Sysrv is a serious threat

There's a new crypto-mining worm threat to be aware of, and it's making the lives of IT Administrators who manage Windows and Linux environments nightmarish.

This news comes from a recently published report offered by a research firm called Juniper, which began monitoring the activities of the new Sysrv Botnet back in December of 2020.

One of the things that makes Sysrv a serious threat is the fact that it has worm-like abilities and can spread from one vulnerable device to another connected vulnerable device with ease. It can do that in record time, so what starts off as a small, manageable problem can quickly spiral out of control.

Worse, the hacker or group behind the new botnet has been busily updating their malicious minions, giving the botnet an arsenal of exploits that has grown in size almost continually since the company first started tracking its activities.


It adds SSH keys and can use any of the following exploits

Researchers at Juniper Threat Labs have been following the malware and sampled several versions of the Sysrv and noticed several changes along the way. During the surge of the crypto attacks, the exploits that were modified into Sysrv are the following six vulnerabilities:

  • Drupal Ajax
  • XXL-Job
  • Mongo Express
  • Saltstack
  • ThinkPHP

The main goal of the person or persons behind this new threat seems to be to maximize cryptocurrency mining rewards. Using these flaws, the hackers infect a system and use it as a crypto miner. They also use the now infected system a point to help the menace spread further. It then makes use of random public IP scans of the same list of exploits. While the payload is fetched from a hacker IP or domain via wget, curl, or PowerShell. The researchers also noticed the use of one of two loader scripts called and ldr.sp1.


The malware is set up to mine for the following mining pools


The malware is currently designed to mine XMR, and they've infected such a sufficient number of machines that they're averaging about 1 XMR every two days. Between March 1st and March 28th of 2021 the wallet associated with the malware saw an increase of 8 XMR, worth about $1700.

As Sysrv is being actively modified its developers are adding more exploits that go after recent flaws. The newer versions of the malware include CVE-2021-3129 (Laravel), CVE-2020-14882 (Oracle Weblogic), and CVE-2019-3396 (Widget Connector macro in Atlassian Confluence Server). This alone tells us that Sysrv is not going to simply go away, and it is definitely going to get nastier.


My perspective

Unfortunately, while the drain on computing power is bad enough on its own, that's not the worst of it. Once a machine is infected, it is entirely possible that Sysrv's controllers could upload additional malware that could be genuinely destructive. All that to say, be on the alert for this one, it's bad news and a growing threat.


~ And a Rowdy Youth might yell - "Hey Malkovitch, think fast" ~ 


By Denis Wilson

Cybersecurity Expert, Small Business Technology Consultant, Managed Services Provider, Managed IT Support

Thanks for reading this short post. For more tips on thriving with small business technology, check out the other blog posts at DWPIA Blogs. You can also find me on LinkedIn, Facebook, and Twitter

I am also a published author and speaker on cloud computing, work@home, and cybersecurity. I work extensively with business and professional associations to provide small business technology education programs.


Contact me if you would like me to speak to your association