KINSING HACKERS DECLARE WAR ON OPEN SOURCE

The Kinsing cryptojacking group remains a persistent threat, as reported by Aqua Security. The group has been running illegal cryptocurrency mining campaigns throughout 2019 and continues to add new vulnerabilities to its toolkit in order to grow its botnet.

Kinsing, also known as H2Miner, refers to both the malicious software and the group behind it. Since the initial documentation in January 2020, Kinsing has been enhancing its arsenal with new exploits to enlist infected systems into a cryptomining botnet.

These campaigns exploit vulnerabilities in systems such as Apache Log4j, Atlassian Confluence, Citrix, Linux, and Oracle WebLogic Server. Misconfigured Docker, PostgreSQL, and Redis deployments have also been exploited to gain initial access.

In 2021, a CyberArk analysis found similarities between Kinsing and the NSPS malware, indicating that the two belong to the same family.

Kinsing’s infrastructure is split into three categories: initial servers used for vulnerability scanning and exploitation, download servers that stage the payloads, and C2 servers that communicate with infected hosts.

“Kinsing targets a variety of operating systems,” states Aqua. “For instance, the group frequently employs Shell and Bash scripts to target Linux servers and PowerShell attacks on Windows servers via Openfire.”

Kinsing focuses heavily on open source applications, which make up 91% of the software it targets. The largest target categories are runtime applications (67%), databases (9%), and cloud infrastructure (8%).

An analysis of the identified malicious instances shows three main categories of programs used by Kinsing in their campaigns:

  1. Type I and Type II scripts that download the attack components, kill competing miners, evade defenses, and disable firewalls and other security controls.
  2. Auxiliary scripts used for initial access, targeting specific security agents in Alibaba Cloud and Tencent Cloud, creating backdoors, and downloading the miner payload.
  3. Binary files delivered as secondary payloads, including the Kinsing core binary and a Monero cryptocurrency miner.

The malware manages the mining process, communicates with the C2 server using its process identifier (PID), performs connectivity checks, and reports execution results back to the operators.

“Kinsing focuses on exploiting vulnerabilities in web applications or misconfigurations such as Docker API and Kubernetes on Linux and Windows platforms,” notes Aqua. “Proactive measures, like securing workloads before deployment, are crucial to prevent threats like Kinsing.”
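The Docker API and Redis misconfigurations that the article names as Kinsing’s initial-access routes can be checked before a workload is deployed. The script below is an added example, not code from the article or from Aqua Security: it audits constructed `daemon.json` and `redis.conf` samples (the file contents, the certificate paths and the placeholder password are assumptions) and flags a Docker API exposed over TCP without TLS client verification or bound to all interfaces, and a Redis instance reachable on all interfaces, running with protected mode off, or without a password. The hardened variants are included beside the weak ones so the checks pass on a correct configuration.

```python
import json

# Constructed sample configurations (not from the article or the Aqua report).
# Weak daemon.json: Docker API on every interface, no TLS client verification.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
# Hardened daemon.json: API bound to one internal address, client certs required
# (certificate paths are assumptions for the example).
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
# Weak redis.conf: reachable from anywhere, protected mode off, no password.
WEAK_REDIS_CONF = """\
# constructed sample
bind 0.0.0.0
protected-mode no
port 6379
"""
# Hardened redis.conf: loopback only, protected mode on, password required.
HARDENED_REDIS_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass CHANGE-ME-placeholder
"""


def audit_docker_daemon(daemon_json: str) -> list[str]:
    """Return findings for a daemon.json that exposes the Docker API."""
    cfg = json.loads(daemon_json)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    # Any TCP listener without tlsverify accepts unauthenticated API calls.
    if tcp_hosts and not cfg.get("tlsverify", False):
        findings.append("docker: API reachable over TCP without TLS client "
                        "verification: " + ", ".join(tcp_hosts))
    for host in tcp_hosts:
        addr = host[len("tcp://"):].rsplit(":", 1)[0]
        if addr in ("", "0.0.0.0", "[::]"):
            findings.append(f"docker: API bound to all interfaces ({host})")
    return findings


def parse_redis_conf(text: str) -> dict[str, str]:
    """Parse redis.conf directives into a dict (last occurrence wins)."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=1)
        directives[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return directives


def audit_redis_conf(text: str) -> list[str]:
    """Return findings for a redis.conf that leaves Redis open to the network."""
    d = parse_redis_conf(text)
    findings = []
    bind = d.get("bind", "")
    # Redis 7 allows optional "-" prefixes on bind addresses; strip them.
    tokens = [t.lstrip("-") for t in bind.split()]
    if not tokens or any(t in ("0.0.0.0", "*", "::", "::*") for t in tokens):
        findings.append(f"redis: listening on all interfaces (bind={bind or 'unset'})")
    if d.get("protected-mode", "yes").lower() == "no":
        findings.append("redis: protected-mode disabled")
    if not d.get("requirepass"):
        findings.append("redis: no requirepass set (unauthenticated access)")
    return findings


if __name__ == "__main__":
    for name, result in [
        ("weak docker", audit_docker_daemon(WEAK_DAEMON_JSON)),
        ("hardened docker", audit_docker_daemon(HARDENED_DAEMON_JSON)),
        ("weak redis", audit_redis_conf(WEAK_REDIS_CONF)),
        ("hardened redis", audit_redis_conf(HARDENED_REDIS_CONF)),
    ]:
        print(name, "->", result or "OK")
```

To use it on a real host, read `/etc/docker/daemon.json` and `/etc/redis/redis.conf` into the two audit functions; a non-empty finding list means the host matches the exposure pattern the article describes and should be fixed before it is reachable from the network.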

Data from the AquaSec report indicates that the botnets continuously discover new methods to expand and enlist
