Cryptomining Bot
Reading Time: 2 minutes

New cryptomining bot spotted, they build an army of bots. While attacks are carried out using Windows and Linux bots. These bots have been active since December last year known as Sysrv-hello.

It is a multi-architecture crypto-jacking botnet (T1496) that actively scans for vulnerable Windows and Linux enterprise servers and infects them with Monero miner and self-propagating malware payloads.

Bad actors have also been using Lacework to target RCE flaws in Apache Solar, Apache Struts, PHPUnit, Confluence, Jira Sonatype, JBoss, Laravel, and Oracle WebLogic for initial access.

How does Cryptomining Bot work?

The botnets are able to store illegally earned cryptocurrencies using multiple wallets linked to multiple mining pools. Just goes to prove a miner has the capacity to be quite profitable.
The malware is not only able to hack into the server and kill rival crypto miners but also is able to propagate across the network in brute force attacks. These attacks are carried out via SSH private keys accumulated from infected servers.

Other malware used to steal cryptocurrency

  1. The bad actors are not only using Sysrv-hello to steal cryptocurrency but, also create a fake Microsoft DirectX 12 download page to distribute malware to steal cryptocurrency wallets and passwords.
  2. Another multi-stage crypto mining bot is Prometei, it is used to exploit the ProxyLogon vulnerabilities.
  3. Nagios XI software is also being used by attackers to abuse a remote command injection flaw (CVE-2021-25296) to carry out a crypto-jacking attack and deploy XMRig coin miner on victim devices.

How to stay safe from Sysrv-hello?

Since Sysrv-hello exploits known vulnerabilities to spread crypto-jacking malware, the best way to secure it would be to keep your systems and devices updated. Another important thing to take care of would be to avoid human tendencies while handling unknown emails etc as it may put your systems at risk from hackers.