The Sysrv-hello Cryptojacking Botnet: Here's What's New

Cryptojacking botnets can earn their operators millions by discreetly stealing CPU cycles on infected machines to mine coins, especially with the sky-high value of today's cryptocurrencies. Sysrv-hello, a cryptojacking botnet first identified by Alibaba Cloud Security in late December 2020, is another of these money-making malware variants.


The Sysrv-hello botnet is deployed on both Windows and Linux systems by exploiting multiple vulnerabilities, with the implant installed via shell scripts.


Like many of the threat actor tools we've covered, it continuously evolves to fit the needs of its operators and stay ahead of security researchers and law enforcement. 


Over time, there have been several slight changes in the shell scripts that install the Sysrv-hello implant on machines. There have also been incremental changes in how the executable gets deployed on host systems. In our latest threat intel analysis, RiskIQ researchers have identified one of its latest developments, including the use of drive-by downloads and two new Monero wallets. 


Evolution of ldr.sh Shell Script


The latest iteration of Sysrv-hello is deployed via drive-by downloads from an empty iframe that points to an executable, which is downloaded to the host system when a user visits that web page. The iframe was set up via a Python script.


Most observed versions of Sysrv-hello are deployed via shell script. On Linux systems, the host is initially infected with the bash script before downloading the second-stage ELF binary. You can see the list of files as observed by RiskIQ, many not previously reported on in open source, by visiting our complete analysis article in the Threat Intelligence Portal.


The first shell scripting file had more basic functionality than later observed files. Its functions included killing prior versions of Sy ..