Kinsing Hacker Group Exploits More Flaws to Expand Botnet for Cryptojacking

The cryptojacking group known as Kinsing has demonstrated an ability to continuously evolve and adapt, proving to be a persistent threat by swiftly integrating newly disclosed vulnerabilities to the exploit arsenal and expand its botnet. The findings come from cloud security firm Aqua, which described the threat actor as actively orchestrating illicit cryptocurrency mining

The cryptojacking group known as Kinsing has demonstrated an ability to continuously evolve and adapt, proving to be a persistent threat by swiftly integrating newly disclosed vulnerabilities to the exploit arsenal and expand its botnet.

The findings come from cloud security firm Aqua, which described the threat actor as actively orchestrating illicit cryptocurrency mining campaigns since 2019.

Kinsing (aka H2Miner), a name given to both the malware and the adversary behind it, has consistently expanded its toolkit with new exploits to enroll infected systems in a crypto-mining botnet. It was first documented by TrustedSec in January 2020.

In recent years, campaigns involving the Golang-based malware have weaponized various flaws in Apache ActiveMQ, Apache Log4j, Apache NiFi, Atlassian Confluence, Citrix, Liferay Portal, Linux, Openfire, Oracle WebLogic Server, and SaltStack to breach vulnerable systems.

Other methods have also involved exploiting misconfigured Docker, PostgreSQL, and Redis instances to obtain initial access, after which the endpoints are marshaled into a botnet for crypto-mining, but not before disabling security services and removing rival miners already installed on the hosts.

Subsequent analysis by CyberArk in 2021 unearthed commonalities between Kinsing and another malware called NSPPS, concluding that both the strains “represent the same family.”

Kinsing’s attack infrastructure falls into three primary categories: Initial servers used for scanning and exploiting vulnerabilities, download servers responsible for staging payloads and scripts, and command-and-control (C2) servers that maintain contact with compromised servers.

The IP addresses used for C2 servers resolve to Russia, while those that are used to download the scripts and binaries span countries like Luxembourg, Russia, the Netherlands, and Ukraine.

“Kinsing targets various operating systems with different tools,” Aqua said. “For instance, Kinsing often uses shell and Bash scripts to exploit Linux servers.”

“We’ve also seen that Kinsing is targeting Openfire on Windows servers using a PowerShell script. When running on Unix, it’s usually looking to download a binary that runs on x86 or ARM.”

Another notable aspect of the threat actor’s campaigns is that 91% of the targeted applications are open-source, with the group mainly singling out runtime applications (67%), databases (9%), and cloud infrastructure (8).

Credit: Forescout

An extensive analysis of the artifacts has further revealed three distinct categories of programs –

Type I and Type II scripts, which are deployed post initial access and are used to download next-stage attack components, eliminate competition, evade defenses by disabling firewall, terminate security tools like SELinux, AppArmor, and Aliyun Aegis, and deploy a rootkit to hide the malicious processes
Auxiliary scripts, which are designed to accomplish initial access by exploiting a vulnerability, disable specific security components associated with Alibaba Cloud and Tencent Cloud services from a Linux system, open a reverse shell to a server under the attacker’s control, and facilitate the retrieval of miner payloads
Binaries, which act as a second-stage payload, including the core Kinsing malware and the crypto-miner to miner Monero

The malware, for its part, is engineered to keep tabs on the mining process and share its process identifier (PID) with the C2 server, perform connectivity checks, and send execution results, among others.

“Kinsing targets Linux and Windows systems, often by exploiting vulnerabilities in web applications or misconfigurations such as Docker API and Kubernetes to run cryptominers,” Aqua said. “To prevent potential threats like Kinsing, proactive measures such as hardening workloads pre-deployment are crucial.”

The disclosure comes as botnet malware families are increasingly finding ways to broaden their reach and recruit machines into a network for carrying out malicious activities.

This is best exemplified by P2PInfect, a Rust malware that has been found to exploit poorly-secured Redis servers to deliver variants compiled for MIPS and ARM architectures.

“The main payload is capable of performing various operations, including propagating and delivering other modules with filenames that speak for themselves like miner and winminer,” Nozomi Networks, which discovered samples targeting ARM earlier this year, said.

“As its name suggests, the malware is capable of performing Peer-to-Peer (P2P) communications without relying on a single Command and Control server (C&C) to propagate attackers’ commands.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

“}]] The Hacker News 

Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

Healthcare & Pharma Virtual Cybersecurity Summit

Next Post

Grandoreiro Banking Trojan Resurfaces, Targeting Over 1,500 Banks Worldwide

Related Posts

Hackers Created Rogue VMs to Evade Detection in Recent MITRE Cyber Attack

The MITRE Corporation has revealed that the cyber attack targeting the not-for-profit company towards late December 2023 by exploiting zero-day flaws in Ivanti Connect Secure (ICS) involved the threat actor creating rogue virtual machines (VMs) within its VMware environment. "The adversary created their own rogue VMs within the VMware environment, leveraging compromised vCenter Server access,"
Read More

Cybersecurity Agencies Warn of China-linked APT40’s Rapid Exploit Adaptation

Cybersecurity agencies from Australia, Canada, Germany, Japan, New Zealand, South Korea, the U.K., and the U.S. have released a joint advisory about a China-linked cyber espionage group called APT40, warning about its ability to co-opt exploits for newly disclosed security flaws within hours or days of public release. "APT 40 has previously targeted organizations in various countries, including
Read More