| Attribute | Value |
|---|---|
| Name | Kinsing |
| Type of Malware | Cryptominer |
| Date of Initial Activity | 2020 |
| Motivation | Cryptomining, data theft, denial-of-service attacks, remote access |
| Attack Vectors | Misconfigured Docker daemon API ports; vulnerable images and weakly configured PostgreSQL containers in Kubernetes; Log4j exploitation; shell scripts; Linux-based malicious backdoors; rootkits |
| Targeted System | Linux, Windows |
Overview
Discovered in 2020, Kinsing is a Golang cryptominer with a rootkit component. Originally built for Linux, Kinsing was installed on compromised servers by exploiting vulnerabilities in internet-facing services.
In 2021 a Windows variant of the malware was developed as well, allowing the attackers to target a wider range of systems.
Targets
Kinsing is often used in attacks against exposed Docker daemon APIs, Redis instances, and SaltStack deployments. It has also been used against Kubernetes clusters, including through weakly configured PostgreSQL containers.
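The two exposures named in the attack-vector table and the Targets section above, a Docker daemon API reachable over TCP without TLS client verification and a Redis instance reachable from the network without authentication, are both visible in the host's own configuration files. The following audit script is an added example, not code from the original page or from any Kinsing analysis; it parses a constructed daemon.json and redis.conf (weak and hardened variants are embedded inline as sample input, not taken from any real host) and reports the settings a Kinsing-style campaign would find. The file paths, the TLS certificate names and the placeholder password are assumptions for the demonstration.

```python
import json

# Constructed sample configurations for the demonstration; they are not taken
# from any real host and are not part of the original page.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

WEAK_REDIS_CONF = """# constructed redis.conf
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_REDIS_CONF = """# constructed redis.conf
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE_WITH_A_LONG_RANDOM_SECRET
rename-command CONFIG ""
"""


def audit_docker_daemon(daemon_json: str) -> list[str]:
    """Flag a dockerd daemon.json that exposes the Engine API over TCP without
    TLS client verification. That listener (conventionally port 2375) is the
    misconfigured Docker daemon API port this page lists as an attack vector."""
    cfg = json.loads(daemon_json)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify", False):
        findings.append(
            "Docker Engine API reachable over TCP without tlsverify: "
            + ", ".join(tcp_hosts)
        )
    for h in tcp_hosts:
        if "0.0.0.0" in h or "[::]" in h:
            findings.append(f"Docker Engine API bound to all interfaces: {h}")
    return findings


def parse_redis_conf(conf: str) -> dict[str, list[str]]:
    """Minimal redis.conf parser: one directive per line, '#' starts a comment."""
    settings: dict[str, list[str]] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key.lower(), []).append(value.strip())
    return settings


def audit_redis_conf(conf: str) -> list[str]:
    """Flag a redis.conf that leaves the instance reachable from the network
    without authentication, the exposure behind the Redis campaign cited on
    this page."""
    s = parse_redis_conf(conf)
    findings = []
    binds = s.get("bind", [""])[0].split()
    # Redis with no bind directive listens on every interface.
    wide_open = (not binds) or any(b in ("0.0.0.0", "::", "*") for b in binds)
    if wide_open:
        findings.append("Redis bound to all interfaces (bind missing or 0.0.0.0/::)")
    if s.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode disabled")
    if "requirepass" not in s:
        findings.append("no requirepass set: unauthenticated access")
    if wide_open and "requirepass" not in s:
        findings.append("network-reachable Redis with no authentication: treat as remotely exploitable")
    return findings


def audit_all() -> dict[str, list[str]]:
    """Run both audits over the constructed samples; keyed by sample name."""
    return {
        "docker_weak": audit_docker_daemon(WEAK_DAEMON_JSON),
        "docker_hardened": audit_docker_daemon(HARDENED_DAEMON_JSON),
        "redis_weak": audit_redis_conf(WEAK_REDIS_CONF),
        "redis_hardened": audit_redis_conf(HARDENED_REDIS_CONF),
    }


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name}: {findings or 'no findings'}")
```

The hardened Docker sample passes because it binds to a single internal address on 2376 with `tlsverify` set; in practice the safest configuration is to leave the TCP listener out of `hosts` entirely and use the Unix socket or an SSH tunnel. The hardened Redis sample passes because it binds to loopback and sets `requirepass`; renaming `CONFIG` is an additional step that removes the runtime reconfiguration an attacker on an open instance relies on.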
Tools/Techniques Used
Kinsing has been involved in multiple attack campaigns, including those targeting exposed Redis instances and SaltStack, and has been observed exploiting the Liferay Portal vulnerability CVE-2020-7961.
References
- Kinsing: The Malware with Two Faces
- Log4j Kinsing Linux Stealth Malware in the Wild
- Threat Alert: Kinsing Malware Attacks Targeting Container Environments
- Kinsing
- Misconfigured Docker Daemon API Ports Attacked for Kinsing Malware Campaign
- Analysis of Kinsing Malware’s Use of Rootkit
- Connecting Kinsing malware to Citrix and SaltStack campaigns
- Exposed Redis Instances Abused for Remote Code Execution, Cryptocurrency Mining
- Microsoft: Kubernetes clusters hacked in malware campaign via PostgreSQL