Researchers Uncover New Crypto-Mining Campaign with Sinkholing Capabilities
A recent discovery by researchers has revealed a new crypto-mining campaign targeting Elasticsearch instances, utilizing sinkholing capabilities to eliminate competition from other miners.
The malware, known as “CryptoSink,” takes advantage of a vulnerability in Elasticsearch dating back to 2014 (CVE-2014-3120), allowing it to mine cryptocurrency on both Windows and Linux systems. According to findings by F5’s Andrey Shalnev and Maxim Zavodchik, the campaign is currently operating with one of its three hard-coded command and control (C&C) domains active, hosted on a server in China.
One of the most intriguing aspects of this campaign is its method of neutralizing rival miners on the same host. Instead of simply scanning for known malware processes or high CPU consumption, CryptoSink takes a more sophisticated approach.
“The malware dropper introduces a more sophisticated tactic to paralyze competitors who survive the initial purge. We’ve called it ‘CryptoSink’ because it sinkholes the outgoing traffic that is normally directed at popular cryptocurrency pools and redirects it to localhost (127.0.0.1) instead,” explained F5.
By modifying the ‘/etc/hosts’ file with the domains of targeted cryptocurrency pools, CryptoSink prevents competing miners from connecting to these pools, effectively halting their mining operations and freeing up system resources on the infected machine.
Furthermore, the malware demonstrates persistence by tampering with the rm binary in Linux systems. It renames the original rm binary to “rmm” and replaces it with a malicious file named “rm” downloaded from its C&C server.
“Now, each time the user executes the rm command, the forged rm file will randomly decide if it should additionally execute malicious code, and only then will it call the real rm command (that is, execute the file that’s now named rmm). The malicious code in the rm binary will check if the cronjob exists and if not, it will be added again,” F5 elaborated.
This tactic complicates cleanup for administrators: using the rm command to delete the malware’s files runs the tampered binary, which may re-create the cron job and so restore the malware’s persistence in the course of the removal itself.
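Both host-level artifacts described above (pool hostnames pinned to 127.0.0.1 in /etc/hosts, and a replaced rm with the original renamed to rmm) can be checked for with a short script. The following is an added example for defenders, not F5’s code or anything from the campaign; the /etc/hosts content is constructed with placeholder names, and the /bin/rm and /bin/rmm paths are assumptions.

```python
"""Checks for the two host artifacts described above: pool hostnames pinned
to 127.0.0.1 in /etc/hosts, and rm replaced with the original renamed to rmm.
Added example, not F5's code; paths and sample data are assumptions."""
import os

# Names that legitimately map to loopback in a stock /etc/hosts.
LOOPBACK_ALLOWLIST = {"localhost", "localhost.localdomain", "localhost4",
                      "localhost6", "ip6-localhost", "ip6-loopback"}

# Constructed /etc/hosts content: two normal lines, then placeholder pool
# names pinned to 127.0.0.1 in the way the article describes.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
127.0.0.1   pool.example-miner.invalid
127.0.0.1   stratum.example-pool.invalid   # constructed, not a real pool
"""

def find_sinkholed_hosts(hosts_text, allowlist=LOOPBACK_ALLOWLIST):
    """Return hostnames mapped to 127.0.0.1 or ::1 that are not expected there."""
    flagged = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/blank lines
        if not line:
            continue
        addr, *names = line.split()
        if addr in ("127.0.0.1", "::1"):
            flagged.extend(n for n in names if n not in allowlist)
    return flagged

def is_elf(head):
    """A genuine Linux rm is an ELF executable; a dropped wrapper script is not."""
    return head[:4] == b"\x7fELF"

def check_rm_tampering(rm_path="/bin/rm", renamed_path="/bin/rmm"):
    """Look for the rename-and-replace: rmm present beside rm, or a non-ELF rm."""
    findings = []
    if os.path.exists(renamed_path):
        findings.append(f"{renamed_path} exists: original rm may have been renamed")
    try:
        with open(rm_path, "rb") as f:
            if not is_elf(f.read(4)):
                findings.append(f"{rm_path} is not an ELF binary")
    except OSError as exc:
        findings.append(f"cannot read {rm_path}: {exc}")
    return findings
```

On Debian-style systems the machine’s own hostname maps to 127.0.1.1, which this check deliberately leaves alone; any finding from check_rm_tampering should be confirmed against the package manager’s file verification before acting on it.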
The discovery of the CryptoSink campaign highlights the evolving tactics and capabilities of crypto-mining malware, emphasizing the importance of robust cybersecurity measures to protect against such threats.