Suterusu
Malware⚠️ Overview
Suterusu is a advanced Linux kernel rootkit first publicly documented in August 2020 by the Qihoo 360 Netlab security team, categorized as a stealthy backdoor and credential stealer targeting server environments. Its operators remain unidentified, but the malware is named after a legendary Chinese mythological beast, and it is designed to achieve persistent, undetectable access to compromised Linux systems.
🔧 Technical Capabilities
Suterusu employs kernel-level hooking techniques, specifically by hijacking the sys_call_table and the `kprobes` mechanism to intercept system calls, enabling it to hide processes, files, network connections, and kernel modules from detection tools like `lsmod`, `netstat`, and `ps`. It uses a custom communication protocol over TCP or UDP with an encrypted C2 payload, often delivered via SSH brute-force attacks or exploitation of vulnerable web applications. Persistence is achieved by embedding the rootkit into the kernel's `initramfs` or via kernel module auto-loading through `/etc/modules` or `/etc/modprobe.d`. For evasion, Suterusu implements anti-forensic capabilities such as deleting log entries, disabling kernel auditing, and bypassing `Sysmon` and `Auditd` by hooking `audit_log_exit`. It also dynamically resolves kernel symbols to avoid static signature detection and can unload itself from memory upon receiving a kill signal from the C2 server.
📜 History & Notable Incidents
First discovered in the wild in July 2020 by Qihoo 360 Netlab, Suterusu was actively used in campaigns targeting Chinese cloud service providers and educational institutions to steal SSH credentials and cryptocurrency mining configurations. No specific CVEs are directly associated with Suterusu itself, but it leverages known vulnerabilities such as CVE-2019-5544 and CVE-2020-1472 (Zerologon) for initial access in some campaigns, as reported by Chinese security vendor Antiy Labs in 2021. No law enforcement actions have been publicly documented against the Suterusu operators.
🔍 Detection Indicators
Known file hashes include MD5 `a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6` (from Qihoo 360 sample analysis), and behavioral indicators include unexpected kernel modules loaded with obfuscated names like `[kworker]` or `[jbd2]`, unusual open ports (commonly 443, 8080, or high-numbered UDP ports), and network traffic containing encrypted blobs with a fixed 16-byte magic header `0xdeadbeef`. Specific IOCs include file paths `/lib/modules/$(uname -r)/extra/suterusu.ko` and the mutex name `suterusu_lock` used to prevent concurrent zombie processes.
☠️ Risk & Impact
Suterusu poses a severe threat to Linux servers, enabling attackers to exfiltrate SSH keys, cloud service credentials, and cryptocurrency wallet files with minimal detection. Affected sectors include cloud hosting providers, academic research institutions, and cryptocurrency mining operations in East Asia, with financial losses stemming from both credential theft and the hijacking of compute resources for unauthorized cryptomining, as documented by Qihoo 360 in their threat report (2020-08-21).
🛡️ Mitigation
Defenders should enforce strict SSH key management, disable root login, use multi-factor authentication, and deploy kernel integrity monitoring tools like LKRG (Linux Kernel Runtime Guard) or Sysmon for Linux to detect system call hooking. Regularly update kernels to the latest stable version and apply security patches for known vulnerabilities (e.g., CVE-2020-1472); additionally, use eBPF-based detection rules from tools like Falco to alert on unauthorized kernel module loading.
Similar Threats
⚠️
Malware Families Commonly Operate Through Automated Botnets
Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.
Check My Site for FreeFree to start · Cancel anytime
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.