Researchers at Juniper Threat Labs have been following the activity and sampled several iterations of the Sysrv since the start of the year and noticed several changes along the way. During the surge of the attacks, the exploits that were modified into Sysrv concerned the following six vulnerabilities:
• Mongo Express RCE (CVE-2019-10758)
• XXL-JOB Unauth RCE
• XML-RPC (CVE-2017-11610)
• CVE-2020-16846 (Saltstack RCE)
• ThinkPHP RCE
• CVE-2018-7600 (Drupal Ajax RCE)
The actors infect a vulnerable system and use it as a Monero miner as well as a point to help the menace spread further using the above Exploit. The worming function relies on random public IP scans using the same list of exploits while the payload is fetched from a hardcoded IP or domain via wget, curl, or PowerShell. The researchers noticed the use of two loader scripts, namely ldr.sh or ldr.sp1.
Sysrv has two binary payloads, one for Linux and one for Windows systems. The miner component is merged with the worm into a single binary in the most recent versions of the malware, whereas previously, it was in the form of a separate binary. The campaign’s effectiveness seems to be moderate, as the researchers were able to confirm that the actors have made at least a couple of thousand USD on each mining pool .
Sysrv is being actively developed, and its authors are adding more exploits that target recent flaws. The newer versions of the malware include CVE-2021-3129 (Laravel), CVE-2020-14882 (Oracle Weblogic), and CVE-2019-3396 (Widget Connector macro in Atlassian Confluence Server). This alone tells us that Sysrv is here to stay, and it’s going to get nastier with time.