CryptoSink

By GoldSparrow in Malware

Translate To:

In 2019 malware researchers uncovered an illicit cryptocurrency mining campaign named CryptoSink. The attackers appear to exploit a known vulnerability to compromise the targeted systems. The exploit used in the CryptoSink operation is called ‘CVE-2014-3120,’ and it is related to an older version of the Elasticsearch application. The program in question is compatible with Windows and Linux systems. Due to this fact, the operators of the CryptoSink campaign have made their threat compatible with both operating systems.

Gaining Persistence

To compromise the targeted system, the CryptoSink threat will inject a modified variant of the infamous XMRig cryptocurrency miner. Depending on whether the threat is deployed on a Windows or a Linux system, it will gain persistence on the host differently. To gain persistence on a Windows computer, the CryptoSink threat would use several basic tricks. However, when the CryptoSink threat compromises a Linux system, it will have to utilize much more complex techniques to gain persistence. As soon as the CryptoSink malware manages to infect a Linux system, it will fetch several corrupted payloads that will help the attackers get backdoor access to the machine. The CryptoSink threat also is reported to modify the ‘rm’ command, which means that every time this command, in particular, is used, the CryptoSink malware will be executed. This way, even if the user removes the files linked to the CryptoSink malware activity, as soon as they use the ‘rm’ command, the threat will be redeployed.

Removing Competitors

The miner is designed to mine for the Monero cryptocurrency. The CryptoSink threat is also capable of detecting whether there is another cryptocurrency miner present on the infected computer. If there are any competing miners detected, the CryptoSink threat will attempt to halt their activities. However, the CryptoSink malware does not simply remove other miners that may have compromised the system; it makes sure that if the system tries to connect to a pre-configured list of mining pools, the traffic will be redirected to ‘127.1.1.1’ immediately. This prevents the competing miners from connecting to their pre-determined mining pool.

The CryptoSink operation is very advanced, and removing the miner from a compromised host can prove to be rather challenging. Make sure to have a genuine anti-malware solution installed that will aid you in the removal of the CryptoSink threat.

Enigma Software Group Prevails Over Malwarebytes at the Ninth Circuit

Search

Change Region

CryptoSink

Gaining Persistence

Removing Competitors

Submit Comment

Trending

'YouPorn' Email Scam

Safe Search Eng

Findtheirreport.com

Most Viewed

Is Lookmovie.io Safe?

How To Fix 'Printer Driver is Unavailable' Error

Discord Shows Black Screen when Sharing Screen