Kinsing hackers declare war on open source projects

Father

The cryptojacking botnet keeps expanding and is causing problems for hundreds of organizations.

The Kinsing cryptojacking group continues to evolve, posing a constant threat in the digital space. AquaSec reports that Kinsing has been continuously organizing illegal cryptocurrency mining campaigns since 2019, quickly integrating new vulnerabilities to expand its botnet.

Kinsing, also known as H2Miner, is the name of both the malware and the group behind it. Since it was first documented in January 2020, Kinsing has continuously expanded its toolset with new exploits in order to add infected systems to its cryptomining botnet.

The Golang-based malware's campaigns have exploited vulnerabilities in systems such as Apache Log4j, Atlassian Confluence, Citrix, Linux, and Oracle WebLogic Server. Misconfigured Docker, PostgreSQL, and Redis deployments have also been used for initial access.

In 2021, an analysis by CyberArk revealed similarities between Kinsing and another malware strain, NSPPS, and concluded that both belong to the same family.

The Kinsing attack infrastructure is divided into three categories: initial servers that scan for and exploit vulnerabilities, servers that host the payloads for download, and C2 servers that maintain communication with infected hosts.

"Kinsing is targeting a variety of operating systems," Aqua reports. "For example, Kinsing often uses shell and Bash scripts to operate Linux servers, and attacks Openfire on Windows servers via PowerShell."

The group also actively targets open-source applications, which account for 91% of all attacked programs. The main targets are runtime applications (67%), databases (9%), and cloud infrastructure (8%).

Analysis of the detected malware instances revealed three categories of programs used by the group in its campaigns:
  1. Type I and II scripts that download the subsequent attack components, eliminate competitors, bypass security, and disable firewalls and security tools.
  2. Auxiliary scripts designed for initial access, disabling specific security components of Alibaba Cloud and Tencent Cloud, opening a reverse shell, and loading miner payloads.
  3. Binaries that serve as secondary payloads, including the Kinsing core and the Monero crypto miner.

The malware monitors the mining process, shares the process ID (PID) with the C2 server, performs connection checks, and sends execution results.

"Kinsing targets Linux and Windows systems, often exploiting vulnerabilities in web applications or misconfigurations, such as the Docker API and Kubernetes," Aqua notes. "Proactive measures, such as strengthening workloads before deployment, are important to prevent threats like Kinsing."

Data from the AquaSec report shows that botnets are constantly finding new ways to expand and to enlist machines across the internet for malicious activity.

To protect against threats such as Kinsing, proactive security measures must be applied, including timely patching of vulnerabilities, proper configuration of systems, and controls that prevent malware from exploiting unclosed attack vectors.
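As an added example (not code from the original post or from Aqua's report), the following Python script audits a Docker daemon configuration for the kind of remote-API misconfiguration the post names as a Kinsing entry point: a TCP listener for the Docker API without TLS client verification, or one bound to every interface. The key names are the real dockerd options `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey`; the two `daemon.json` documents and the paths inside them are constructed for the example.

```python
"""Static audit of a Docker daemon.json for exposed remote-API listeners.

Added example for this post; not from Aqua's report or from Kinsing analysis.
It checks the dockerd `hosts` list: any tcp:// listener must have `tlsverify`
enabled with a complete certificate set, and should not bind all interfaces.
"""
import json
from urllib.parse import urlsplit

# Conventional dockerd ports: 2375 plaintext, 2376 TLS.
PLAINTEXT_PORT = 2375
TLS_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_docker_hosts(config: dict) -> list[str]:
    """Return findings for a parsed daemon.json; an empty list means nothing was flagged."""
    findings = []
    tls_verify = bool(config.get("tlsverify", False))
    for host in config.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// listeners are local-only
        bind = parts.hostname or ""
        if not tls_verify:
            findings.append(f"{host}: TCP listener without tlsverify (unauthenticated remote API)")
        if bind in ("", "0.0.0.0", "::"):
            findings.append(f"{host}: bound to all interfaces")
        if tls_verify and parts.port == PLAINTEXT_PORT:
            findings.append(f"{host}: TLS enabled but serving on the conventional plaintext port")
    if tls_verify and not all(k in config for k in TLS_KEYS):
        findings.append("tlsverify set but tlscacert/tlscert/tlskey incomplete")
    return findings


def audit_daemon_json(text: str) -> list[str]:
    """Parse a daemon.json document and audit it."""
    return audit_docker_hosts(json.loads(text))


# Constructed sample: the weak setting, API reachable from anywhere without auth.
WEAK_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
}

# Constructed sample: the corrected setting, TLS client verification on an internal address.
HARDENED_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",          # hypothetical path
    "tlscert": "/etc/docker/server-cert.pem",   # hypothetical path
    "tlskey": "/etc/docker/server-key.pem",     # hypothetical path
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        for finding in audit_docker_hosts(cfg) or ["no findings"]:
            print("  ", finding)
```

The check is static: it reads the intended configuration, so it belongs in a pre-deployment review of the workload, which is where the quoted advice places the hardening. Whether the running daemon actually listens where the file says it does is a separate runtime check.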