Improving the security of open source repositories while keeping malicious components out requires a combination of technology and people.
Related Posts
Dallas says Royal ransomware breached its network using stolen account
The City of Dallas, Texas, said this week that the Royal ransomware attack that forced it to shut down all IT systems in May started with a stolen account. […]
BleepingComputer
New Sysrv Botnet Abuses Google Subdomain To Spread XMRig Miner
First identified in 2020, Sysrv is a botnet that uses a Golang worm to infect devices and deploy cryptominers, propagates by exploiting network vulnerabilities, and has been continuously updated with new techniques by its operators.
Researchers have documented these advancements and explored the latest variant, including its infection chain, new methods, and Indicators of Compromise (IoCs).
Imperva Threat Research identified the botnet in early March from blocked HTTP requests hitting its proxies; the requests exhibited the characteristics of bot traffic and targeted a large number of websites across multiple countries.
The requests shared similar identifiers and aimed to leverage known security vulnerabilities in Apache Struts (CVE-2017-9805) and Atlassian Confluence (CVE-2023-22527 and CVE-2021-26084).
The analyzed dropper script, “ldr.sh,” resembles past Sysrv botnet iterations by defining variables for the compromised site URL (“cc”) and a random string (“sys”) based on the date’s MD5 hash.
A “get” function downloads files from provided URLs and is later used to download and run the second-stage malware from the compromised site.
Before downloading, the script aggressively disrupts endpoint security by terminating processes and uninstalling programs linked to both past cryptominer infections and existing anti-malware solutions, then hunts for SSH hosts and keys, attempting to spread the script laterally via SSH.
A key distinction from previous versions is the presence of additional functions specifically designed to prepare various CPU architectures for the upcoming cryptomining activity.
The latest variant of the Sysrv botnet dropper binary shows significant improvements and remains a statically linked, stripped Golang binary packed with UPX, similar to previous versions.
The new binary, however, drops multiple copies of an ELF file throughout the system and starts a listener on the infected host, likely for persistence; these behaviors suggest improvements in the botnet’s persistence mechanisms compared to earlier campaigns.
Imperva malware researchers observed obfuscation in a Golang binary, which prevented using GoReSym or Redress for analysis.
Dynamic analysis revealed the malware downloaded a second-stage binary from a Google subdomain (sites.google.com) disguised as a legitimate error page.
The decoded and unpacked binary is an XMRig miner connecting to the MoneroOcean mining pool (gulf.moneroocean.stream:10128, 109.123.233.251:443) for the wallet 483F2xjkCUegxPM7wAexam1Be67EqDRZpS7azk8hcGETSustmuxd1Agffa3XSHFyzeFprLyHKm37bTPShFUTKgctMSBVuuK. The wallet has 6 workers and generates around 57 XMR (roughly 6800 USD) per year.
Sysrv botnet actors are using compromised legitimate domains to host malicious scripts (ldr.sh, cron) that download and run XMRig cryptominer on infected devices.
The scripts connect to mining pools (gulf.moneroocean.stream, 109.123.233.251) to mine XMR cryptocurrency for the attackers.
Many indicators of compromise (IoCs) were found, such as URLs, file hashes (like ldr.sh: 6fb9b4dced1cf53a), and a wallet address (483F2xjkCUegxPM7wAexam1Be67EqDRZpS7azk8hcGETSustmuxd1Agffa3XSHFyzeFprLyHKm37bTPShFUTKgctMSBVuuK) that can help defenders find and stop this malicious campaign.
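To show how the indicators quoted above can be put to use, here is an added example (not code from the article or from Imperva) that matches constructed egress-log lines against the mining-pool host, the pool IP and the wallet string; the log line format is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators quoted in the article: pool host, pool IP, Monero wallet.
POOL_HOSTS = {"gulf.moneroocean.stream"}
POOL_IPS = {"109.123.233.251"}
POOL_PORT = 10128  # the pool port seen in the article; unusual for normal egress
WALLET = ("483F2xjkCUegxPM7wAexam1Be67EqDRZpS7azk8hcGETSustmuxd1Agffa3XSHFyzeFprL"
          "yHKm37bTPShFUTKgctMSBVuuK")

# Assumed (constructed) log format: "<timestamp> <src_ip> <dst_host_or_ip>:<port> <bytes>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[^:\s]+):(?P<port>\d+)")


@dataclass(frozen=True)
class Hit:
    line_no: int
    src: str
    reason: str


def classify(dst: str, port: int) -> Optional[str]:
    """Exact IoC matches first, then the weaker port-only heuristic."""
    if dst in POOL_HOSTS:
        return f"known mining pool host {dst}"
    if dst in POOL_IPS:
        return f"known mining pool IP {dst}"
    if port == POOL_PORT:
        return f"heuristic: stratum-style port {port} to unlisted destination"
    return None


def scan_connection_log(lines: List[str]) -> List[Hit]:
    hits = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:  # skip lines that do not fit the assumed format
            continue
        reason = classify(m["dst"], int(m["port"]))
        if reason:
            hits.append(Hit(n, m["src"], reason))
    return hits


def wallet_in_blob(data: bytes) -> bool:
    """The unpacked XMRig payload carries the wallet as plain text; look for it."""
    return WALLET.encode() in data


# Constructed sample input: two hosts talking to the pool, one benign line, one port-only hit.
SAMPLE_LOG = [
    "2024-03-05T10:00:01Z 10.0.0.5 gulf.moneroocean.stream:10128 812",
    "2024-03-05T10:00:02Z 10.0.0.7 updates.example.internal:443 4096",
    "2024-03-05T10:00:03Z 10.0.0.5 109.123.233.251:443 1200",
    "2024-03-05T10:00:04Z 10.0.0.9 203.0.113.10:10128 300",
    "malformed line",
]
SAMPLE_BLOB = b"\x00xmrig\x00-o gulf.moneroocean.stream:10128 -u " + WALLET.encode() + b"\x00"
```

Run over real data, the exact host/IP matches are the actionable findings; the port-only heuristic is there to surface hosts worth a second look.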
The post New Sysrv Botnet Abuses Google Subdomain To Spread XMRig Miner appeared first on Cyber Security News.
Cyber Security News
Hackers can abuse Microsoft Office executables to download malware
The list of LOLBAS files (legitimate binaries and scripts present in Windows that can be abused for malicious purposes) will include the main executables for Microsoft’s Outlook email client and Access database management system. […]
BleepingComputer