Kinsing Linux Malware Deploys Crypto-Miner in Container Environments

A campaign that has been ongoing for months is targeting misconfigured open Docker Daemon API ports to install a piece of malware named Kinsing, which in turn deploys a cryptocurrency miner in compromised container environments.


Researchers at Aqua Security, who have been tracking the attacks, say that thousands of infection attempts were observed daily. As part of the attack, hackers abuse misconfigured Docker API ports to run an Ubuntu container hosting Kinsing.


The Kinsing malware in the container executes a cryptocurrency miner and then attempts to further spread, targeting both containers and hosts.


All of the observed attacks have the same entry point, with the only difference between them being the IP address an initial shell script is downloaded from. To date, the security researchers identified three different IP addresses.


The shell script was designed to disable security measures and clear logs, as well as to remove rival malware and crypto-miners by killing their applications, deleting associated files, and terminating any running rival malicious Docker containers and deleting their images.


Additionally, the script downloads the Kinsing malware and runs it, achieves persistence via the crontab, and looks for additional commands running in cron to delete them (including its own).


Linux-based, Kinsing is written in Golang. Upon execution, it attempts to communicate with its command and control (C&C) servers in Eastern Europe.


Aqua Security discovered what appear to be dedicated servers for each function of the malware, such as C&C communication, downloading a spread script, and downloading a crypto-miner.


The shell script used to spread across the container network passively collects data from /.ssh/config, .bash_history, /.ssh/known_hosts, and the ..

Support the originator by clicking the read the rest link below.