Microsoft has warned that a new variant of the Sysrv botnet is exploiting a critical remote code execution flaw in Spring Cloud Gateway, part of the Spring ecosystem, to install cryptocurrency mining malware on Linux and Windows systems.
Microsoft researchers spotted the new variant, which they call Sysrv-K, scanning the internet for WordPress plugins with older, known vulnerabilities as well as for the recently disclosed remote code execution (RCE) flaw in Spring Cloud Gateway, tracked as CVE-2022-22947.
The flaw affected VMware’s Spring Cloud Gateway and Oracle’s Communications Cloud Native Core Network Exposure Function and was given a critical rating by both firms.
Sysrv-K can take control of web servers, Microsoft Security Intelligence warned. The botnet scans the internet for web servers and then tries a range of vulnerability classes against them, including path traversal, remote file disclosure, arbitrary file download and remote code execution. Once it is running on a Windows or Linux host, Sysrv-K deploys a cryptocurrency miner.
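The scanning behaviour described above leaves a recognisable trail in web server access logs. The following is an added illustration written for this article, not code from Microsoft or from the botnet analysis: it parses a handful of constructed combined-format log lines and flags the request patterns associated with CVE-2022-22947 (write access to the Spring Cloud Gateway actuator `routes` endpoint followed by a `refresh`) alongside a crude path-traversal check. The log lines, IP addresses and route name are made up for the example; the endpoint paths are the real Spring Cloud Gateway actuator paths.

```python
import re

# Constructed sample access-log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [15/May/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.5 - - [15/May/2022:10:01:03 +0000] "POST /actuator/gateway/routes/hacktest HTTP/1.1" 201 0 "-" "python-requests/2.27"
203.0.113.5 - - [15/May/2022:10:01:04 +0000] "POST /actuator/gateway/refresh HTTP/1.1" 200 0 "-" "python-requests/2.27"
198.51.100.7 - - [15/May/2022:10:02:10 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "curl/7.81"
198.51.100.7 - - [15/May/2022:10:02:11 +0000] "GET /wp-content/plugins/../../../../etc/passwd HTTP/1.1" 404 153 "-" "curl/7.81"
192.0.2.9 - - [15/May/2022:10:03:00 +0000] "GET /actuator/gateway/routes HTTP/1.1" 200 2 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: source IP, timestamp, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def classify(method, path):
    """Return a tag for a suspicious request, or None for benign traffic.

    Only writes to the gateway route table and the refresh call are tagged;
    a plain GET of /actuator/gateway/routes is read-only and not flagged here.
    """
    p = path.split("?", 1)[0]
    if p.startswith("/actuator/gateway/routes") and method in ("POST", "DELETE"):
        return "gateway-route-write"
    if p == "/actuator/gateway/refresh" and method == "POST":
        return "gateway-refresh"
    if "/../" in p or p.endswith("/.."):
        return "path-traversal"
    return None


def scan(log_text):
    """Parse each log line and collect (ip, tag, method, path, status) for hits."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        tag = classify(m["method"], m["path"])
        if tag:
            hits.append((m["ip"], tag, m["method"], m["path"], int(m["status"])))
    return hits


def route_write_then_refresh(hits):
    """Source IPs that both wrote a route and triggered a refresh.

    Abuse of the gateway actuator needs both steps; a single write with no
    refresh, or a refresh on its own, is weaker evidence.
    """
    by_ip = {}
    for ip, tag, *_ in hits:
        by_ip.setdefault(ip, set()).add(tag)
    wanted = {"gateway-route-write", "gateway-refresh"}
    return sorted(ip for ip, tags in by_ip.items() if wanted <= tags)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("route write + refresh from:", route_write_then_refresh(found))
```

A hit on the two-step pattern on an unpatched gateway should be treated as a likely compromise rather than a scan. Exposing the gateway actuator endpoint to untrusted networks is the precondition for this class of attack, so confirming it is disabled or authenticated is the first check to run alongside the log review.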
Sysrv-K builds on the older variants with new features. In April 2021, Juniper reported that Sysrv was bundled with exploits for six RCE vulnerabilities affecting installations of MongoDB's Mongo Express admin interface, the ThinkPHP PHP framework, the Drupal CMS, VMware-owned SaltStack, and the XXL-JOB and