
CryptoSink

Posted: February 14, 2020

CryptoSink is the name of a harmful cryptocurrency mining campaign, first detected in 2019, that uses a well-known exploit to infect vulnerable computers. The exploit in question is tracked as 'CVE-2014-3120' and affects outdated versions of the Elasticsearch project, which is available for both Linux and Windows. The attackers behind the CryptoSink campaign have certainly taken advantage of this opportunity, and their cryptocurrency miner can be deployed on both Linux and Windows machines. The threat uses different persistence techniques depending on the operating system it runs on, and malware researchers have also determined that CryptoSink actively seeks to eliminate any competing miners it finds on infected machines.

Regardless of the victim's operating system, CryptoSink always aims to drop a modified version of the XMRig miner, pre-configured to mine the Monero cryptocurrency using a mining pool chosen by the perpetrators. While the Windows variant of the malware uses basic techniques to gain persistence, the Linux variant of CryptoSink is considerably more advanced, for several reasons.

CryptoSink can Plant Cryptocurrency Miners on Windows and Linux

If CryptoSink manages to penetrate the defenses of a Linux system, it attempts to download several additional pieces of malware that may give the attackers backdoor access to the compromised host. CryptoSink also modifies the way the 'rm' command works on Linux so that it redeploys the malware whenever the command is used. This means that even if every remnant of the CryptoSink infection is removed, the malware is re-installed as soon as the victim runs 'rm', which makes full removal of this infection a very challenging task.

Another operation that CryptoSink carries out on both operating systems aims to disrupt the activity of other cryptocurrency miners. Usually, competing miners are simply removed from the system, but CryptoSink's authors use a more sophisticated approach: they reconfigure the victim's network settings so that connection attempts to a pre-defined list of popular mining pools are redirected to '127.1.1.1'. This way, competing miners do not hog CPU resources; instead, they continuously try, and fail, to reconnect to their respective mining pools.
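A defender-side triage check for the two behaviours described above (the sinkholed mining-pool entries and the hijacked 'rm'), added here as an example; it is not part of the original write-up and not code from the malware. It assumes the pool redirection is implemented through hosts-file entries and the 'rm' change through a script standing in for the real binary; neither mechanism is stated on this page, and the pool hostnames in the sample are constructed placeholders.

```python
import ipaddress
import sys

# Constructed sample in hosts-file syntax. The 127.1.1.1 sinkhole address is
# the one described for CryptoSink; the pool names are placeholders.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
127.1.1.1   pool.example-pool.invalid
127.1.1.1   xmr.example-pool.invalid stratum.example-pool.invalid
10.0.0.5    intranet.corp.example
"""

# Names that legitimately map to a loopback address.
LOOPBACK_OK = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def find_sinkholed_hosts(text):
    """Return (line_no, address, name) for each non-local name mapped to loopback."""
    hits = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # strip comments, tokenize
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not an address
        if addr.is_loopback:
            hits += [(line_no, str(addr), n) for n in fields[1:]
                     if n.lower() not in LOOPBACK_OK]
    return hits

def rm_looks_wrapped(head):
    """Heuristic on the first bytes of the 'rm' executable: a genuine rm is a
    native ELF (Linux) or PE (Windows) image. A shebang means a script is
    standing in for the real binary (assumption about how the hijack is done)."""
    if head.startswith(b"\x7fELF") or head.startswith(b"MZ"):
        return False
    return head.startswith(b"#!")

if __name__ == "__main__":
    # Pass a hosts file path to scan a real system; the sample is used otherwise.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for line_no, addr, name in find_sinkholed_hosts(text):
        print(f"line {line_no}: {name} -> {addr}  (possible sinkhole entry)")
    try:
        with open("/bin/rm", "rb") as f:
            print("rm looks wrapped:", rm_looks_wrapped(f.read(4)))
    except OSError:
        pass  # not a Linux host, or rm is not at /bin/rm
```

A hit from `find_sinkholed_hosts` is not proof of infection on its own, but on a host where a miner is stuck reconnecting to its pool it is the first place to look.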

CryptoSink is one of the most advanced illicit cryptocurrency mining campaigns identified by malware researchers in the past year. It uses a wide range of techniques to gain persistence and eliminate its competitors, but its reach is rather limited because of the outdated vulnerabilities it relies on to find new victims. Protecting your system from threats like this one requires a sophisticated anti-malware software suite.
