Kinsing Crypto-Mining Malware
Kinsing: Cryptomining Malware Targeting Linux and Cloud Infrastructure
Kinsing is a Linux-based malware focused on hijacking server and container resources to mine cryptocurrency, typically Monero. It spreads by exploiting vulnerable applications, misconfigured Docker instances, and open cloud ports, leaving behind persistent backdoors and crypto-miners. Its use of shell scripts, automated reconnaissance, and rapid lateral movement makes it a serious threat to cloud-native environments and DevOps pipelines.
Introduction to Kinsing
First observed in the wild around 2020, Kinsing malware has evolved into one of the most common threats facing exposed Linux systems. It aggressively scans for services like Redis, PostgreSQL, Jenkins, and Kubernetes that are improperly secured. Once it finds a way in, Kinsing installs a lightweight crypto-miner and tools to ensure it maintains persistence, avoids detection, and continues exploiting as many systems as possible.
1. How Kinsing Works
Infection Mechanism:
Kinsing typically infiltrates systems by exploiting unpatched vulnerabilities (e.g., SaltStack CVE-2020-11651/11652), misconfigured Docker APIs, or open ports. It uses automated scripts to scan for targets, gain initial access, and download additional payloads.
Payload Execution:
Once inside, Kinsing:
- Deploys a Monero (XMR) miner to monetize CPU resources
- Installs its core malware (kinsing binary)
- Disables security tools and removes competing malware
- Creates cron jobs, SSH keys, or systemd services for persistence
- Exploits the host to scan and infect more machines across the network
2. History and Notable Campaigns
Origin and Discovery:
Kinsing was first reported by researchers in early 2020, with major upticks observed during the shift to remote work and cloud infrastructure. Cybersecurity firms like Trend Micro and Aqua Security were among the first to track it closely.
Notable Campaigns:
- Attacks on Docker containers exposed to the internet, often through unsecured Docker Remote API ports
- Campaigns against misconfigured Redis and PostgreSQL databases
- Exploitation of SaltStack vulnerabilities, targeting orchestration servers to spread rapidly
3. Targets and Impact
Targeted Victims and Sectors:
- Cloud environments using Docker, Kubernetes, Redis, or Jenkins
- CI/CD pipelines and DevOps infrastructure
- Any Linux-based server with exposed services or lax configuration
Consequences:
- Massive CPU drain due to crypto-mining
- Degraded system performance and potential service outages
- Financial costs from increased cloud usage and potential reputation damage
- Security risk escalation, as attackers may install additional payloads or pivot deeper into the network
4. Technical Details
Payload Capabilities:
- Mines Monero using lightweight CPU miners
- Installs the kinsing ELF binary
- Drops persistence mechanisms (cron jobs, SSH keys, init scripts)
- Deletes logs and disables competing malware
- Uses infected machines to scan for other vulnerable hosts
Evasion Techniques:
- Kills security agents and monitoring processes
- Cleans up logs to hide infection traces
- Uses generic names and locations to blend with system processes
- Automatically removes rival miners to maximize CPU use
5. Preventing Kinsing Infections
Best Practices:
- Secure Docker, Redis, and PostgreSQL with strong authentication and firewalls
- Disable remote management interfaces when not in use
- Keep systems and containers fully patched
- Use runtime container security tools and logging
- Monitor for unauthorized processes and unexpected outbound traffic
Recommended Security Tools:
- Falco for container runtime monitoring
- CrowdStrike, Aqua Security, or Sysdig Secure
- fail2ban, iptables, or cloud-native WAFs
- OpenSCAP or Lynis for Linux hardening audits
6. Detecting and Removing Kinsing
Indicators of Compromise (IoCs):
- Unusual processes with high CPU usage
- Binary named kinsing, often found in /tmp/ or /var/tmp/
- Suspicious cron entries, SSH keys, or outbound mining traffic
- Connections to known Monero mining pools
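The indicators above can be checked mechanically. The following triage script is an added example, not code from the original article: each check takes command output as a string, so it can run on the live host or on output captured from a suspect machine, and the stratum port list is an illustrative assumption rather than a vetted indicator set.

```shell
#!/bin/sh
# Kinsing triage helper (added example; not code from the original article).
# Each check takes its input as a string, so it runs on live command output
# (see --live below) or on output captured from a suspect host.
# Assumptions: ps, ss, crontab and find are available; the stratum port list
# is illustrative, not a vetted indicator set; replace it with your own.

# 1. Cron entries that fetch-and-pipe a remote script into a shell, or that
#    reference the kinsing binary or its usual drop directories.
check_cron() {
    printf '%s\n' "$1" | grep -E -i \
        'kinsing|/tmp/|/var/tmp/|(curl|wget)[^|]*\|[[:space:]]*(ba)?sh' || true
}

# 2. Processes named kinsing, or using more CPU than a threshold (default 80%).
#    Input: "ps -eo pid,pcpu,comm,args" output, header included.
check_procs() {
    printf '%s\n' "$1" | awk -v thr="${2:-80}" \
        'NR > 1 && ($2 + 0 > thr || $3 == "kinsing") { print }'
}

# 3. Established connections owned by kinsing, or whose peer port is a
#    typical stratum mining-pool port. Input: "ss -tnp state established"
#    output, where the peer address:port is the fourth column.
check_conns() {
    printf '%s\n' "$1" | awk -v ports="${2:-3333|4444|5555|7777|14444}" \
        'NR > 1 { n = split($4, a, ":")
                  if ($0 ~ /kinsing/ || a[n] ~ "^(" ports ")$") print }'
}

# 4. Files named kinsing* in the given directories (the article names
#    /tmp and /var/tmp as common drop locations).
check_files() {
    find "$@" -type f -name 'kinsing*' 2>/dev/null || true
}

# Run every check against the live host: sh kinsing_triage.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "== cron =="
    check_cron "$( { crontab -l; cat /etc/crontab /etc/cron.d/*; } 2>/dev/null )"
    echo "== processes =="
    check_procs "$(ps -eo pid,pcpu,comm,args)"
    echo "== connections =="
    check_conns "$(ss -tnp state established)"
    echo "== files =="
    check_files /tmp /var/tmp
fi
```

Anything the script prints is a lead for manual review, not proof of infection; a legitimate backup job in /tmp or a busy build process will trip the same heuristics.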
Removal Steps:
- Kill any mining processes and delete kinsing binaries
- Remove persistence mechanisms (cron jobs, SSH keys, systemd entries)
- Patch exploited vulnerabilities and audit configurations
- Rebuild compromised containers if needed
- Block outgoing connections to mining pools and botnet infrastructure
Professional Help:
Enterprises facing Kinsing infections across multiple systems or cloud regions should engage a cloud security response team. The malware often indicates broader misconfigurations or systemic weaknesses.
7. Response to a Kinsing Infection
Immediate Steps:
- Isolate infected systems from the network
- Disable exposed services and close vulnerable ports
- Revoke any SSH keys added by the malware
- Re-image or rebuild containers using secure images
- Review access logs for signs of lateral movement
8. Legal and Ethical Implications
Legal Considerations:
If an infected system is used to attack others or consume shared resources, cloud providers may suspend accounts, and organizations could face liability for damages or breach disclosures.
Ethical Considerations:
Kinsing exploits the neglect of basic security hygiene. It highlights the importance of responsible cloud configuration, secure DevOps practices, and the risks of open infrastructure.
9. Resources and References
- Aqua Security: Aqua Nautilus Reveals Millions of Potential Kinsing Attacks Daily
- Trend Micro: Linux Threat Intelligence and Analysis of Kinsing Malware's Use of Rootkit
- CISA Alerts on Docker and Redis Exploits
- GitHub Repos tracking mining IoCs
- MITRE ATT&CK Techniques: T1496 (Resource Hijacking), T1543 (Create or Modify System Process, used for persistence)
10. FAQs about Kinsing
Q: What is Kinsing malware?
A Linux-based malware that infects cloud systems and containers to install crypto-miners and backdoors.
Q: How does it spread?
Through misconfigured services, open Docker APIs, and known vulnerabilities in common server software.
Q: What does it do?
It installs crypto-miners, creates backdoors, and spreads laterally to other systems.
Q: Can it be removed?
Yes, with manual cleanup or by rebuilding compromised containers and fixing exposed services.
11. Conclusion
Kinsing is a loud but effective threat—a reminder that even basic misconfigurations in cloud and Linux environments can have serious consequences. It doesn’t rely on stealth but rather on the widespread exposure of underprotected services. Organizations running modern infrastructure must ensure security is baked into every layer—from containers to CI/CD pipelines—to stop malware like Kinsing before it turns compute power into attacker profit.