Botconf Author Listing

György Lupták

Last known affiliation: CUJO AI
Bio: György Lupták is a Junior Threat Researcher at CUJO AI. He graduated with honors from the Budapest University of Technology and Economics in 2022 with a Master’s degree in Computer Engineering, specializing in Infocommunications Services and IT Security. At university, he detected anomalies in vehicular networks and co-authored a paper in this field. Lately, he has been focusing on threat intelligence and IoT botnets in particular. He is an average public transport enjoyer, loves history and historical grand strategy games, and is a big fan of classical music.
Date: 2022-04-27
Evolution of the Sysrv mining botnet
György Lupták 🗣 | Dorka Palotay 🗣 | Albert Zsigovits

Abstract

Sysrv-hello, or Sysrv for short, is a botnet that was first discovered in late December of 2020. The malware is written in Golang and targets both Linux and Windows endpoints. Based on its propagation style, it is a malicious worm, with one end-goal in mind: to spread and mine the Monero cryptocurrency. It targets vulnerable Windows and Linux-based servers using numerous exploits.

We have closely followed the development of the Sysrv botnet from the defender’s perspective and gained insights into its operation. The botnet is still active as of today and new variants are released every couple of days, introducing either a new mining pool or an added feature. In this presentation, we would like to share our general findings of the botnet and shed some light on the development cycle of the Sysrv family. We will go into details like propagation methods, utilized exploits, the evolution of first-stage scripts, and the overall development of the malicious binary.

For our analysis, we used the Ghidra reverse engineering framework and simultaneously developed many custom scripts to aid in our Go binary analysis. We will share these scripts during our talk and explain how the Sysrv botnet helped us improve our malware-fighting toolset.
