New Sysrv Botnet Variant Makes Use of Google Subdomain to Spread XMRig Miner [Thursday, March 21, 2024]


Description:
A new variant of the Sysrv botnet was observed exploiting vulnerabilities in Apache Struts and Atlassian Confluence to spread an XMRig cryptominer payload. The malware used a compromised Malaysian academic website and a Google subdomain to distribute its malicious files. Enhancements over earlier variants include obfuscation and architecture-preparation functions. The malware connects to MoneroOcean mining pool endpoints and mines to a specific wallet. Defenders should block suspicious outbound connections to mining pools and inspect seemingly legitimate sites for hosted malicious files.

Published: 2024-03-21 11:09:45
Created: 2024-03-21 11:09:45
Modified: 2024-03-21 11:39:51

Indicators

IPv4s: none listed
URLs: none listed
Malware:
  • Sysrv
  • XMRig
Hashes (SHA-256):
  • f0a299b93f1a2748edd69299f694d3a12edbe46485d29c1300172d4ac4fd09d4
  • 74d22338e9b71cefb4f5d62497e987e396dc64ca86b04a623c84d5b66a2d7d3e
  • 3961c31ed8411944c5401bb7a9c6738ec963910c205dba5e35292c7d4f7b912b
  • 495500dcd8b3fa858335f0c85ddcc265f09ed638d87226e8bce8b53ef626464e
  • 6fb9b4dced1cf53a9533ed497f38550915f9e448e62a6f43e9d8b696bd5375dc
  • 1ba8f42d8db461bb45f9d3e991c137b7b504aee5213cfe7a12cd4b366512696e
Intrusion set:
  • Sysrv botnet operators
MITRE ATT&CK Techniques: none listed
Other observables (exploited CVEs):
  • CVE-2017-9805
  • CVE-2023-22527
  • CVE-2021-26084

About the author
Julien B.

Securitricks
