Sysrv botnet abuses flaws found in Windows and Linux servers

May 16, 2022

Critical flaws are found in Java’s Spring Framework and WordPress CMS, allowing the Sysrv botnet to exploit them and deploy malware on compromised Windows and Linux servers. The botnet was found with a new upgraded variant, Sysrv-K, capable of scanning unpatched Spring and WordPress deployments.

According to researchers, the new variant of the Sysrv botnet can control web servers by abusing several critical vulnerabilities, including old and new flaws found in WordPress plugins. The botnet variant also targets issues on vulnerable web servers, such as the CVE-2022-22947 from the Spring Cloud Gateway library.

First observed in 2020, the botnet showed a surge of recorded activity in April of last year that prompted security experts to analyse it in depth.

The botnet also scans WordPress installations for configuration files and their backups to steal database information that is vital for taking over the web server. Numerous cybersecurity experts have observed Sysrv probing the internet for flawed Windows and Linux servers. Servers the botnet finds are infected with the XMRig trojan miner and other malware payloads.
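Because stray copies of wp-config.php (editor swap files, .bak or .old backups) are served as plain text and expose the database credentials described above, a defender can audit a web root for them. The following is an added example, not code from the article or from any Sysrv analysis; the suffix list and the sample listing are constructed for illustration.

```python
import os
import stat
from pathlib import Path
from typing import Optional

# Backup/editor copies of wp-config.php that are commonly left in a web root.
# PHP does not execute these, so the web server returns them verbatim.
# Constructed list for this example; extend it for your own deployment.
COPY_SUFFIXES = (".bak", ".old", ".orig", ".save", ".txt", ".1", "~")
SWAP_NAMES = (".wp-config.php.swp", ".wp-config.php.swo")


def classify_name(name: str) -> Optional[str]:
    """Return 'live' for wp-config.php, 'copy' for a backup/editor copy, else None."""
    if name == "wp-config.php":
        return "live"
    if name in SWAP_NAMES:
        return "copy"
    # Covers wp-config.php.bak, wp-config.bak, wp-config.php~ and similar.
    if name.startswith("wp-config") and name.endswith(COPY_SUFFIXES):
        return "copy"
    return None


def audit_listing(entries):
    """entries: iterable of (relative_path, st_mode).

    Returns a sorted list of (path, kind, world_readable) findings. Copies are
    always worth removing; a live config is flagged if others can read it.
    """
    findings = []
    for rel_path, mode in entries:
        kind = classify_name(os.path.basename(rel_path))
        if kind is None:
            continue
        findings.append((rel_path, kind, bool(mode & stat.S_IROTH)))
    return sorted(findings)


def scan_webroot(root):
    """Walk a real web root and audit it using the filesystem's st_mode values."""
    root = Path(root)
    entries = [(str(p.relative_to(root)), p.stat().st_mode)
               for p in root.rglob("*") if p.is_file()]
    return audit_listing(entries)


# Constructed sample listing standing in for a real directory walk.
SAMPLE_LISTING = [
    ("wp-config.php", 0o100600),
    ("wp-config.php.bak", 0o100644),
    ("wp-config-sample.php", 0o100644),
    ("backup/wp-config.php.old", 0o100644),
    ("wp-content/.wp-config.php.swp", 0o100644),
    ("index.php", 0o100644),
]

if __name__ == "__main__":
    for path, kind, readable in audit_listing(SAMPLE_LISTING):
        print(f"{kind:4s} {'WORLD-READABLE' if readable else 'restricted':14s} {path}")
```

Run `scan_webroot("/var/www/html")` against a real document root; any `copy` finding should be deleted and a world-readable `live` config should have its mode tightened.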


The Sysrv botnet gains access to servers by exploiting the flaws it detects in web applications and databases, including Confluence, Jira, Apache Struts, Apache Solr, PHPUnit, Laravel, JBoss, Oracle WebLogic, and Sonatype.


The botnet also terminates other cryptocurrency miners on the servers it compromises before deploying its own payloads. It then spreads automatically across the network through brute-force attacks over SSH, using private keys harvested from various locations on the infected machines.

Furthermore, the botnet has a propagator component that actively scans the internet for further Windows and Linux systems with vulnerable infrastructure. Once such systems are found, they are added to the botnet’s army of Monero miners.

Finally, the Sysrv botnet compromises vulnerable systems using exploits for critical remote code execution (RCE) flaws, which let it run malicious code on them remotely.
