Explore the Kinsing Hacker Group's evolving cryptojacking tactics, targeting Linux and Windows servers, exploiting vulnerabilities, and deploying complex malware.

Continue reading
The cryptojacking group known as Kinsing, also referred to as H2Miner, has exhibited a remarkable ability to evolve and adapt over time. This Threatfeed dives deep into the technical aspects and methodologies employed by Kinsing, with a particular focus on its exploitation of newly disclosed vulnerabilities to expand its botnet for cryptojacking purposes. The findings discussed herein are derived from extensive research conducted by Aqua Security, CyberArk, and TrustedSec, among others.
Kinsing has been actively orchestrating illicit cryptocurrency mining campaigns since 2019. Initially documented by TrustedSec in January 2020, the group has continuously enhanced its toolkit, integrating newly discovered vulnerabilities to maintain its foothold in compromised systems.
In its early days, Kinsing targeted a variety of systems using the Golang-based malware. Its campaigns have weaponized flaws in numerous platforms including:
These vulnerabilities were exploited to breach systems and enlist them in a crypto-mining botnet.
Kinsing’s attack infrastructure can be categorized into three primary components:
The C2 servers primarily resolve to Russia, while download servers span countries like Luxembourg, Russia, the Netherlands, and Ukraine.
Kinsing leverages misconfigured Docker, PostgreSQL, and Redis instances to gain initial access. Upon gaining access, the malware disables security services and removes rival miners already installed on the hosts.
Kinsing uses shell and Bash scripts to exploit Linux servers. For Windows servers, the malware utilizes PowerShell scripts. Once inside, it downloads binaries compatible with x86 or ARM architectures, depending on the system.
Kinsing has weaponized a wide array of vulnerabilities across different systems. Notable examples include:
In January 2020, TrustedSec observed a compromise exploiting the Citrix NetScaler vulnerability. The attacker accessed the `smb.conf` file using a directory traversal attack, then executed a script (`ci.sh`) to maintain persistence and deploy the Monero coin miner, XMRig.
Kinsing deploys various scripts post-initial access to download next-stage components, eliminate competition, and evade defenses. These scripts can be categorized as:
An auxiliary script might look like the following:
Kinsing’s campaigns also utilize rootkits to hide malicious processes, making detection and removal more challenging. The malware continuously monitors the mining process and communicates with the C2 server, performing connectivity checks and sending execution results.
A notable advancement is the use of Peer-to-Peer (P2P) communications, as seen in the P2PInfect malware. This technique allows the malware to propagate and deliver other modules without relying on a single C2 server.
Kinsing's operations target various operating systems, often by exploiting web application vulnerabilities or misconfigurations such as Docker API and Kubernetes. The widespread nature of these attacks highlights the importance of proactive security measures.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation