Elasticsearch Crypto-Miner Sinkholes the Competition

Researchers have discovered a new crypto-mining campaign targeting Elasticsearch instances that includes a sinkholing capability designed to knock out competing miners on the same host.

The aptly named “CryptoSink” malware campaign exploits a 2014 Elasticsearch remote code execution vulnerability (CVE-2014-3120) to mine cryptocurrency on both Windows and Linux hosts, according to F5’s Andrey Shalnev and Maxim Zavodchik.

At the time of the research, just one of the three hard-coded C&C domains was operational, resolving to a server located in China.

The most interesting feature, however, is the way it finds and kills any competing crypto-mining malware on the same host.

Typically, attackers do this by scanning running processes to find known malware names, or else looking to see which processes are consuming the most CPU.

“In this case, the malware dropper introduces a more sophisticated tactic to paralyze competitors who survive the initial purge. We’ve called it ‘CryptoSink’ because it sinkholes the outgoing traffic that is normally directed at popular cryptocurrency pools and redirects it to localhost instead,” F5 explained.

“It achieves this by writing the target pools’ domains to the ‘/etc/hosts’ file. In doing so, the competitors’ miners are not able to connect to those cryptocurrency pools and fail to start the mining process, which frees up system resources on the infected machine.”

The malware has another trick up its sleeve, this time to achieve persistence. It renames the original rm binary (the Linux “remove” command) to “rmm” and replaces it with a malicious file named “rm”, downloaded from its C&C server.

“Now, each time the user executes the rm command, the forged rm file will randomly decide if it should additionally execute malicious code, and only then will it call the real rm command (that is, execute the file that’s now named rmm). The malicious code in the rm binary will check if the cronjob exists and if not, it will be added again,” F5 explained.

“The irony is that even if the infected server’s administrator were to detect the other malicious files and try to remove them, she would probably use the rm command which, in turn, would reinstall the malware.”
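The two tricks described above, the /etc/hosts sinkhole and the rm/rmm swap, both leave artefacts an administrator can look for without trusting the host’s own tooling. The following Python triage script is an added example for this page, not code from F5 or from the malware: it parses hosts-file text for known pool domains pinned to loopback or 0.0.0.0, and inspects a bin directory for a stray `rmm` or an `rm` that is no longer an ELF binary. The pool watch-list, the sample hosts content and the demo bin directory are constructed assumptions; the article names neither specific pools nor the path of the replaced `rm`.

```python
#!/usr/bin/env python3
"""Triage checks for the two CryptoSink tricks described above.

Added example for this page, not code from F5 or from the malware.
Assumptions (not stated in the article): the pool domains watched for,
the sample /etc/hosts content and the demo bin directory are constructed
here for illustration; a real run points at /etc/hosts and the directory
holding the system's rm (e.g. /usr/bin) on a Linux host.
"""
import ipaddress
import os
import tempfile

# Constructed watch-list of mining-pool domains (assumption: the article
# names no specific pools; extend from your own intelligence).
POOL_DOMAINS = ("supportxmr.com", "nanopool.org", "minexmr.com", "xmrpool.eu")

# Constructed /etc/hosts content modelling a sinkholed host.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
10.0.0.5    build01.internal   # legitimate pin, left alone
127.0.0.1   pool.supportxmr.com xmr-eu1.nanopool.org
0.0.0.0     xmr.pool.minexmr.com
"""

ELF_MAGIC = b"\x7fELF"
FINDING_RMM = "unexpected sibling 'rmm' next to rm"
FINDING_NOT_ELF = "rm is not an ELF binary (wrapper or script?)"


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def is_blackhole(ip):
    """True for loopback (127/8, ::1) and unspecified (0.0.0.0, ::) addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def matches_pool(name, pools=POOL_DOMAINS):
    """Exact or subdomain match against the pool watch-list."""
    return any(name == p or name.endswith("." + p) for p in pools)


def find_sinkholed_pools(hosts_text, pools=POOL_DOMAINS):
    """Return sorted (hostname, ip) pairs that pin a known pool to a blackhole address."""
    hits = {(name, ip) for ip, name in parse_hosts(hosts_text)
            if is_blackhole(ip) and matches_pool(name, pools)}
    return sorted(hits)


def check_rm_hijack(bin_dir):
    """Look for the rm -> rmm swap: a stray 'rmm' and/or a non-ELF 'rm'."""
    findings = []
    if os.path.exists(os.path.join(bin_dir, "rmm")):
        findings.append(FINDING_RMM)
    rm_path = os.path.join(bin_dir, "rm")
    if os.path.isfile(rm_path):
        with open(rm_path, "rb") as fh:
            if fh.read(4) != ELF_MAGIC:
                findings.append(FINDING_NOT_ELF)
    return findings


def build_demo_bin_dir(hijacked):
    """Constructed stand-in for /usr/bin: clean, or with the swap applied."""
    path = tempfile.mkdtemp(prefix="cryptosink-demo-")
    fake_elf = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9  # header bytes only
    if hijacked:
        # Real rm shoved aside as rmm; a shell wrapper is installed as rm.
        with open(os.path.join(path, "rmm"), "wb") as fh:
            fh.write(fake_elf)
        with open(os.path.join(path, "rm"), "w") as fh:
            fh.write('#!/bin/sh\n# (payload would re-add the cronjob, then exec rmm "$@")\n')
    else:
        with open(os.path.join(path, "rm"), "wb") as fh:
            fh.write(fake_elf)
    return path


if __name__ == "__main__":
    for name, ip in find_sinkholed_pools(SAMPLE_HOSTS):
        print(f"sinkholed pool: {name} -> {ip}")
    for finding in check_rm_hijack(build_demo_bin_dir(hijacked=True)):
        print(f"rm check: {finding}")
```

On a live host, feed `find_sinkholed_pools` the contents of /etc/hosts and point `check_rm_hijack` at /usr/bin (or /bin), then confirm with the package manager (`rpm -V coreutils` or `dpkg -V coreutils`) rather than trusting a heuristic, and do the clean-up from a known-good toolset rather than the suspect `rm`. Two caveats: a competitor miner configured with a raw pool IP rather than a hostname is not affected by a hosts-file sinkhole, and a hijacked `rm` that keeps the ELF format (a patched copy rather than a script wrapper) would pass the magic-bytes check, which is why the package-manager verification matters.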
