New Sysrv Botnet Variant Makes Use of Google Subdomain to Spread XMRig Miner
by Daniel Johnston, Yohann Sillam
March 20, 2024
Imperva Threat Research
| Notes |
|---|
| sysrv |
| botnet |
| payload |
| worm |
| Golang malware |
| cryptocurrency miner |
| security research |
| IoC |
| infection chain |
| Imperva Threat Research |
| HTTP |
| Apache Struts - CVE-2017-9805 |
| Atlassian Confluence - CVE-2023-22527, CVE-2021-26084 |
| Malaysia |
| domain name |
| Duraspace/DSpace |
| hosting malware on hacked sites |
| dropper |
| bash script - ldr.sh |
| md5 |
| get function to download malware from URL |
| staged malware |
| territorial malware |
| malware disabling security software |
| search for SSH hosts and keys |
| propagation over SSH |
| UPX |
| stripped binary |
| static linking |
| ELF |
| GoReSym |
| redress |
| Google subdomain to host malware |
| downloader site poses as a legitimate Google site |
| XMRig |
| MoneroOcean |
| Monero |
| XMR - $6800/year 483F2xjkCUegxPM7wAexam1Be67EqDRZpS7azk8hcGETSustmuxd1Agffa3XSHFyzeFprLyHKm37bTPShFUTKgctMSBVuuK |
| evasion |