Clever Geek Handbook

Malicious Sustes has been updated and is now spreading through Exim's vulnerability (CVE-2019-10149)





The malware Sustes has been updated and is now spreading through the vulnerability in Exim (CVE-2019-10149).



A new wave of crypto miner Sustes now uses the June vulnerability in Exim mail server for infections. Starting on August 11, our PT Network Attack Discovery network sensors detect attempts to operate mail servers in incoming network traffic.



Scanning takes place from the address 154.16.67 [.] 133, and the command in the RCPT TO field loads the malicious bash script at the address hxxp: //154.16.67 [.] 136 / main1. A chain of scripts results in installing an XMR miner on the host and adding it to crontab. The script adds its public SSH key to the authorized_keys list of the current user, which will allow attackers to gain passwordless SSH access to the machine in the future.



Additionally, Sustes is trying to propagate to other hosts from the known_hosts list over SSH; it is expected that they are automatically connected to them using the public key. The infection process is repeated again on available SSH hosts.







There is another way of distribution. Sustes executes a chain of Python scripts, the last of which - hxxp: //154.16.67 [.] 135 / src / sc - contains a random Redis server scanner that also adds itself to crontab for autorun and its key to the list of trusted SSH- keys on vulnerable Redis servers: 



x = s2.connect_ex((self.host, 6379)) … stt2=chkdir(s2, '/etc/cron.d') rs=rd(s2, 'config set dbfilename crontab\r\n') rs=rd(s2, 'config set dbfilename authorized_keys\r\n') stt3=chkdir(s2, '/root/.ssh')


Getting rid of the malware Sustes is quite simple: delete the malicious files and scripts with the names from the list below, and also clean the crontab and known_hosts files from the malicious entries. Sustes exploits other vulnerabilities to infect, for example, a vulnerability in the Hadoop YARN ResourceManager, or uses account brute force.



IoCs:

Filenames:



/etc/cron.hourly/oanacroner1

/etc/cron.hourly/cronlog

/etc/cron.daily/cronlog

/etc/cron.monthly/cronlog

sustse

.ntp

kthrotlds

npt

wc.conf



Urls:



hxxp: //154.16.67.135/src/ldm

hxxp: //154.16.67.135/src/sc

hxxp: //107.174.47.156/mr.sh

hxxp: //107.174.47.156/2mr.sh

hxxp: //107.174.47.156/wc.conf

hxxp: //107.174.47.156/11

hxxp: //154.16.67.136/mr.sh

hxxp: //154.16.67.136/wc.conf



Custom Monero Pools



185.161.70.34{333

154.16.67.133:80

205.185.122.99haps333



Wallet



4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg



SSH Public key



AAAAB3NzaC1yc2EAAAADAQABAAAsdBAQC1Sdr0tIILsd8yPhKTLzVMnRKj1zzGqtR4tKpM2bfBEx AHyvBL8jDZDJ6fuVwEB aZ8bl / pA5qhFWRRWhONLnLN9RWFx / 880msXITwOXjCT3Qa6VpAFPPMazJpbppIg LTkbOEjdDHvdZ8RhEt7tTXc2DoTDcs73EeepZbJmDFP8TCY7hwgLi0XcG8YHkDFoKFUhvSHPkzAsQd9hyOWaI1taLX2VZHAk8rOaYqaRG3URWH3hZvk8Hcgggm2q / IQQa9VLlX4cSM4SifM / ZNbLYAJhH1x3ZgscliZVmjB55wZWRL5oOZztOKJT2oczUuhDHM1qoUJjnxopqtZ5DrA76WH



MD5



95e2f6dc10f2bc9eecb5e29e70e29a93

235ff76c1cbe4c864809f9db9a9c0c06

e3363762b3ce5a94105cea3df4291ed4

e4acd85686ccebc595af8c3457070993

885beef745b1ba1eba962c8b1556620d

83d502512326554037516626dd8ef972



Script Files:

Main1 pastebin.com/a2rgcgt3

Main1 py snippet pastebin.com/Yw2w6J9E

src / sc pastebin.com/9UPRKYqy

src / ldm pastebin.com/TkjnzPnW


More articles:


All Articles