A recently discovered cryptomining worm is infecting a growing number of Windows and Linux devices, according to a security researcher.
Researchers at Juniper have been monitoring what they call the Sysrv botnet since December. One component of the botnet malware was a worm that spreads from one vulnerable device to the next without any action from users. It does this by scanning the Internet for vulnerable devices and, when it finds one, infecting it using a list of exploits that has grown over time.
The malware also included a cryptominer that uses infected Windows and Linux devices to mine the Monero digital currency. Each component shipped as a separate binary.
By March, the Sysrv developers had redesigned the malware to combine the worm and the cryptominer in a single binary. They also gave the loader script that the malware runs the ability to add SSH keys, most likely so the infection survives reboots and gives the attackers more capabilities. The worm exploited six vulnerabilities in software used by businesses, including Mongo Express, XXL-Job, XML-RPC, SaltStack, ThinkPHP and Drupal Ajax.
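Adding a key to a user's authorized_keys file is a cheap way for a loader to keep access across reboots, and it is also easy to audit. The script below is an added example, not code from the article or from Juniper: it parses authorized_keys files the way OpenSSH reads them (optional options field, key type, base64 blob, optional comment), prints each key's SHA256 fingerprint in the same form `ssh-keygen -lf` shows, and flags any entry whose fingerprint is not on an allowlist you maintain, or whose declared key type does not match the key blob. The sample file, its three keys and the allowlist are constructed for the demonstration; the default paths under /root and /home are an assumption about where the files live on a typical Linux host.

```python
"""Audit OpenSSH authorized_keys files for entries you did not put there.

Added example (not code from the article or from Juniper). Sample keys,
sample file and allowlist below are constructed, not real keys.
"""
import base64
import binascii
import glob
import hashlib
import re
from typing import Dict, Iterable, List

KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
)
# Matches: <type> <base64 blob> [comment]; anything before <type> is the
# options field (e.g. command="...",no-pty), which may contain quoted spaces.
KEY_RE = re.compile(
    r"(?:^|\s)(" + "|".join(re.escape(t) for t in KEY_TYPES) +
    r")\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)
# Assumed locations on a typical Linux host.
DEFAULT_PATHS = ("/root/.ssh/authorized_keys", "/home/*/.ssh/authorized_keys")


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: base64(SHA256(blob)) without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def blob_key_type(blob: bytes) -> str:
    """Key type string embedded in the wire-format blob (uint32 length + bytes)."""
    if len(blob) < 4:
        return ""
    n = int.from_bytes(blob[:4], "big")
    return blob[4:4 + n].decode("ascii", "replace")


def parse_authorized_keys(text: str, source: str = "<memory>") -> List[Dict]:
    """One dict per key line; blank lines and '#' comments are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = {"source": source, "line": lineno, "options": "", "type": "",
                 "fingerprint": "", "comment": "", "problems": []}
        m = KEY_RE.search(line)
        if not m:
            entry["problems"].append("unparseable line")
            entries.append(entry)
            continue
        entry["options"] = line[:m.start(1)].strip()
        entry["type"] = m.group(1)
        entry["comment"] = (m.group(3) or "").strip()
        try:
            blob = base64.b64decode(m.group(2), validate=True)
        except (binascii.Error, ValueError):
            entry["problems"].append("invalid base64 key blob")
            entries.append(entry)
            continue
        entry["fingerprint"] = fingerprint(blob)
        if blob_key_type(blob) != entry["type"]:
            entry["problems"].append("declared type does not match key blob")
        entries.append(entry)
    return entries


def audit(entries: Iterable[Dict], allowlist: Iterable[str]) -> List[Dict]:
    """Return entries that need a look: parsing problems or not on the allowlist."""
    allowed = set(allowlist)
    flagged = []
    for e in entries:
        problems = list(e["problems"])
        if e["fingerprint"] and e["fingerprint"] not in allowed:
            problems.append("fingerprint not on allowlist")
        if problems:
            flagged.append({**e, "problems": problems})
    return flagged


def audit_paths(patterns: Iterable[str], allowlist: Iterable[str]) -> List[Dict]:
    """Expand globs such as /home/*/.ssh/authorized_keys and audit each file."""
    flagged = []
    for pattern in patterns:
        for path in sorted(glob.glob(pattern)):
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            flagged.extend(audit(parse_authorized_keys(text, path), allowlist))
    return flagged


def make_ed25519_line(pub32: bytes, comment: str = "", options: str = "") -> str:
    """Build a syntactically valid (constructed, not real) ed25519 key line."""
    ktype = b"ssh-ed25519"
    blob = (len(ktype).to_bytes(4, "big") + ktype +
            len(pub32).to_bytes(4, "big") + pub32)
    parts = [options, "ssh-ed25519", base64.b64encode(blob).decode(), comment]
    return " ".join(p for p in parts if p)


# Constructed sample: two keys you know about and one appended by a loader.
ADMIN_LINE = make_ed25519_line(b"\x11" * 32, "admin@workstation")
BACKUP_LINE = make_ed25519_line(b"\x22" * 32, "backup",
                                options='command="/usr/bin/backup",no-pty')
ROGUE_LINE = make_ed25519_line(b"\x33" * 32)
SAMPLE_FILE = "# managed by config management\n" + "\n".join(
    [ADMIN_LINE, BACKUP_LINE, ROGUE_LINE]) + "\n"
SAMPLE_ALLOWLIST = [e["fingerprint"] for e in
                    parse_authorized_keys(ADMIN_LINE + "\n" + BACKUP_LINE)]

if __name__ == "__main__":
    for e in audit_paths(DEFAULT_PATHS, SAMPLE_ALLOWLIST):
        print(f"{e['source']}:{e['line']} {e['type']} {e['fingerprint']} "
              f"{e['comment']!r}: {', '.join(e['problems'])}")
```

Run it as root so every user's file is readable, and feed it the fingerprints of the keys your configuration management actually deploys in place of SAMPLE_ALLOWLIST. A key with no comment and no options appearing at the end of the file is the shape a loader script most often leaves behind, but the allowlist comparison catches appended keys regardless of what comment they carry.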
"Based on the binaries we have seen and the time we have seen them, we have found that threat actors are constantly updating their exploit arsenal," Juniper researcher Paul Kimayong said on Thursday.
The Juniper research team found that the malware exploits the following vulnerabilities:
- Mongo Express RCE (CVE-2019-10758)
- XXL-JOB unauthenticated RCE
- Supervisor XML-RPC RCE (CVE-2017-11610)
- SaltStack RCE (CVE-2020-16846)
- ThinkPHP RCE
- Drupal Ajax RCE (CVE-2018-7600)
The threat from this botnet goes beyond the drain on computing resources and electricity. Malware that can run a cryptominer can almost certainly also install ransomware and other malware on the same Windows and Linux devices. The post the security company published on Thursday includes dozens of indicators of compromise that administrators can use to check whether their devices are infected.