In 2019, malware researchers uncovered an illicit cryptocurrency mining campaign named CryptoSink. The attackers appear to exploit a known vulnerability to compromise the targeted systems: the flaw used in the CryptoSink operation is tracked as CVE-2014-3120 and affects an older version of the Elasticsearch application. Elasticsearch runs on both Windows and Linux, and the operators of the CryptoSink campaign have accordingly made their threat compatible with both operating systems.
To compromise the targeted system, the CryptoSink threat injects a modified variant of the infamous XMRig cryptocurrency miner. Depending on whether it is deployed on a Windows or a Linux system, it gains persistence on the host differently. On a Windows computer, the CryptoSink threat uses several basic tricks to persist. When it compromises a Linux system, however, it has to use considerably more complex techniques. As soon as the CryptoSink malware infects a Linux system, it fetches several corrupted payloads that give the attackers backdoor access to the machine. The CryptoSink threat is also reported to modify the ‘rm’ command, so that every time this particular command is used, the CryptoSink malware is executed. As a result, even if the user removes the files linked to the CryptoSink malware activity, the threat is redeployed the next time they run ‘rm’.
The miner is designed to mine the Monero cryptocurrency. The CryptoSink threat can also detect whether another cryptocurrency miner is present on the infected computer and, if it finds any competing miners, attempts to halt them. The CryptoSink malware does not simply remove other miners that may have compromised the system, however; it also makes sure that when the system tries to connect to any of a pre-configured list of mining pools, the traffic is immediately redirected to ‘127.1.1.1’. This prevents the competing miners from reaching their pre-determined mining pool.
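Two defender-side checks for the behaviours described in the two paragraphs above (the modified ‘rm’ command and the sinkholing of pool traffic), written as an added example and not code from the original article or from the CryptoSink analysis it summarises. It assumes the redirection to 127.1.1.1 (a loopback address) is implemented through hosts-file entries, which the article does not state, and it uses constructed sample data in place of real pool names.

```python
import ipaddress
import re

# Loopback names that legitimately appear in /etc/hosts and must not be flagged.
_LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def hosts_redirects(hosts_text):
    """Return (hostname, ip) pairs in hosts-file text that pin a non-local name
    to a loopback address, the way CryptoSink sinks rival pool traffic at 127.1.1.1."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # malformed line, skip it
        if not ip.is_loopback:                 # covers 127.0.0.0/8 and ::1
            continue
        for name in fields[1:]:
            if name.lower() not in _LOCAL_NAMES:
                hits.append((name, str(ip)))
    return hits

def rm_looks_hijacked(rm_path, first_bytes, shell_rc_text):
    """Return the reasons the 'rm' command looks replaced or wrapped, given the
    resolved path of rm, the first bytes read from it (a genuine rm is an ELF
    binary) and the concatenated contents of the shell rc files to inspect."""
    reasons = []
    if not first_bytes.startswith(b"\x7fELF"):
        reasons.append(f"{rm_path} is not an ELF executable")
    if re.search(r"^\s*alias\s+rm=", shell_rc_text, re.MULTILINE):
        reasons.append("rm is aliased in a shell rc file")
    if re.search(r"^\s*(function\s+)?rm\s*\(\)", shell_rc_text, re.MULTILINE):
        reasons.append("rm is redefined as a shell function")
    return reasons

# Constructed sample inputs for demonstration, not taken from a real infection.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
10.0.0.5    build.internal      # legitimate entry, not loopback
127.1.1.1   pool-a.example
127.1.1.1   pool-b.example      # mimics the sinkhole the article describes
"""
SAMPLE_RC = "alias ls='ls --color'\nalias rm='/tmp/.cache/rm'\n"
```

Hosts-file ad blockers pin names to 127.0.0.1 in the same way, so allowlist those before treating a hit as an infection indicator. Verifying the coreutils package with the package manager (dpkg -V or rpm -V) is the stronger check for a tampered rm binary.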
The CryptoSink operation is quite advanced, and removing the miner from a compromised host can prove challenging. Make sure to have a genuine anti-malware solution installed that will aid you in removing the CryptoSink threat.