Sysrv-Hello Botnet Rounding up WordPress Pods in Crypto-Miner Attack

Threat actors attack Kubernetes clusters for cryptomining; this time, the victims are WordPress users.

Sept. 3, 2021, 10:47 p.m.

TL;DR

Sysdig Security researchers, on August 26, 2021, released a report underlying malicious activity involving Kubernetes clusters. The attackers were reported to have been deploying Sysrv-Hello Botnet in WordPress pods.

Mining cryptocurrency individually is a very unproductive task.

Key Facts

1
The most recent case of botnet malware has been the Sysrv-Hello botnet.
2
Attackers earned initial access through misconfigured WordPress pods.
3
They (hackers) have been very elusive.
4
Their ultimate goal is to invade the system and mine cryptocurrency at scale.
5
The Sysrv-hello operators are actively updating configurations to match new developments.

Details

The Botnet cryptojacking attacks have been ravaging the internet since the beginning of last year. The word, Botnet, has enjoyed quality time on many headlines, with its different variants been paired with words like crypto-mining or cryptojacking. In this equally increasingly popular exercise, Kubernetes clusters have been targeted due to misconfigured Argo workflows or misconfiguration in CI/CD pipelines. These actors are always on the lookout for the slightest of weakness in a bid to strike, compromise systems, perform the mining exercise, and replicate the compromised systems. Their obfuscation tactics are not always topnotch but enough to buy ample time to complete a stretched and scaled cryptojacking activity. Mining cryptocurrency individually is a very unproductive task. Hence, they tend to compromise systems, take control of user profiles, and mine crypto at scale with the help of a crypto miner. In this case, it is a Botnet - the Sysrv-Hello Botnet.

Though the attackers have not been identified, their operation is in the air and has been brought to WordPress's attention, thanks to the research wing of the SaaS platform founded in 2013, Sysdig. The attackers have been planting the Sysrv-hello Botnet cryptominer in Kubernetes pods running WordPress. As said earlier, the goal is to control the pod, mine cryptocurrency at scale, and replicate themselves from compromised systems to keep their activities on a low profile.

Another borderline fact about this attack is using an attack script unfamiliar with malware databases, making it very elusive for security software. Only a few people have detected irregularities relating to these attacks. The Sysrv-hello botnet, initially discovered in late December 2020, is a Windows and Linux virus that leverages numerous vulnerabilities and is spread using shell scripts.

To match recent developments, Sysrv-operators are continually updating and altering the botnet. Since the first discovery, attackers have made many changes to the shell scripts that install Sysrv-hello implant on host systems, which is how the executable malware is distributed.