Kinsing Malware Hides Itself as a Manual Page and Targets Cloud Servers

Researchers describe Kinsing’s ongoing campaign against cloud Linux hosts, including active intrusions into Apache Tomcat servers to deploy backdoors and cryptominers. The malware hides itself in innocuous filesystem locations, notably manual-page directories, and uses XMRig to mine Monero, remaining undetected for about a year. #Kinsing #XMRig #ApacheTomcat #gssproxy #Monero

Keypoints

  • Kinsing targets Linux-based cloud infrastructure and exploits vulnerabilities to deploy backdoors and cryptominers.
  • Attack surface expansion includes targeting Apache Tomcat servers with critical vulnerabilities.
  • The malware hides itself in four filesystem locations to achieve persistence, including three manual-page directories.
  • Persistence locations include /var/cache/man/cs/cat1/, /var/cache/man/cs/cat3/, /var/lib/gssproxy/rcache/, and /var/cache/man/zh_TW/cat8/.
  • The cryptominer embedded in the malware is XMRig, used to mine Monero, observed at version 6.12.2 (with newer versions available).
  • Tenable Cloud Security has introduced a malware-detection feature to identify malware across cloud workloads.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The Kinsing campaign targets an Apache Tomcat server with critical vulnerabilities to gain access. “including an Apache Tomcat server with critical vulnerabilities.”
  • [T1564] Hide Artifacts – The malware hides itself in four locations on the filesystem, notably manual pages. “three of these locations are manual files, or ‘man’ pages, where malware is rarely found.”
  • [T1036] Masquerading – The malware hides itself as a system file. “hides itself as a system file.”
  • [T1496] Cryptomining – The malware has a cryptominer embedded in it called XMRig. XMRig is an open-source CPU mining software used for the mining of Monero.

Indicators of Compromise

  • [SHA-256] Malware payload hash – 063f80c2c5accaecd8c9e6b6815ae80e372477f9df1113dafc72a2a0703aaa68
  • [File Path] Infected persistence locations – /var/cache/man/cs/cat1/, /var/cache/man/cs/cat3/, /var/lib/gssproxy/rcache/, /var/cache/man/zh_TW/cat8/
  • [Software] XMRig version observed – 6.12.2 (current GitHub version is 6.21.2)
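A defender-side hunt script that ties the persistence paths from the Keypoints to the SHA-256 in the Indicators of Compromise, added here as an example and not code from Tenable or the original post. It walks each reported directory, flags any file whose SHA-256 matches the listed hash, and separately flags ELF binaries or executable files sitting in the man-page cache and gssproxy rcache, where only formatted man pages and cache data belong. The demo tree it builds in a temporary directory (a benign formatted page and a planted ELF-headed file) is constructed for illustration; the paths and hash come from the summary above.

```python
"""Hunt for Kinsing-style artefacts in man-page cache and gssproxy rcache dirs.

Added example for this summary; not Tenable's code. Persistence paths and the
payload SHA-256 are taken from the summary above; the demo files are constructed.
"""
import hashlib
import os
import tempfile

# Persistence directories reported for this campaign (from the summary above).
KINSING_PATHS = [
    "/var/cache/man/cs/cat1/",
    "/var/cache/man/cs/cat3/",
    "/var/lib/gssproxy/rcache/",
    "/var/cache/man/zh_TW/cat8/",
]

# SHA-256 of the malware payload reported in the IoC list above.
KNOWN_BAD_SHA256 = {
    "063f80c2c5accaecd8c9e6b6815ae80e372477f9df1113dafc72a2a0703aaa68",
}

ELF_MAGIC = b"\x7fELF"


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_elf(path):
    """True when the file starts with the ELF magic bytes."""
    with open(path, "rb") as f:
        return f.read(4) == ELF_MAGIC


def scan_directory(directory, known_hashes=KNOWN_BAD_SHA256):
    """Return (path, reason) findings for one directory tree.

    Reasons: 'ioc-hash' when the SHA-256 matches a known indicator,
    'elf-in-cache' when an ELF binary sits among man pages or cache files,
    'executable' when a regular file carries any execute bit.
    A missing directory yields no findings rather than an error.
    """
    findings = []
    if not os.path.isdir(directory):
        return findings
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if sha256_file(path) in known_hashes:
                findings.append((path, "ioc-hash"))
            if is_elf(path):
                findings.append((path, "elf-in-cache"))
            if os.stat(path).st_mode & 0o111:
                findings.append((path, "executable"))
    return findings


def scan_host(paths=KINSING_PATHS, known_hashes=KNOWN_BAD_SHA256):
    """Scan every reported persistence location on the local host."""
    findings = []
    for directory in paths:
        findings.extend(scan_directory(directory, known_hashes))
    return findings


def build_demo_tree():
    """Construct a throwaway tree mimicking /var/cache/man/cs/cat1/ holding one
    benign gzip-headed man page and one planted, executable ELF-headed file."""
    base = tempfile.mkdtemp(prefix="man-cache-demo-")
    cat1 = os.path.join(base, "cs", "cat1")
    os.makedirs(cat1)
    with open(os.path.join(cat1, "ls.1.gz"), "wb") as f:
        f.write(b"\x1f\x8b" + b"formatted man page body (constructed)")
    planted = os.path.join(cat1, "kinsing-demo")  # constructed name
    with open(planted, "wb") as f:
        f.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 64)
    os.chmod(planted, 0o755)
    return base


if __name__ == "__main__":
    for path, reason in scan_directory(build_demo_tree()):
        print(f"{reason:14} {path}")
    for path, reason in scan_host():
        print(f"{reason:14} {path}")
```

On a real host, run `scan_host()` as root so the gssproxy cache is readable; a hash hit is a confirmed indicator, while `elf-in-cache` and `executable` findings are triage leads, since nothing legitimate should be executable under the formatted man-page cache.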

Read more: https://www.tenable.com/blog/kinsing-malware-hides-itself-as-a-manual-page-and-targets-cloud-servers