Sysrv-K Botnet Tries to Mine Crypto on Victim Devices
The Sysrv botnet has been around for a while now, but security researchers have identified a new, updated strain of the malicious tool. The new version has been dubbed Sysrv-K and it is targeting both Windows and Linux systems, as well as web server hardware.
The new version of Sysrv scans for public-facing web servers that are still running software with unpatched vulnerabilities, then exploits those security flaws. Once the malware makes its way onto a compromised device, it launches a cryptominer that abuses the victim device's resources to mine Monero cryptocurrency.
In addition to deploying the cryptominer, Sysrv-K can access WordPress configuration files and extract login credentials from them. The credentials are in turn used to give the threat actors operating the botnet control over the targeted web server.
The new strain of the Sysrv botnet is still capable of scanning for IP addresses, SSH keys and hostnames on compromised devices and using this information to propagate the botnet over SSH. Server owners are urged to update all pertinent software and applications as soon as possible to avoid infection and system resource abuse.
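The following exposure audit is an added example, not part of the original article or taken from any Sysrv-K analysis. It walks a directory tree and reports the kinds of data described above that would be readable after a compromise: world-readable `wp-config.php` files, private keys stored without a passphrase, and `known_hosts` files that list hosts in clear text. The function names and finding strings are hypothetical, and it assumes POSIX permission bits.

```python
import base64, os, stat, sys

def key_is_unencrypted(text):
    """True if text is a private key with no passphrase (legacy PEM, PKCS#8 or OpenSSH)."""
    lines = text.strip().splitlines()
    if not lines or not (lines[0].startswith("-----BEGIN") and "PRIVATE KEY-----" in lines[0]):
        return False
    if "ENCRYPTED" in lines[0] or any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines):
        return False
    if "OPENSSH" not in lines[0]:
        return True
    try:
        blob = base64.b64decode("".join(lines[1:-1]))
    except ValueError:
        return False
    # openssh-key-v1 layout: magic, then a uint32-length-prefixed cipher name.
    magic = b"openssh-key-v1\0"
    n = int.from_bytes(blob[len(magic):len(magic) + 4], "big")
    return blob.startswith(magic) and blob[len(magic) + 4:len(magic) + 4 + n] == b"none"

def unhashed_hosts(text):
    """Count known_hosts entries with a clear-text host field (after any @marker)."""
    rows = [f for f in (l.split() for l in text.splitlines()) if f and f[0][0] != "#"]
    hosts = [r[1] if r[0][0] == "@" and len(r) > 1 else r[0] for r in rows]
    return sum(not h.startswith("|1|") for h in hosts)

def audit(root):
    """Return (path, finding) pairs for regular files under root."""
    findings = []
    for folder, _, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            try:
                mode = os.stat(path).st_mode
                if not stat.S_ISREG(mode):
                    continue
                with open(path, errors="replace") as fh:
                    text = fh.read(65536)
            except OSError:
                continue
            checks = [(name == "wp-config.php" and mode & stat.S_IROTH, "world-readable wp-config.php"),
                      (key_is_unencrypted(text), "private key without passphrase"),
                      (name == "known_hosts" and unhashed_hosts(text), "clear-text known_hosts")]
            findings += [(path, why) for hit, why in checks if hit]
    return findings

if __name__ == "__main__":
    for path, why in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{why}: {path}")
```

Run it against web roots and home directories; the findings are hardening gaps, not indicators that a host is infected.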
Sysrv has been around for nearly two years and was first detailed by researchers in late 2020. The malware has received multiple updates since then, and this new version shows that the threat actor behind Sysrv is not done with the botnet by a long shot.