Alibaba Cloud cybersecurity experts: the Sysrv-hello botnet scans Windows and Linux hosts for vulnerabilities in order to mine cryptocurrency. It now uses a single binary that can unpack itself and automatically spread the malware to other devices.
Sysrv-hello is a new botnet, discovered by Alibaba Cloud cybersecurity experts, that scans Windows and Linux hosts for vulnerabilities in order to mine cryptocurrency. The malware was first identified in February, but it has been active since December 2020, and in March its activity increased significantly. It has since been updated to use a single binary capable of unpacking itself and automatically spreading the malware to other devices. It scans the Internet for vulnerable servers, in particular ones exposed through RCE flaws in PHPUnit, Apache Solr, Confluence, Laravel, JBoss, Jira, Sonatype Nexus, Oracle WebLogic and Apache Struts. Once a server has been compromised, Sysrv-hello spreads across the network by brute-forcing SSH logins with the private keys it collects from infected servers.
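The SSH spread described above leaves a recognisable trace: one private key, used from one source address, is accepted on many hosts within minutes. The following hunting script is an added example and is not code from the Alibaba Cloud report. It assumes sshd logs in the default syslog format, aggregated from several hosts so that the hostname field identifies the destination; the log lines are constructed for illustration, and the thresholds (3 hosts in 10 minutes) are assumed starting points to tune to your environment.

```python
"""Hunt for the SSH key fan-out that Sysrv-hello style lateral movement produces."""
import re
from collections import defaultdict
from datetime import datetime

# Default sshd "Accepted publickey" line; the SHA256 fingerprint identifies the key.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2: "
    r"(?P<keytype>\S+) (?P<fp>SHA256:\S+)"
)

# Constructed sample: one key reused from 10.0.2.15 against four hosts in eight
# seconds (suspicious), a deploy key on two hosts (normal), and a password login.
SAMPLE_LOGS = """\
Mar 12 03:14:01 web-01 sshd[1201]: Accepted publickey for root from 10.0.2.15 port 40112 ssh2: RSA SHA256:Q1x9oBk0zRzE2aVbYEjL2o6T7s4UfW3mJ8hFz7v2Yx0
Mar 12 03:14:03 web-02 sshd[884]: Accepted publickey for root from 10.0.2.15 port 40118 ssh2: RSA SHA256:Q1x9oBk0zRzE2aVbYEjL2o6T7s4UfW3mJ8hFz7v2Yx0
Mar 12 03:14:04 db-01 sshd[2310]: Accepted publickey for root from 10.0.2.15 port 40121 ssh2: RSA SHA256:Q1x9oBk0zRzE2aVbYEjL2o6T7s4UfW3mJ8hFz7v2Yx0
Mar 12 03:14:09 build-01 sshd[771]: Accepted publickey for root from 10.0.2.15 port 40130 ssh2: RSA SHA256:Q1x9oBk0zRzE2aVbYEjL2o6T7s4UfW3mJ8hFz7v2Yx0
Mar 12 09:30:00 web-01 sshd[1455]: Accepted publickey for deploy from 192.168.1.20 port 51000 ssh2: ED25519 SHA256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Mar 12 09:30:01 web-02 sshd[902]: Accepted publickey for deploy from 192.168.1.20 port 51002 ssh2: ED25519 SHA256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Mar 12 11:02:17 db-01 sshd[2390]: Accepted password for admin from 10.0.2.15 port 40200 ssh2
"""


def parse_logins(log_text):
    """Return (timestamp, source IP, key fingerprint, destination host, user) tuples."""
    logins = []
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue  # password logins and other events are out of scope here
        # syslog timestamps carry no year; relative ordering is all we need
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        logins.append((ts, m["src"], m["fp"], m["host"], m["user"]))
    return logins


def find_fanout(log_text, min_hosts=3, window_seconds=600):
    """Return (source IP, fingerprint, hosts) for every key accepted on at least
    min_hosts distinct hosts from a single source within window_seconds."""
    by_key = defaultdict(list)
    for ts, src, fp, host, _user in parse_logins(log_text):
        by_key[(src, fp)].append((ts, host))

    hits = []
    for (src, fp), events in by_key.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(hosts) >= min_hosts:
                hits.append((src, fp, sorted(hosts)))
                break  # one alert per (source, key) pair is enough
    return hits


if __name__ == "__main__":
    for src, fp, hosts in find_fanout(SAMPLE_LOGS):
        print(f"key {fp} from {src} accepted on {len(hosts)} hosts: {', '.join(hosts)}")
```

The grouping key is the (source address, fingerprint) pair rather than the user name, because the worm logs in as whatever account the stolen key belongs to; a legitimate deployment key used from a CI runner will also fan out, so allow-list known automation sources before alerting.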
The vulnerabilities most exploited by the malware
According to the cybersecurity experts, the malware has so far exploited mainly six vulnerabilities:
- Mongo Express RCE (CVE-2019-10758)
- Supervisor XML-RPC RCE (CVE-2017-11610)
- SaltStack RCE (CVE-2020-16846)
- Drupal Form API (Ajax) RCE, "Drupalgeddon2" (CVE-2018-7600)
- ThinkPHP RCE (no CVE assigned)
- XXL-JOB unauthenticated RCE (no CVE assigned)
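Because these six flaws are exploited with a handful of well-known HTTP requests, the cheapest detection is a signature pass over web traffic that still has the request body (a WAF, reverse proxy or full-packet capture; plain access logs lack the body and cannot tell two of the cases apart). The script below is an added example, not code from the Alibaba Cloud report; the patterns are built from the publicly documented exploit endpoints, and the `Request` type and the sample requests are constructed for illustration.

```python
"""Flag HTTP requests that match the six exploits in Sysrv-hello's toolkit."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    method: str
    url: str        # path plus query string, exactly as the server saw it
    body: str = ""  # empty for GET


# (name, CVE or None, required method or None, regex over the URL, regex over the body or None).
# Illustrative patterns derived from the public exploit endpoints; tune to your own traffic.
SIGNATURES = [
    ("Mongo Express RCE", "CVE-2019-10758", "POST", r"^/checkValid", r"document="),
    ("Supervisor XML-RPC RCE", "CVE-2017-11610", "POST", r"^/RPC2",
     r"supervisor\.supervisord\.options\.warnings\.linecache\.os\.system"),
    ("SaltStack API RCE", "CVE-2020-16846", "POST", r"^/run", r"ssh_priv"),
    ("Drupal Form API RCE", "CVE-2018-7600", "POST",
     r"^/user/register\?.*element_parents=account/mail/(#|%23)value", r"#post_render"),
    ("ThinkPHP 5 RCE", None, None, r"invokefunction.*call_user_func_array", None),
    ("XXL-JOB unauth RCE", None, "POST", r"^/run", r"GLUE_SHELL"),
]


def classify(req):
    """Return the (name, cve) pairs whose method, URL and body patterns all match."""
    hits = []
    for name, cve, method, url_re, body_re in SIGNATURES:
        if method and req.method != method:
            continue
        if not re.search(url_re, req.url, re.I):
            continue
        # Salt and XXL-JOB both POST to /run: only the body separates them (and from benign calls)
        if body_re and not re.search(body_re, req.body, re.I):
            continue
        hits.append((name, cve))
    return hits


def scan(requests):
    """Return (index, name, cve) for every request that matched a signature."""
    return [(i, name, cve) for i, req in enumerate(requests) for name, cve in classify(req)]


# Constructed samples: one request per exploit, then two benign look-alikes.
SAMPLE_REQUESTS = [
    Request("POST", "/checkValid",
            "document=this.constructor.constructor('return process')().mainModule"
            ".require('child_process').execSync('id')"),
    Request("POST", "/RPC2",
            "<methodCall><methodName>supervisor.supervisord.options.warnings.linecache.os.system"
            "</methodName><params><param><string>id</string></param></params></methodCall>"),
    Request("POST", "/run", '{"client":"ssh","tgt":"*","fun":"a","roster":"a","ssh_priv":"a|id>/tmp/o;"}'),
    Request("POST", "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax",
            "form_id=user_register_form&mail[#post_render][]=exec&mail[#type]=markup&mail[#markup]=id"),
    Request("GET", r"/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array"
                   r"&vars[0]=system&vars[1][]=id"),
    Request("POST", "/run", '{"jobId":1,"executorHandler":"demoJobHandler","glueType":"GLUE_SHELL","glueSource":"id"}'),
    Request("GET", "/index.php?s=/index/user/login"),                       # benign ThinkPHP route
    Request("POST", "/run", '{"client":"local","tgt":"*","fun":"test.ping"}'),  # benign Salt API call
]


if __name__ == "__main__":
    for i, name, cve in scan(SAMPLE_REQUESTS):
        print(f"request {i}: {name} ({cve or 'no CVE'})")
```

The ThinkPHP signature deliberately ignores the method and path, since the `s=` routing parameter can travel in either the query string or the body; conversely, the `/run` signatures insist on a body match because the path alone is shared by SaltStack, XXL-JOB and ordinary API use.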
In the near future, however, the botnet could look for and exploit new flaws to expand its network and, above all, its Monero mining activity, helped by its multi-architecture design and the language it is written in, Golang.