Sysrv-Hello Cryptominer Botnet Expands its Infrastructure
released on 2021-04-30 @ 03:49:03 PM
Sysrv-hello is a multi-architecture cryptojacking (T1496) botnet that first emerged in late 2020 and employs Golang malware compiled into both Linux and Windows payloads. The malware is equal parts XMRig cryptominer and aggressive botnet propagator. The propagator relies on MySQL and Tomcat brute forcing (T1110) along with a suite of exploits, including ones for Atlassian and Apache products. It also uses several “No CVE” command execution techniques, including ones targeting Jupyter Notebook and Tomcat Manager. First documented in early February by Aliyun as “Sysrv-hello”, the botnet has since expanded in both the volume of specimens and its C2 infrastructure.