“CryptoSink” Campaign Deploys a New Miner Malware
- by nlqip
Recently, threat researchers from F5 Networks spotted a new campaign targeting Elasticsearch systems. It leverages an exploit from 2014 to spread several new malwares designed to deploy an XMR (Monero) mining operation.
- The campaign exploits a five-year-old vulnerability (CVE-2014-3120) in Elasticsearch systems running on both Windows and Linux platforms to mine XMR cryptocurrency.
- On Linux, it delivers several previously unknown malwares (downloader and trojan) which weren’t detected by antivirus (AV) solutions.
- It uses a unique method to kill competing crypto-miners on the infected machine by sinkholing (redirecting) their pool traffic to 127.1.1.1, thus shutting down the mining.
- To survive a removal, it wraps the Linux rm command with a code to randomly reinstall the malware, making it more complex to understand how the system is continually reinfected.
- It backdoors the server by adding the attacker’s SSH keys.
- It uses several command and control (C&C) servers; the current live C&C is located in China.
While analyzing the campaign we’ve named CryptoSink, we encountered a previously unseen method used by attackers to eliminate competitors on the infected machine and to persist on the server in a stealthier way by replacing the Linux remove (rm) command.
Initial Infection Vector
The attack starts with several malicious HTTP requests that target Elasticsearch running on both Windows and Linux machines.
Windows Payload
The Windows payload directly downloads a malicious executable file from the attacker’s server using a technique that became popular among similar threat actors. This technique involves calling the certutil utility, which ships with Windows, and is used to manipulate SSL certificates.
Source link
lol
Recently, threat researchers from F5 Networks spotted a new campaign targeting Elasticsearch systems. It leverages an exploit from 2014 to spread several new malwares designed to deploy an XMR (Monero) mining operation. The campaign exploits a five-year-old vulnerability (CVE-2014-3120) in Elasticsearch systems running on both Windows and Linux platforms to mine XMR cryptocurrency. On Linux,…
Recent Posts
- Windows 10 KB5046714 update fixes bug preventing app uninstalls
- Eight Key Takeaways From Kyndryl’s First Investor Day
- QNAP pulls buggy QTS firmware causing widespread NAS issues
- N-able Exec: ‘Cybersecurity And Compliance Are A Team Sport’
- Hackers breach US firm over Wi-Fi from Russia in ‘Nearest Neighbor Attack’