Key points:
- Cryptojacking involves using a victim’s system to mine cryptocurrencies without their consent.
- The Sysrv botnet, initially noted for its use of Golang, has evolved and increased its activity.
- PowerShell scripts are used to download and execute malware, while disabling security measures like the Windows Firewall.
- The botnet targets competing cryptocurrency miners to ensure exclusive access to system resources.
- Scheduled tasks are created to maintain persistence of the malware on infected systems.
MITRE Techniques:
- T1071.001 – Application Layer Protocol: The botnet uses HTTP for command and control communication.
- T1059.001 – Command and Scripting Interpreter: PowerShell is utilized to execute scripts for malicious purposes.
- T1053.005 – Scheduled Task/Job: Scheduled Task: A scheduled task named BrowserUpdate runs the downloaded executable every minute.
- T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: The script adds a value to the user's Run key so the miner is started at every logon (the original mapping to T1484.001, Group Policy Modification, was wrong; no domain policy is touched).
- T1562.004 – Impair Defenses: Disable or Modify System Firewall: The script disables the Windows Firewall for all profiles before contacting its C2 server. Stopping rival miner processes is removal of competition, not of indicators, and does not map to T1070.001.
Indicators of Compromise:
- [IP Address] 194.38.23.2
- [IP Address] 194.145.227.21
- [IP Address] 185.239.242.71
- [File Name] network01.exe
- [File Name] sysrv.exe
- Check the article for all found IoCs.
With the increased value of cryptocurrencies, we are seeing increased cryptojacking activity.
Cryptojacking (also called malicious cryptomining) is a threat that hides on a system and uses the machine’s resources to “mine” cryptocurrencies. So, it’s basically running up the victim’s electricity bill to pay for cryptocurrency generated for the attacker, and getting in the way of whatever work the computer was supposed to be doing.
The Sysrv botnet has been around for a while. It first received attention at the end of 2020 because at the time it was one of the rare malware families written in Go (Golang). One of the advantages of Go for malware authors is that a single code base can be cross-compiled into native binaries for both Windows and Linux, so the same source serves both targets.
Since then, the botnet has evolved, gained new features, and changed its behavior. And recently we have seen increased activity, so we decided to take a look at one of the PowerShell scripts the botnet is using. The botnet operators are using different vulnerabilities to get a foothold inside a system.
A few of our Managed Security Services (MSS) analysts found PowerShell commands that looked like this:
An analysis of the script:
The $sys variable is assigned a random string of characters (digits and letters) to be used as the filename for the downloaded executable. The length of the string is randomly chosen between 6 and 12 characters.
The $dst variable is assigned the destination path for the downloaded executable, placing it in the user's AppData directory with the randomly generated filename. The %APPDATA% directory is a favorite hiding place for malware: it is hidden by default in Explorer and the user can write to it without administrator rights, so no elevation is needed to drop the file there.
The script also disables the Windows Firewall for all profiles, making it easier for the malware to communicate with its C2 servers and other malicious components without being blocked.
Here comes a fun part, which I'll elaborate on further down: it looks for and stops processes that are likely to belong to other cryptocurrency miners or competing malware.
Once the competition has been taken out, it downloads an executable file (sys.exe) from the specified C2 server URL ($cc) and saves it to the destination path ($dst) with the randomized name.
To ensure persistence, the script creates a scheduled task named BrowserUpdate that runs the downloaded executable every minute, and it adds a value to the user's Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run), which executes the malware every time the user logs in. Because both the task and the Run key live in the user's own context, neither needs administrator rights.
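The persistence and firewall changes described above leave artifacts an analyst can look for directly. The following PowerShell is an added hunting script, not the malware's script and not code from the ThreatDown article; the task names, the Run key, the %APPDATA% drop location and the firewall change come from the article, while the "6 to 12 alphanumeric characters" filename heuristic and the function name Find-SysrvArtifacts are assumptions made here. It only reports; it does not delete or stop anything.

```powershell
# Added example (not from the ThreatDown article): audit a Windows host for the
# Sysrv persistence and defense-evasion artifacts described in the text.
# Run in an elevated PowerShell on the host being checked (Windows only).

function Find-SysrvArtifacts {
    $findings = @()

    # 1. Scheduled tasks with the names the article reports (current and old).
    foreach ($name in 'BrowserUpdate', 'Browser2Update') {
        $task = Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue
        if ($task) {
            $exe = ($task.Actions | ForEach-Object { $_.Execute }) -join ', '
            $findings += "Scheduled task '$name' present, runs: $exe"
        }
    }

    # 2. Per-user Run key values that launch an executable sitting directly in %APPDATA%.
    #    Legitimate software rarely drops an .exe in the root of the Roaming folder.
    $runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $meta    = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $inRoot  = [regex]::Escape($env:APPDATA) + '\\[^\\]+\.exe'   # <APPDATA>\<file>.exe
    $run     = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -in $meta) { continue }           # skip provider metadata
            if ("$($p.Value)" -match $inRoot) {
                $findings += "Run key value '$($p.Name)' -> $($p.Value)"
            }
        }
    }

    # 3. Randomly named executables directly under %APPDATA%.
    #    Assumption: the random name is 6-12 letters/digits with no separators,
    #    matching the generator the article describes.
    Get-ChildItem -Path $env:APPDATA -File -Filter '*.exe' -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match '^[A-Za-z0-9]{6,12}$' } |
        ForEach-Object { $findings += "Suspicious executable: $($_.FullName) ($($_.Length) bytes)" }

    # 4. Firewall profiles that have been switched off (the script disables all of them).
    Get-NetFirewallProfile -ErrorAction SilentlyContinue |
        Where-Object { "$($_.Enabled)" -eq 'False' } |
        ForEach-Object { $findings += "Firewall profile '$($_.Name)' is disabled" }

    return $findings
}

$results = Find-SysrvArtifacts
if ($results) { $results | ForEach-Object { Write-Warning $_ } }
else          { Write-Output 'No Sysrv persistence or firewall artifacts found.' }
```

The Run key check deliberately looks only at executables in the root of %APPDATA%; widening it to the whole AppData tree would flag many legitimate updaters that live under AppData\Local. If a hit is found, collect the file and the task definition before stopping anything, since the one-minute task will otherwise re-launch the miner while you work.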
Killing the competition
As we pointed out, the script looks for processes that meet certain naming conditions and some that communicate on certain TCP ports, such as 3333 and 9000. It very much looks like the Sysrv botnet wants to eliminate the competition, to ensure exclusive access to system resources.
The script uses netstat to list all TCP connections and then iterates through the list to find connections on specific ports. If it finds any, it stops the corresponding processes.
Port 3333 is the default stratum port of many mining pools, and therefore the port that XMRig, an open-source Monero miner widely abused by cybercriminals, is most often configured to connect to. The miner itself does not listen on it; it makes an outbound connection to the pool.
Port 9000 is often recommended for use with the supportxmr mining pool. A mining pool is a group of cryptocurrency miners who combine their hashing power to increase their chances of earning a reward. Cybercriminals use mining pools to pool their victims' resources in the same way.
In this case, the script looks for processes that match the names network0*, *kthreaddi], kthreaddi, and sysrv*, but we have also seen examples with fewer wildcards and more specific process names.
For example, one we discovered specified network01, network001, network002, kthreaddi, sysrv, sysrv012, sysrv011, sysrv010, sysrv001, sysrv002, sysrv003, sysrv004, sysrv005, sysrv006, sysrv007, sysrv008, and sysrv009, maybe because the authors didn't want to use wildcards.
Another looked for and stopped network0*, kthreaddi, sysrv, sysrv012, sysrv011, sysrv010, and sysrv00*.
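The port and name checks described in this section are useful to defenders as well, as long as the "stop the process" step is left out. The following PowerShell is an added example, not the malware's script and not code from the ThreatDown article: it applies the ports (3333, 9000) and the wildcard name list the article reports to the local host and lists the matching processes instead of killing them. The function name Find-MinerLikeProcesses and the use of Get-NetTCPConnection in place of a netstat parse are choices made here.

```powershell
# Added example (not from the ThreatDown article): a read-only version of the
# Sysrv "kill the competition" check. Ports and name patterns are the ones the
# article reports; nothing is terminated. Windows only.

function Find-MinerLikeProcesses {
    param(
        [int[]]    $SuspectPorts = @(3333, 9000),
        [string[]] $NamePatterns = @('network0*', '*kthreaddi]', 'kthreaddi', 'sysrv*')
    )

    $hits = @{}   # PID -> reason it was flagged

    # The malware parsed `netstat -ano` for this; Get-NetTCPConnection exposes the same
    # table with the owning PID attached. A miner connects *out* to the pool port, so the
    # remote port is the interesting one; the local port is checked as well for completeness.
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { ($_.RemotePort -in $SuspectPorts) -or ($_.LocalPort -in $SuspectPorts) } |
        ForEach-Object {
            $hits[[int]$_.OwningProcess] =
                "TCP $($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) [$($_.State)]"
        }

    # The article's name list is in PowerShell wildcard form; -like evaluates it
    # (* matches any run of characters, comparison is case-insensitive).
    foreach ($proc in Get-Process) {
        foreach ($pattern in $NamePatterns) {
            if ($proc.ProcessName -like $pattern) {
                $hits[[int]$proc.Id] = "name '$($proc.ProcessName)' matches '$pattern'"
                break
            }
        }
    }

    # Emit one object per flagged PID with the image path for triage.
    foreach ($procId in $hits.Keys) {
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        [pscustomobject]@{
            PID    = $procId
            Path   = if ($proc -and $proc.Path) { $proc.Path } else { '<unavailable>' }
            Reason = $hits[$procId]
        }
    }
}

# Report only; the analyst decides what to stop and what to collect first.
Find-MinerLikeProcesses | Format-Table -AutoSize
```

Note the trailing `]` in the pattern `*kthreaddi]` is reproduced exactly as the article reports it; whether the malware authors intended it or not, `-like` treats it as a literal character, so a process simply named kthreaddi is caught by the separate `kthreaddi` entry rather than by that pattern.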
Given that in the past we already had Sysrv-New and Sysrv-Hello, and the timing of our findings—all are active at the same time—we have to assume there are rival groups at play, and we found at least three of them. The first two Command and Control (C2) servers listed below are the most active, and “borrow” pieces of each other’s code. The third one has been around for quite some time and may be fighting to limit its loss in market share.
So, the question is: Are there competing botnets using the Sysrv malware or is there only one, which is replacing older versions that have fixed names with the latest variant that uses the random process name?
IOCs
C2 server IPs:
194.38.23.2
194.145.227.21
185.239.242.71
Filenames (old):
network01.exe, network001.exe, network002.exe, kthreaddi.exe, sysrv.exe, sysrv012.exe, sysrv011.exe, sysrv010.exe, sysrv001.exe, sysrv002.exe, sysrv003.exe, sysrv004.exe, sysrv005.exe, sysrv006.exe, sysrv007.exe, sysrv008.exe, and sysrv009.exe
Folder for randomly named executables:
%APPDATA%
ThreatDown detects the randomly renamed sys.exe files as Trojan.CoinMiner and blocks the C2 IP addresses.
Scheduled Tasks:
BrowserUpdate
Browser2Update (old)
Full Research: https://www.threatdown.com/blog/sysrv-cryptomining-botnet-is-still-alive-and-kicking-out-the-competition/