Cryptocurrencies have become increasingly mainstream in recent years, and opportunistic threat actors have not been slow to cash in.

Long before the peak values recorded in 2021, Darktrace reported on the close relationship between the value of cryptocurrency and the prevalence of malicious crypto-mining activity, commonly referred to as ‘crypto-jacking’. Since then, we have reported crypto-jacking from botnets, rogue insiders, compromised IoT devices, and even as a precursor to ransomware.

Now, the Darktrace SOC team reports on how the prolific Sysrv botnet is evolving to evade traditional cyber defenses in order to mine cryptocurrency on vulnerable Internet-facing machines. By pivoting to Pastebin for command and control infrastructure, the malware is better able to remain hidden from tools using signature-based threat detection.

Recently, however, Darktrace AI was able to identify a server compromised by Sysrv despite it being a pre-existing infection. Darktrace autonomously grouped the server into a ‘peer group’ of similar devices, recognizing the behavior as anomalous in comparison to the wider group. The same technique was used to find a pre-existing Trojan hiding in an energy grid in 2020.

Evolution of the Sysrv botnet

The Sysrv botnet has a rich history in adapting new techniques in order to remain relevant. When the botnet was first identified in early 2020, it made its name for its use of the GO language (‘Golang’). It allowed the malware authors to target multiple operating systems. While financially motivated cyber criminals have traditionally targeted the widely used Windows OS, the proliferation of IoT devices using Linux OS has made them an attractive target, especially for those looking to make a quick buck from crypto-mining.

More recent Sysrv variants have come equipped with a host of exploits, ready to make the most of the diverse set of security holes it may encounter. Many are added to the malware’s tool kit just days after the public release of a new vulnerability, demonstrating the sophistication of the attackers.

The botnet has also proven adaptable in which cryptocurrency it chooses to mine. The bots switched to Nano in 2021 during the currency’s boom in value, but more recently reverted to Monero. Monero is a mainstream cryptocurrency and, similar to Bitcoin, is expected to hold its value better than other currencies in the notoriously volatile crypto markets. Monero mining also has a technical advantage, in that it runs efficiently on CPUs. Other cryptocurrencies prefer GPUs and ASICs, which are unlikely to be found in the server environments targeted by Sysrv.

The storyline of botnet malware such as Sysrv over the last few years shows the sophistication and creativity of cyber criminals out to cash in on crypto. These advancements and adaptations will continue to surface, but with the upcoming launch of Darktrace Prevent, defenders can prepare their organizations against the most sophisticated attacks.

With Darktrace Attack Surface Management, organizations discover potential weak points in their exposed environments, and take action before attackers can. In the case of the Sysrv botnet, which preys on vulnerable Internet-facing machines, Attack Surface Management will be able to identify machines and proactively harden defenses before an attack like Sysrv could strike.

Darktrace Attack Surface Management forms just one part of Darktrace Prevent, a product family that also empowers defenders to model likely attack paths, intelligently prioritize vulnerabilities, simulate attacks, and more.

Insights gained are then fed into Darktrace’s Detect and Respond capabilities, hardening defenses and protecting organizations from the full range of cyber-threats – from crypto-jacking and supply chain compromise to phishing and spoofing attacks.

Sysrv-hello botnet infection discovery: Read the technical deep-dive