Malicious Sustes has been updated and is now spreading through Exim's vulnerability (CVE-2019-10149)

The malware Sustes has been updated and is now spreading through the vulnerability in Exim (CVE-2019-10149).

A new wave of crypto miner Sustes now uses the June vulnerability in Exim mail server for infections. Starting on August 11, our PT Network Attack Discovery network sensors detect attempts to operate mail servers in incoming network traffic.

Scanning takes place from the address 154.16.67 [.] 133, and the command in the RCPT TO field loads the malicious bash script at the address hxxp: //154.16.67 [.] 136 / main1. A chain of scripts results in installing an XMR miner on the host and adding it to crontab. The script adds its public SSH key to the authorized_keys list of the current user, which will allow attackers to gain passwordless SSH access to the machine in the future.

Additionally, Sustes is trying to propagate to other hosts from the known_hosts list over SSH; it is expected that they are automatically connected to them using the public key. The infection process is repeated again on available SSH hosts.



There is another way of distribution. Sustes executes a chain of Python scripts, the last of which - hxxp: //154.16.67 [.] 135 / src / sc - contains a random Redis server scanner that also adds itself to crontab for autorun and its key to the list of trusted SSH- keys on vulnerable Redis servers:

x = s2.connect_ex((self.host, 6379)) … stt2=chkdir(s2, '/etc/cron.d') rs=rd(s2, 'config set dbfilename crontab\r\n') rs=rd(s2, 'config set dbfilename authorized_keys\r\n') stt3=chkdir(s2, '/root/.ssh') 

Getting rid of the malware Sustes is quite simple: delete the malicious files and scripts with the names from the list below, and also clean the crontab and known_hosts files from the malicious entries. Sustes exploits other vulnerabilities to infect, for example, a vulnerability in the Hadoop YARN ResourceManager, or uses account brute force.