Microsoft has warned that a new variant of the Sysrv botnet is targeting a critical flaw in the Spring Framework to install cryptocurrency mining malware on Linux and Windows systems.
Microsoft researchers spotted a new variant of Sysrv, which it calls Sysrv-K, scanning the internet for Wordpress plugins with older vulnerabilities as well as a recently disclosed remote code execution (RCE) flaw in the Spring Cloud Gateway software tagged as CVE-2022-22947.
The flaw affected VMware's Spring Cloud Gateway and Oracle's Communications Cloud Native Core Network Exposure Function and was given a critical rating by both firms.
SEE: What is ransomware? Everything you need to know about one of the biggest menaces on the web
Sysrv-K can can gain control of web servers, Microsoft Security Intelligence warned. The botnet scans the internet to locate web servers and then uses various vulnerabilities such as path traversal, remote file disclosure, arbitrary file downloads and remote code execution. Once the malware is running on a Windows or Linux device, Sysrv-K deploys a cryptocurrency miner.
Sysrv-K contains new features from older variants. Juniper in April 2021 reported Sysrv was bundled with exploits for six RCE vulnerabilities affecting installations of MongoDB's Mongo Express admin interface, the ThinkPHP PHP framework, the Drupal CMS, VMware-owned SaltStack, and the XXL-JOB and XML-RPC projects. It also had exploits exploits for PHP framework Laravel, Oracle Weblogic, Atlassian Confluence Server, Apache Solr, PHPUnit, JBoss Application Server, Apache Hadoop, Jenkins, Jupyter Notebook Server, Sonatupe Nexus Repository Manager, Tomcat Manager, and Wordpress.
The malware's two functions were to spread itself across networks by scanning the internet for vulnerable systems and installing the XMRig cryptocurrency miner to mine Monero. But Microsoft warns it can now also capture database credentials to control an infected web server.
"A new behavior observed in Sysrv-K is that it scans for WordPress configuration files and their backups to retrieve database credentials, which it uses to gain control of the web server. Sysvr-K has updated communication capabilities, including the ability to use a Telegram bot," Microsoft Security Intelligence said.
"Like older variants, Sysrv-K scans for SSH keys, IP addresses, and host names, and then attempts to connect to other systems in the network via SSH to deploy copies of itself. This could put the rest of the network at risk of becoming part of the Sysrv-K botnet," it added.
Microsoft warned organizations to secure internet-facing systems, apply security updates and protect credentials.