Sysrv-hello, or shortly Sysrv, is a botnet, which was first discovered in late December of 2020. The malware is written in Golang and targets both Linux and Windows endpoints. Based on its propagation style, it is a malicious worm, with one end-goal in mind: to spread and mine the Monero cryptocurrency. It targets vulnerable Windows and Linux-based servers using numerous exploits.

We have closely followed the development of the Sysrv botnet from the defender’s perspective and gained insights into its operation. The botnet is still active as of today and new variants are released every couple of days, introducing either a new mining pool or an added feature. In this presentation, we would like to share our general findings of the botnet and shed some light on the development cycle of the Sysrv family. We will go into details like propagation methods, utilized exploits, the evolution of first-stage scripts, and the overall development of the malicious binary.

For our analysis, we used the Ghidra reverse engineering framework and simultaneously developed many custom scripts to aid in our Go binary analysis. We will share these scripts during our talk and explain how the Sysrv botnet helped us improve our malware-fighting toolset.