‘Kinsing’ Hacker Group Exploits More Defects to Expand Botnet for Crypto Jacking!

The crypto jacking group known as Kinsing has demonstrated an ability to continually evolve & adapt, proving to be a persistent threat by swiftly integrating newly disclosed vulnerabilities into its exploit arsenal & expanding its botnet.

The findings come from cloud security firm Aqua, which described the threat player as actively orchestrating illicit crypto-currency mining campaigns since 2019.

Crypto-Mining Botnet

Kinsing (aka H2Miner), a name given to both the malware & the adversary behind it, has consistently expanded its toolkit with new exploits to enrol infected systems in a crypto-mining botnet. It was 1st documented by TrustedSec in Jan. 2020.

In recent years, campaigns involving the Golang-based malware have weaponised various flaws in Apache ActiveMQ, Apache Log4j, Apache NiFi, Apache Tomcat, Atlassian Confluence, Citrix, Liferay Portal, Linux, Openfire, Oracle WebLogic Server, & SaltStack to breach vulnerable systems.

Misconfigured

Other methods have also involved exploiting misconfigured Docker, PostgreSQL, & Redis instances to obtain initial access, after which the endpoints are put into a botnet for crypto-mining, but not before disabling security services & removing rival miners already installed on the hosts.

Analysis by CyberArk in 2021 unearthed commonalities between Kinsing & another malware called NSPPS, concluding that both the strains “represent the same family.”

Kinsing’s attack structure falls into 3 primary categories: Initial servers used for scanning & exploiting vulnerabilities, download servers responsible for staging payloads & scripts, & command-&-control (C2) servers that maintain contact with compromised servers.

Russia

The IP addresses used for C2 servers geolocate to Russia, while those used to download the scripts & binaries span countries like Luxembourg, Russia, the Netherlands, & Ukraine.

“Kinsing targets various operating systems with different tools,” Aqua observed. “For instance, Kinsing often uses shell & Bash scripts to exploit Linux servers.”

“We’ve also seen that Kinsing is targeting Openfire on Windows servers using a PowerShell script. When running on Unix, it is usually looking to download a binary that runs on x86 or ARM.”

Open Source

Another notable aspect of the threat player’s campaigns is that 91% of the targeted applications are open source, with the group mainly singling out runtime applications (67%), databases (9%), & cloud infrastructure (8%).

3 Distinct Categories

An extensive analysis of the artifacts has further revealed 3 distinct categories of programs –

  • Type I & Type II scripts, which are deployed post initial access & are used to download next-stage attack components, eliminate competition, evade defences by disabling the firewall, terminate security tools like SELinux, AppArmor, & Aliyun Aegis, & deploy a rootkit to hide the malicious processes
  • Auxiliary scripts, which are designed to accomplish initial access by exploiting a vulnerability, disable specific security components associated with Alibaba Cloud & Tencent Cloud services from a Linux system, open a reverse shell to a server under the attacker’s control, & facilitate the retrieval of minor payloads.
  • Binaries, which function as a 2nd-stage payload, including the core Kinsing malware & the crypto-miner used to mine Monero.

Mining Process

The malware, for its part, is engineered to keep tabs on the mining process & share its process identifier (PID) with the C2 server, perform connectivity checks, & send execution results, amongst others.

“Kinsing targets Linux & Windows systems, often by exploiting vulnerabilities in web applications or misconfigurations such as Docker API & Kubernetes to run crypto miners,” Aqua commented. “To prevent potential threats like Kinsing, initiative-taking measures such as hardening workloads pre-deployment are crucial.”
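As an added illustration of the pre-deployment hardening Aqua recommends, the following Python audits a Docker daemon.json and a redis.conf for the exposure patterns the article names as initial-access vectors (an exposed Docker API and an unprotected Redis instance). This is example code written for this article, not Aqua’s or Kinsing’s; the sample configurations are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample daemon.json: API on all interfaces over plain TCP.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "tls": False,
})
# Constructed sample redis.conf: all interfaces, protected mode off, no password.
SAMPLE_REDIS_CONF = """\
bind 0.0.0.0
protected-mode no
# requirepass changeme
port 6379
"""

def audit_docker_daemon(daemon_json: str) -> list[str]:
    """Findings for a Docker daemon.json document given as a JSON string."""
    cfg = json.loads(daemon_json)
    findings = []
    tls_verified = bool(cfg.get("tlsverify", False))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are local only
        hostname = urlsplit(host).hostname or ""
        if hostname in ("", "0.0.0.0", "::"):
            findings.append(f"docker API bound to all interfaces: {host}")
        if not tls_verified:
            findings.append(f"docker API over TCP without tlsverify: {host}")
    return findings

def audit_redis_conf(conf: str) -> list[str]:
    """Findings for redis.conf text (one directive per line)."""
    directives = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        directives[key.lower()] = value.strip()
    findings = []
    # A missing bind directive means Redis listens on every interface.
    binds = directives.get("bind", "0.0.0.0").split()
    if any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("redis bound to all interfaces")
    if directives.get("protected-mode", "yes").lower() == "no":
        findings.append("redis protected-mode disabled")
    if "requirepass" not in directives:
        findings.append("redis has no requirepass set")
    return findings
```

Run both functions over the files pulled from a host or an image before it is deployed; an empty list means none of the listed exposure patterns was found.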

The disclosure comes as botnet malware families are increasingly finding ways to broaden their reach & recruit machines into a network for conducting malicious activities.

Redis Servers

This is best exemplified by P2PInfect, a Rust malware that has been found to exploit poorly-secured Redis servers to deliver variants compiled for MIPS & ARM architectures.

“The main payload is capable of performing various operations, including propagating, & delivering other modules with filenames that speak for themselves like ‘miner’ & ‘winminer’,” Nozomi Networks, which discovered samples targeting ARM earlier this year, explained.

“As its name suggests, the malware is capable of performing Peer-to-Peer (P2P) communications without relying on a single Command & Control server (C&C) to propagate attackers’ commands.”
