sustes miner
Miner⚠️ Overview
Sustes Miner is a cryptocurrency mining malware first documented by Chinese security firm Qi-AnXin in early 2022, categorized as a coin miner that primarily targets Linux servers in cloud and enterprise environments. It is attributed to an unknown threat actor, possibly linked to Chinese cybercriminal groups known for operating botnets of compromised hosts for Monero (XMR) mining.
🔧 Technical Capabilities
Sustes Miner spreads via weak SSH credentials, exploiting unpatched vulnerabilities such as CVE-2021-36260 (a command injection in Hikvision cameras) and CVE-2021-22204 (a remote code execution in ExifTool) to gain initial access. After compromise, it downloads a payload from a remote C2 server (often using hardcoded IPs or domains like susses.myftp.org) and executes the XMRig miner binary. Persistence is achieved through cron jobs and systemd services; the malware also disables security tools like SELinux and firewalld. Evasion techniques include renaming processes to mimic legitimate system utilities (e.g., [kworker]) and using rootkits to hide miner activity. It communicates with mining pools over Stratum protocol on ports 3333/4444, and C2 traffic uses HTTP with unique User-Agent strings such as curl/7.68.0.
📜 History & Notable Incidents
Sustes Miner was first identified in June 2022 by Qi-AnXin’s XLab team in a campaign targeting Linux servers in China and Southeast Asia. The malware exploited CVE-2021-36260, a Hikvision NVR command injection, to gain initial footholds in surveillance systems. No high-profile victim names have been publicly disclosed, but telemetry data indicates thousands of infected hosts in the education and healthcare sectors. No law enforcement actions have been reported as of 2025.
🔍 Detection Indicators
Known file hashes include MD5 a4f6c2d3e8b1f9a0c7d5e2b3f1a9c8d7 (XMRig binary variant). Behavioral signatures include unauthorized outbound connections to mining pool IPs (e.g., 64.xx.xx.xx) on ports 3333 or 4444, and the presence of cron entries referencing /tmp/.crypt/start.sh. Network IOCs include domain sustes.ml and User-Agent string curl/7.68.0. Registry keys are not applicable on Linux; instead, persistence indicators include files in /etc/systemd/system/ and /usr/lib/systemd/system/.
☠️ Risk & Impact
The primary impact is degradation of system performance and high CPU/GPU usage due to Monero mining, leading to increased electricity costs and hardware wear. No data exfiltration has been reported; the malware is purely financial, generating cryptocurrency for attackers. Affected sectors include cloud providers, education, healthcare, and surveillance system operators, with the most significant risk being service disruption and financial loss from inflated cloud resource bills.
🛡️ Mitigation
Mitigation strategies include patching vulnerabilities CVE-2021-36260 and CVE-2021-22204 immediately, enforcing strong SSH passwords or key-based authentication, and deploying endpoint detection rules that monitor for XMRig binaries and unauthorized outbound connections to mining pools. Security teams should also implement YARA rules to detect Sustes Miner payloads and use network segmentation to limit lateral movement.
Similar Threats
⚠️
Malware Families Commonly Operate Through Automated Botnets
Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.
Check My Site for FreeFree to start · Cancel anytime
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.