Keypoints
- New Sysrv variant uses compromised legitimate websites (including a Google Sites subdomain) to host an encoded, packed ELF payload that decodes into an XMRig miner.
- The initial dropper script (ldr.sh) sets download variables, provides a get function, downloads the second-stage binary, and executes it.
- The dropper disables endpoint protections and prior cryptomining processes, searches for SSH hosts/keys, and attempts lateral propagation via SSH.
- The dropper includes routines to prepare different CPU architectures before deploying the miner.
- The second stage is a statically linked, stripped Golang binary, packed with UPX and obfuscated so that static recovery tools such as GoReSym and redress no longer work on it.
- The Golang binary drops multiple ELF copies for persistence, starts a listener, and the unpacked XMRig connects to gulf.moneroocean.stream:10128 (and proxy 109.123.233.251:443) using a specific Monero wallet.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Exploited known web vulnerabilities in Apache Struts and Atlassian Confluence: ‘attempted to exploit multiple known web vulnerabilities in Apache Struts (CVE-2017-9805) and Atlassian Confluence (CVE-2023-22527 and CVE-2021-26084)’.
- [T1189] Drive-by Compromise – Used a compromised legitimate site to host malicious files: ‘The perpetrators of this iteration of the sysrv botnet campaign appear to have compromised the site to host their malicious files.’
- [T1105] Ingress Tool Transfer – Retrieved and executed a second-stage ELF from remote hosting (Google Sites): ‘the malware reaches out to sites.google.com to retrieve an encoded and packed ELF binary.’
- [T1021] Remote Services – Propagated to other hosts using SSH after searching for hosts and keys: ‘The script then performs a recursive search for SSH hosts and keys, and attempts to propagate the script on other hosts using SSH.’
- [T1562.001] Disable or Modify Tools – Killed processes and uninstalled software related to endpoint protection and prior malware: ‘the script executes various commands to kill processes and uninstall programs related to both endpoint protection and previous malware infections.’
- [T1543] Create or Modify System Process – Achieved persistence by dropping multiple ELF copies and starting a listener on the infected host: ‘the binary drops multiple copies of the same ELF file in various places in the file system, and also starts a listener on the infected host’.
- [T1027] Obfuscated Files or Information – Employed obfuscation in the Golang binary to thwart static recovery tools: ‘the use of obfuscation in the golang binary, meaning that efforts to recover the file structures using known tools such as GoReSym or redress were no longer effective.’
Indicators of Compromise
- [URLs] Dropper and mining endpoints – hxxps://sites.google[.]com/view/osk05/osk/E, hxxps://gulf.moneroocean[.]stream:10128, and 5 other items.
- [IP addresses] Hosting and proxy endpoints – 92.60.39[.]76 (dropper host), 109.123.233[.]251 (mining pool proxy).
- [File hashes] Malware samples – 6fb9b4dced1cf53a9… (ldr.sh dropper), 74d22338e9b71cef… (XMRig packed), and 4 more hashes.
- [File names] Primary scripts/binaries – ldr.sh (dropper), cron (ELF binary/miner).
- [Wallet] Monero mining wallet – 483F2xjkCUegxPM7wAexam1Be67EqDRZpS7azk8hcGETSustmuxd1Agffa3XSHFyzeFprLyHKm37bTPShFUTKgctMSBVuuK (associated with mining activity).
- [Domains/Platforms] Compromised hosting – a redacted Malaysian academic domain (DSpace/JSPUI) and sites.google[.]com/view/osk05/osk used to deliver encoded payloads.
The technical infection chain begins with a dropper script (ldr.sh) that sets variables for the command-and-control/download host, defines a get function for fetching files, and uses those to retrieve a second-stage binary. Before executing the payload, the script runs commands to terminate existing cryptominer processes and disable endpoint protection or scanning tools, then performs a recursive search for SSH hosts and private keys and attempts lateral movement by copying and executing itself over SSH. The dropper also contains architecture-detection and preparation routines to ensure the miner will run across different CPU types.
The second stage is a statically linked, stripped Golang binary, packed with UPX and obfuscated to impede static analysis. When run, it requests an encoded, packed ELF from a Google Sites URL, decodes and unpacks that content, and reveals an XMRig miner. The binary installs persistence by dropping multiple copies of the ELF across the filesystem and starting a listener process, while the miner connects to the mining endpoints (gulf.moneroocean.stream:10128 and the proxy 109.123.233.251:443) using a hardcoded Monero wallet.
Key defensive signals to monitor include network requests to the listed URLs/IPs, execution and creation of ldr.sh or cron ELF artifacts, unexpected attempts to kill security-related processes, abnormal SSH file transfers or authentication attempts, and the presence of UPX-packed Golang binaries that exhibit decoding/unpacking behavior. Capture and analyze these files dynamically where possible to extract the embedded ELF and miner configuration (pool and wallet) for further hunting and blocking.
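As an added example (not code from the original report), the Python below turns the defensive signals above into a small hunt: it scans log lines for the network indicators, the ldr.sh dropper and a cron binary executed from outside system paths, flags a fetched second stage that still carries the UPX marker, and extracts the pool and wallet strings from a decoded, unpacked miner image. The log lines and byte blobs it ships with are constructed for the demonstration, and the cron path heuristic is an assumption, since the write-up does not say where the dropped binary lands.

```python
"""Hunt for the Sysrv-variant indicators from this write-up in logs and files."""
import re
# Network indicators quoted in the write-up, re-fanged to match live log data.
IOC_NETWORK = {
    "sites.google.com/view/osk05/osk": "Google Sites payload host",
    "gulf.moneroocean.stream:10128": "Monero mining pool",
    "92.60.39.76": "dropper host",
    "109.123.233.251:443": "mining pool proxy",
}
LDR_RE = re.compile(r"\bldr\.sh\b")
# Assumption: a file literally named 'cron' run from outside system paths is the dropped miner.
CRON_RE = re.compile(r"(?:^|[\s=])([^\s=]*/cron)(?=\s|$)")
SYSTEM_PREFIXES = ("/usr/", "/etc/", "/bin/", "/sbin/")
# Standard Monero public address: '4' followed by 94 base58 characters.
B58 = r"[1-9A-HJ-NP-Za-km-z]"
WALLET_RE = re.compile((r"(?<!%s)4%s{94}(?!%s)" % (B58, B58, B58)).encode())

def scan_log_lines(lines):
    """Return (line_number, description) for each indicator hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        hits += [(n, desc) for ioc, desc in IOC_NETWORK.items() if ioc in line]
        if LDR_RE.search(line):
            hits.append((n, "ldr.sh dropper"))
        for m in CRON_RE.finditer(line):
            if not m.group(1).startswith(SYSTEM_PREFIXES):
                hits.append((n, "cron binary outside system paths"))
    return hits

def is_upx_packed(data):
    """True for an ELF still carrying the UPX marker (the second stage as fetched)."""
    return data.startswith(b"\x7fELF") and b"UPX!" in data

def extract_miner_config(data):
    """Pull pool and wallet strings out of a decoded, unpacked XMRig image."""
    pools = re.findall(rb"[\w.-]+\.moneroocean\.stream:\d+", data)
    return {"pools": [p.decode() for p in pools],
            "wallets": [w.decode() for w in WALLET_RE.findall(data)]}
# Constructed samples for the demonstration (not captured data).
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z proxy GET https://sites.google.com/view/osk05/osk/E 200",
    "2024-05-01T10:00:02Z exec uid=0 cmd=sh /tmp/ldr.sh",
    "2024-05-01T10:00:09Z exec uid=0 cmd=/tmp/.x/cron",
    "2024-05-01T10:00:10Z exec uid=0 cmd=/usr/sbin/cron -f",
    "2024-05-01T10:00:12Z conn dst=109.123.233.251:443 proto=tcp",
]
WALLET_FROM_WRITEUP = "483F2xjkCUegxPM7wAexam1Be67EqDRZpS7azk8hcGETSustmuxd1Agffa3XSHFyzeFprLyHKm37bTPShFUTKgctMSBVuuK"
PACKED_SAMPLE = b"\x7fELF" + b"\x00" * 12 + b"UPX!" + b"\x00" * 16
UNPACKED_SAMPLE = (b"\x7fELF" + b"\x00" * 12 + b"stratum+tcp://gulf.moneroocean.stream:10128\x00"
                   + WALLET_FROM_WRITEUP.encode() + b"\x00")
```

Only the decoded, unpacked image exposes the pool and wallet strings, so run `extract_miner_config` on the output of a dynamic capture rather than on the fetched second stage.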