
KinSing Hacker Group Increases Botnet Size for Cryptojacking by Exploiting Additional Flaws

The cybercriminal group known as Kinsing has demonstrated a remarkable ability to adapt and evolve, establishing itself as an ongoing threat by quickly integrating newly disclosed vulnerabilities and expanding its botnet.

The findings were reported by cloud security firm Aqua, which identified Kinsing as actively conducting illegal cryptocurrency mining campaigns since 2019.

Kinsing (also known as H2Miner), a name that refers to both the malware and the group behind it, has continuously enhanced its toolkit with new exploits to recruit infected systems into a cryptocurrency mining botnet. Its existence was initially documented by TrustedSec in January 2020.

In recent times, campaigns involving the Golang-based malware have leveraged vulnerabilities in various platforms such as Apache ActiveMQ, Apache Log4j, Apache NiFi, Atlassian Confluence, Citrix, Liferay Portal, Linux, Openfire, Oracle WebLogic Server, and SaltStack to infiltrate vulnerable systems.

Other tactics have included exploiting misconfigured Docker, PostgreSQL, and Redis instances for initial access, followed by organizing the compromised systems into a botnet for cryptocurrency mining, after removing rival miners and disabling security services already present on those systems.

A subsequent analysis by CyberArk in 2021 discovered common traits between Kinsing and another malware, NSPPS, indicating that both strains belong to the same group.

The attack infrastructure of Kinsing primarily consists of three categories: initial servers for scanning and exploiting vulnerabilities, download servers for storing payloads and scripts, and command-and-control (C2) servers for communication with compromised servers.

The IP addresses associated with C2 servers are based in Russia, while those used for downloading scripts and binaries originate from countries like Luxembourg, Russia, the Netherlands, and Ukraine.

“Kinsing targets a variety of operating systems using different tools,” Aqua explained. “For example, Kinsing frequently utilizes shell and Bash scripts to exploit Linux servers.”

“We have also observed Kinsing targeting Openfire on Windows servers using a PowerShell script. On Unix systems, it typically downloads a binary that runs on x86 or ARM architecture.”

Another significant aspect of Kinsing’s campaigns is that 91% of the targeted applications are open-source, chiefly runtime applications (67%), databases (9%), and cloud infrastructure (8%).

Credit: Forescout

An in-depth analysis of the artifacts has identified three main categories of programs:

  • Type I and Type II scripts, which are deployed post initial access to download next-stage attack components, eliminate competitors, evade defenses, and deploy a rootkit to conceal malicious processes
  • Auxiliary scripts, intended for initial access by exploiting vulnerabilities, disabling security components, establishing a reverse shell, and enabling the retrieval of miner payloads
  • Binaries, serving as a second-stage payload containing the core Kinsing malware and the crypto-miner for mining Monero

The malware is designed to monitor the mining process, share process identifiers with the C2 server, conduct connectivity checks, and report execution results, among other functionalities.

“Kinsing targets Linux and Windows systems by exploiting web application vulnerabilities or misconfigurations such as Docker API and Kubernetes to run cryptocurrency miners,” noted Aqua. “To mitigate potential threats like Kinsing, proactive steps like hardening workloads pre-deployment are crucial.”
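The “misconfigured Docker” initial access mentioned above and in the paragraph on Docker, PostgreSQL and Redis usually means a Docker Engine API reachable over TCP without TLS client authentication. The following check is an added defensive example, not code from Aqua’s report or from this article; it audits a `daemon.json` document for such exposure, and the two sample configurations are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample daemon.json documents (not taken from any real host).
WEAK_DAEMON_JSON = json.dumps({
    # API listening on every interface, plaintext, no client authentication
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    # API bound to one internal address with mutual TLS required
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(config_text: str) -> list[str]:
    """Return human-readable findings for a daemon.json; empty list means no exposure found."""
    cfg = json.loads(config_text)
    hosts = cfg.get("hosts", [])
    if isinstance(hosts, str):          # Docker accepts a single string or a list
        hosts = [hosts]
    tls_verify = cfg.get("tlsverify") is True
    has_tls_material = all(k in cfg for k in ("tlscacert", "tlscert", "tlskey"))
    findings = []
    for host in hosts:
        parsed = urlparse(host)
        if parsed.scheme != "tcp":      # unix:// and fd:// listeners are local-only
            continue
        bind = parsed.hostname or "0.0.0.0"   # "tcp://:2375" binds every interface
        if not tls_verify:
            findings.append(f"{host}: Docker API reachable over TCP without TLS client auth")
        elif not has_tls_material:
            findings.append(f"{host}: tlsverify set but CA/cert/key paths are incomplete")
        if bind in ("0.0.0.0", "::"):
            findings.append(f"{host}: API bound to all interfaces")
    return findings


def is_exposed(config_text: str) -> bool:
    """True when the daemon config exposes the API in a way worth remediating."""
    return bool(audit_daemon_config(config_text))


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(doc) or "no findings")
```

Run against the real file with `audit_daemon_config(open("/etc/docker/daemon.json").read())`; a host entry like `tcp://:2375` with no `tlsverify` is exactly the listener that Kinsing-style scanners look for.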

This revelation coincides with increasing efforts by botnet malware families to broaden their influence and enlist machines into networks for carrying out malicious operations.

An example is P2PInfect, a Rust-based malware observed exploiting poorly secured Redis servers to distribute variants compiled for MIPS and ARM architectures.

“The primary payload can perform multiple functions, including propagation and delivering other modules with names such as miner and winminer,” reported Nozomi Networks, which uncovered samples targeting the ARM architecture earlier this year.

“As the name suggests, the malware can engage in Peer-to-Peer (P2P) communications without relying on a single Command and Control server (C&C) to execute attackers’ commands.”
