
Name: Kinsing
Type of Malware: Cryptominer
Date of Initial Activity: 2020
Motivation: Cryptomining, Data theft, Denial-of-service attacks, Remote access
Attack Vectors: Targets misconfigured Docker Daemon API ports, Attacks vulnerable images and weakly configured PostgreSQL containers in Kubernetes, log4j exploit, Shell Scripts, Linux Based Malicious Backdoors, Rootkits
Targeted System: Linux, Windows
Overview
Discovered in 2020, Kinsing is a Golang cryptominer with a rootkit component. Originally designed to exploit Linux systems, Kinsing was installed on compromised servers by abusing vulnerabilities in internet-facing services.
Later, in 2021, a Windows variant of the malware was developed as well, allowing the attackers to broaden the range of systems they could target.
Targets
Kinsing is often used in attacks against Docker, Redis, and SaltStack. It can also be used to target Kubernetes clusters.
Tools/Techniques Used
Kinsing has been involved in multiple attack campaigns, including ones against Redis and SaltStack. It has also been seen exploiting the Liferay vulnerability CVE-2020-7961.
The post Kinsing (Cryptominer) – Malware first appeared on CyberMaterial.


