Microsoft Identifies Botnet Variant Targeting Windows and Linux Systems

Microsoft has warned it has discovered a new variant of the Sysrv botnet, which deploys coin miners on both Windows and Linux systems.

In a thread posted on the Microsoft Security Intelligence (@MsftSecIntel) Twitter account, the tech giant revealed the new variant, which it has named Sysrv-K, is exploiting vulnerabilities in the Spring Framework and WordPress to deploy cryptocurrency miners on these systems.

Microsoft explained that the botnet “scans the internet to find web servers with various vulnerabilities to install itself.” These vulnerabilities range from path traversal and remote file disclosure to arbitrary file download and remote code execution.

Sysrv-K targets a mixture of old vulnerabilities, such as those found in WordPress plugins, and newer ones like CVE-2022-22947. All of these have patches, according to Microsoft.

Worryingly, this new version appears to have several new features. These include scanning for WordPress configuration files and their backups to retrieve database credentials, which it uses to gain control of the webserver. In addition, “Sysvr-K has updated communication capabilities, including the ability to use a Telegram bot.”

As with previous versions, Sysrv-K scans for SSH keys, IP addresses, and hostnames before trying to spread copies of itself throughout the network. This “could put the rest of the network at risk of becoming part of the Sysrv-K botnet.”

Microsoft advised organizations running either Windows or Linux on internet-facing systems to take action to protect themselves from the new botnet, such as installing all available security updates. “We highly recommend organizations to secure internet-facing systems, including the timely application of security updates and building credential hygiene,” it tweeted.

Last week, Microsoft announced it had issued fixes for three zero-day vulnerabilities in its monthly patch Tuesday roundup. The tech giant also recently published a post outlining how the current ransomware-as-a-service (RaaS) pandemic is being fuelled by the tools and services offered by ‘gig’ workers.

Read more:

You can also read this: This New Fileless Malware Hides Shellcode in Windows Event Logs

Leave a Reply

Your email address will not be published. Required fields are marked *