stay safe from cybercriminals.

Leave a comment

Write a comment

Your email address will not be published. Required fields are marked*