Last known affiliation: CUJO AI
Bio: Dorka has a Bachelor’s degree in applied mathematics. She continued her studies in the field of security and privacy, where she gained her Master’s degree in computer science specializing in advanced cryptography. She started her career at Sophos, mainly focusing on ransomware analysis, but as a member of the Emerging Threats team, she had the opportunity to gain experience in reverse engineering a wide range of malware attacks. Before joining CUJO AI she was working in the financial industry as an IT security analyst, focusing on threat hunting and forensics investigations. Currently, she is working at CUJO AI as a Senior Threat Researcher focusing on reverse engineering IoT malware.
György Lupták 🗣 | Dorka Palotay 🗣 | Albert Zsigovits
Abstract
Sysrv-hello, or Sysrv for short, is a botnet first discovered in late December 2020. The malware is written in Golang and targets both Linux and Windows endpoints. Based on its propagation style, it is a malicious worm with one end goal: to spread and mine the Monero cryptocurrency. It targets vulnerable Windows and Linux-based servers using numerous exploits.
We have closely followed the development of the Sysrv botnet from the defender’s perspective and gained insights into its operation. The botnet is still active as of today, and new variants are released every couple of days, each introducing either a new mining pool or an added feature. In this presentation, we would like to share our general findings about the botnet and shed some light on the development cycle of the Sysrv family. We will go into details such as propagation methods, the exploits used, the evolution of the first-stage scripts, and the overall development of the malicious binary.
For our analysis, we used the Ghidra reverse engineering framework and, in parallel, developed many custom scripts to aid our analysis of Go binaries. We will share these scripts during our talk and explain how the Sysrv botnet helped us improve our malware-fighting toolset.