The threat intelligence arm of F5 Networks have uncovered a new malware campaign dubbed “CryptoSink” used to deploy an XRM (Monero) mining operation targeting Elasticsearch systems.
Key features include:
- The campaign exploits a five-year-old vulnerability (CVE-2014-3120) in Elasticsearch systems running on Windows and Linux
- On Linux, it delivers several previously unknown malware which wasn’t detected by antivirus solutions
- It uses previously unseen methods to kill competing crypto-miners on the infected machine and to persist on the server (by replacing the Linux remove command)
- Its backdoors the server by adding the attacker’s SSH keys.
- It uses several command and control (C&C) servers; the current live C&C is located in China.
How CryptoSink Works
There are multiple methods that attackers can use to get a cryptocurrency miner on a system. In the CryptoSink campaign, F5 Labs found that the attackers were deploying software to mine the Monero (XMR) cryptocurrency. The XMR miner is deployed on either Linux or Windows servers and is able to consume system resources, making an infected server appear to run slower for regular operations.
As part of CryptoSink, the attackers use a dropper to “drop” or install a file that leads to the XMR miner installation. According to F5 Labs, at the time the research group discovered the attack, most antivirus (AV) technologies did not actually detect the dropper file as being malware. Zavodchik commented that he wasn’t surprised that the CryptoSink dropper wasn’t detected, as the antivirus solutions for Linux servers still don’t seem to be as focused on endpoints as the solutions are for Windows servers.
“Many times we see Linux malware going undetected or strongly misclassified,” Zavodchik said. “We might also speculate that as the malware was trying to keep it simple, without sophisticated packing or process injections, it was ironically going under the radar of the AVs.”
If the CryptoSink campaign detected that a given server was already running a cryptocurrency mining software application, the attackers ended up redirecting that traffic to a sinkhole, effectively shutting down the competitive mining activity.
the crypto-miner sinkholing technique deployed by the current attackers could be also reviewed by defenders as a countermeasure. However, to avoid the initial infection, defenders should deploy a more effective patching process, whether it is done in the code or virtually by a web application firewall.
For more cybersecurity information contact us at firstname.lastname@example.org