The Sustes malware is a custom virus that was recently discovered in a global infection. It infects via a unique mechanism and is designed to load a cryptocurrency miner infection onto the target systems. At the moment the made impact cannot be determined.
The Custom Sustes Malware Infects Servers With Miner Code
A recently published security report has revealed a new threat identified as the Sustes malware. It is of interest by the specialists as Sustes is entirely custom made by an unknown hacker or criminal collective. What’s particularly interesting about it is the way it is distributed — it doesn’t infect directly via a worm or a direct injection. The victim hosts so far showcase that the targets are mainly Linux and IoT servers. The infection happens through exploitation and brute force attempts of servers. A script is being launched which will drop and execute other software including a dropper.
The procedure launches a complex behavior pattern:
- The first actions are related to a stealth protection technique. It will scan for applications and services that may be found on the target systems. Using application signatures the malicious engine will identify if such software is installed.
- Network connections will be evaluated and those connecting to specific addresses will be killed.
- When these two commands have been complete the payload dropper will be initiated and download the Sustes malware to the target hosts.
- A cron tab will be set up to periodically execute malware code.
The custom Sustes malware will download a configuration file from a remote server featuring several wallet addresses. This is part of the cryptocurrency miner deployment process which will install a Monero-based application. The analysis of the addresses has lead the security analysts into believing that that the pools and proxies have been deployed by the hackers as well.
The name Sustes comes from the process name which is a renamed and customized version of a popular miner used by ordinary computer users. It will follow the same mode of operations as other related malware by taking advantage of the available system resources in order to carry out complex calculations. When they are reported the results will be reported to the pools which will reward digital currency (in the form of Monero tokens) to the operators.
The dangerous characteristic is the fact that an estimate of the infected computers cannot be made at this time. The only way to prevent the infiltrations is to strengthen the network security of the Linux and IoT servers exposed in public. It is very possible that further attacks will be carried out with other distribution tactics.
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me:
just picked it up on a raspberry pi running Node-Red…
completely my fault
hey Trevor, what happened?