Sysrv-hello, a New Botnet That Mines Cryptocurrencies

Hackers often take advantage of security flaws in computers to carry out their attacks. That is the case with a new botnet that mines cryptocurrencies on both Windows and Linux systems and scans for vulnerabilities to achieve its goal. It is called Sysrv-hello and it was discovered by Alibaba Cloud.

Sysrv-hello, a botnet that looks for vulnerabilities in Windows or Linux

Hidden cryptocurrency mining is a problem to take seriously, since it can push our equipment to its limits and affect not only performance but also hardware components. It is a type of threat that has increased considerably in recent years due to the rise of digital currencies.


After all, hackers are looking for a way to profit. They create new attack techniques, look for flaws they can exploit and ultimately infect victims' computers. With Sysrv-hello they deploy a botnet that mines cryptocurrencies on both Windows and Linux. Specifically, it mines Monero, one of the most popular cryptocurrencies.

This botnet was first discovered in February, but it has been active since December 2020. Its activity increased significantly in March. It has since been updated to use a single binary capable of mining and of automatically spreading the malware to other devices.

How does Sysrv-hello work? Basically, it scans the Internet for vulnerable computers. It can then infect those systems, enlist them in its army of bots and start mining Monero.

According to security researchers, the attacks rely on remote code execution vulnerabilities in PHPUnit, Apache Solr, Confluence, Laravel, JBoss, Jira, Sonatype, Oracle WebLogic, and Apache Struts.

Keep in mind that once it has compromised a server, this malware is capable of spreading across the network through brute force attacks using SSH private keys that it collects from infected servers.
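Because the spreading step reuses SSH private keys found on a compromised server, it helps to know which keys on a host are stored without a passphrase, since those are usable as soon as they are copied. The following Python audit is an added example, not part of the original article; the function names and the sample files are constructed for illustration, and it assumes keys stored in PEM or OpenSSH format.

```python
import base64, re, struct, tempfile
from pathlib import Path

MAGIC = b"openssh-key-v1\x00"  # first bytes of a decoded OpenSSH-format key
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----(.*?)-----END \1-----", re.S)

def classify_key(text):
    """Return 'encrypted', 'unencrypted', or None when text holds no private key."""
    m = PEM_RE.search(text)
    if not m:
        return None
    label, body = m.groups()
    if label == "OPENSSH PRIVATE KEY":  # cipher name is the first field after MAGIC
        try:
            blob = base64.b64decode("".join(body.split()))
            (n,) = struct.unpack_from(">I", blob, len(MAGIC))
        except (ValueError, struct.error):
            return None
        if not blob.startswith(MAGIC):
            return None
        return "unencrypted" if blob[len(MAGIC) + 4:][:n] == b"none" else "encrypted"
    protected = label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body
    return "encrypted" if protected else "unencrypted"  # PKCS#8 label or legacy PEM header

def audit_keys(root):
    """Map every private key file under root to its passphrase status."""
    found = {}
    for path in Path(root).rglob("*"):
        try:
            if path.is_file() and path.stat().st_size <= 64 * 1024:
                found[str(path)] = classify_key(path.read_text(errors="ignore"))
        except OSError:  # unreadable entry: skip it
            continue
    return {p: s for p, s in found.items() if s}

def sample_openssh(cipher):  # constructed sample: container header only, not a usable key
    blob = base64.b64encode(MAGIC + struct.pack(">I", len(cipher)) + cipher).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{blob}\n-----END OPENSSH PRIVATE KEY-----\n"

def demo():  # audits constructed files in a temporary directory; returns {name: status}
    legacy = "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n\nAAAA\n-----END RSA PRIVATE KEY-----\n"
    files = {"id_ed25519": sample_openssh(b"none"), "id_backup": sample_openssh(b"aes256-ctr"),
             "id_rsa": legacy, "notes.txt": "not a key\n"}
    with tempfile.TemporaryDirectory() as d:
        for name, text in files.items():
            Path(d, name).write_text(text)
        return {Path(p).name: s for p, s in audit_keys(d).items()}

if __name__ == "__main__":
    print(demo())
```

On a real server, `audit_keys` would be pointed at home directories and service account paths; every key reported as `unencrypted` is a candidate for a passphrase, rotation or removal.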

Six vulnerabilities have mainly been exploited, which are as follows:

  • Mongo Express RCE (CVE-2019-10758)
  • XML-RPC (CVE-2017-11610)
  • Saltstack RCE (CVE-2020-16846)
  • Drupal Ajax RCE (CVE-2018-7600)
  • ThinkPHP RCE (without CVE)
  • XXL-JOB Unauth RCE (without CVE)

How to protect ourselves from cryptocurrency mining

We have seen how this new botnet is capable of infecting Windows or Linux systems to carry out its attacks and mine cryptocurrencies. However, we can run into similar threats that take advantage of our equipment to achieve their goal. Avoiding botnet attacks is something that we must bear in mind.

Without a doubt, the most important thing to avoid being victims of this problem is to have updated equipment. We have seen that in this case the attack needs vulnerable systems that have not been updated. Therefore, the main advice is to always keep the equipment updated. It does not matter what operating system we are using.

It is also important to have security programs. A good antivirus can help avoid many varieties of malicious software that could compromise us in one way or another. It is essential to apply this no matter what operating system we are using.

But another fundamental issue is common sense. We must avoid making mistakes that can be exploited by hackers and put our computers at risk. For example, it would be a mistake to download programs from third-party sites without verifying whether they are legitimate, download attachments that may be dangerous, or log in to an insecure network.