CryptoSink Description

In 2019 malware researchers uncovered an illicit cryptocurrency mining campaign named CryptoSink. The attackers appear to exploit a known vulnerability to compromise the targeted systems. The exploit used in the CryptoSink operation is called ‘CVE-2014-3120,’ and it is related to an older version of the Elasticsearch application. The program in question is compatible with Windows and Linux systems. Due to this fact, the operators of the CryptoSink campaign have made their threat compatible with both operating systems.

Gaining Persistence

To compromise the targeted system, the CryptoSink threat will inject a modified variant of the infamous XMRig cryptocurrency miner. Depending on whether the threat is deployed on a Windows or a Linux system, it will gain persistence on the host differently. To gain persistence on a Windows computer, the CryptoSink threat would use several basic tricks. However, when the CryptoSink threat compromises a Linux system, it will have to utilize much more complex techniques to gain persistence. As soon as the CryptoSink malware manages to infect a Linux system, it will fetch several corrupted payloads that will help the attackers get backdoor access to the machine. The CryptoSink threat also is reported to modify the ‘rm’ command, which means that every time this command, in particular, is used, the CryptoSink malware will be executed. This way, even if the user removes the files linked to the CryptoSink malware activity, as soon as they use the ‘rm’ command, the threat will be redeployed.

Removing Competitors

The miner is designed to mine for the Monero cryptocurrency. The CryptoSink threat is also capable of detecting whether there is another cryptocurrency miner present on the infected computer. If there are any competing miners detected, the CryptoSink threat will attempt to halt their activities. However, the CryptoSink malware does not simply remove other miners that may have compromised the system; it makes sure that if the system tries to connect to a pre-configured list of mining pools, the traffic will be redirected to ‘’ immediately. This prevents the competing miners from connecting to their pre-determined mining pool.

The CryptoSink operation is very advanced, and removing the miner from a compromised host can prove to be rather challenging. Make sure to have a genuine anti-malware solution installed that will aid you in the removal of the CryptoSink threat.

Do You Suspect Your PC May Be Infected with CryptoSink & Other Threats? Scan Your PC with SpyHunter

SpyHunter is a powerful malware remediation and protection tool designed to help provide PC users with in-depth system security analysis, detection and removal of a wide range of threats like CryptoSink as well as a one-on-one tech support service. Download SpyHunter's FREE Malware Remover
Note: SpyHunter's scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware removal tool to remove the malware threats. Read more on SpyHunter. Free Remover allows you to run a one-off scan and receive, subject to a 48-hour waiting period, one remediation and removal. Free Remover subject to promotional details and Special Promotion Terms. To understand our policies, please also review our EULA, Privacy Policy and Threat Assessment Criteria. If you no longer wish to have SpyHunter installed on your computer, follow these steps to uninstall SpyHunter.

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.