Kinsing

Malware updated 3 months ago (2024-08-14T09:38:17.955Z)

Download STIX

Preview STIX

Kinsing is a malicious software, or malware, that has been recently observed exploiting vulnerabilities in systems. It operates by infiltrating computers or devices, often undetected, through suspicious downloads, emails, or websites. Once inside, Kinsing can wreak havoc by stealing personal information, disrupting operations, or even holding data for ransom. In recent attacks, Kinsing threat actors have been probing the Looney Tunables flaws, as reported on securityaffairs.com. The Kinsing malware was further analyzed using the open-source tool Sysdig. During this analysis, it was discovered that Kinsing wrote to a file named /tmp/kdevtmpfsi. This action was detected during a deep dive into the system calls executed from Kinsing, providing valuable insight into its behavior and operational tactics. The use of Sysdig open source allowed for a closer examination of the malware's activities, particularly when it was running in a honeypot project. In conclusion, Kinsing presents a significant cybersecurity threat due to its ability to exploit system vulnerabilities and carry out harmful actions undetected. Its recent activity involving the Looney Tunables flaws underscores the need for robust security measures and constant vigilance. Tools like Sysdig open source offer invaluable resources for understanding and combatting threats such as Kinsing, enabling researchers to study its behaviors and devise effective countermeasures.

Description last updated: 2024-08-14T08:50:42.150Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Money Libra is a possible alias for Kinsing. Money Libra, also known as Kinsing, is a malicious software (malware) that has been active since late 2021. This malware primarily targets cloud-native environments and applications such as Kubernetes clusters, Docker API, Redis, Jenkins and Openfire servers, and cloud-hosted Apache NiFi instances,	3
H2miner is a possible alias for Kinsing. H2miner, also known as Kinsing, is a malicious software (malware) that primarily targets Linux systems to exploit their computing resources for illicit cryptocurrency mining. This malware is typically introduced into systems through suspicious downloads, emails, or websites, often unbeknownst to the	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Exploit

Linux

Vulnerability

Malware

Exploits

Apache Activ...

Activemq

Redis

Docker

Apache

Rootkit

Bitcoin

Kubernetes

Botnet

Cryptominer

Jenkins

Cybercrime

Payload

Source

Ddos

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Mirai Malware is associated with Kinsing. Mirai, a malware that targets Internet of Things (IoT) devices, was responsible for over 7 million botnet detections in early 2022. This malicious software infiltrates systems often without the user's knowledge and can steal personal information, disrupt operations, or hold data hostage for ransom.	Unspecified	3
The Mozi Malware is associated with Kinsing. Mozi, a malicious software (malware), has been a significant force in the cyber threat landscape. This malware, known for exploiting outdated and vulnerable Internet of Things (IoT) devices, was responsible for 74% of all IoT attacks in 2021. The Mozi botnet, infamous for hijacking hundreds of thous	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The Looney Tunables Vulnerability is associated with Kinsing. Looney Tunables is a significant vulnerability in Linux software design and implementation, which has been exploited by various threat actors. This flaw allows for local privilege escalation, providing unauthorized users with elevated access rights within a Linux environment. Multiple experts have r	has used	6
The CVE-2023-46604 Vulnerability is associated with Kinsing. CVE-2023-46604 is a critical vulnerability identified in Apache ActiveMQ, specifically affecting versions prior to 5.15.16, 5.16.7, 5.17.6, and 5.18.3. This flaw, which lies within the Java OpenWire protocol marshaller, allows for Remote Code Execution (RCE) and has been assigned a maximum severity	Unspecified	4
The CVE-2023-4911 Vulnerability is associated with Kinsing. CVE-2023-4911, also known as the "Looney Tunables" vulnerability, is a significant software flaw found in the GNU C Library (glibc), specifically within its dynamic loader ld.so. This buffer overflow issue occurs when processing the GLIBC_TUNABLES environment variable, enabling threat actors to exec	Unspecified	4
The CVE-2017-9841 Vulnerability is associated with Kinsing. CVE-2017-9841 is a critical vulnerability in the PHP testing framework, PHPUnit. It is a software flaw that allows attackers to gain initial access to systems by exploiting it to download and execute a Perl script, thereby opening a reverse shell on the compromised machine. This vulnerability was ac	Unspecified	2
The Log4Shell Vulnerability is associated with Kinsing. Log4Shell is a significant software vulnerability (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105) that exists in the Log4j Java-based logging utility. It was exploited by various Advanced Persistent Threat (APT) actors, including LockBit affiliates and GOLD MELODY (UNC961), to gain unauthorized	Unspecified	2

Source Document References

Information about the Kinsing Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	3 months ago	SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6
Securityaffairs	4 months ago	security-affairs-malware-newsletter-round-5
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 2
Securityaffairs	5 months ago	Security Affairs Malware Newsletter - Round 1
Securityaffairs	5 months ago	Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	5 months ago	Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	5 months ago	Security Affairs newsletter Round 476 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	6 months ago	Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	7 months ago	Security Affairs newsletter Round 470 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	7 months ago	Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	7 months ago	Security Affairs newsletter Round 467 by Pierluigi Paganini – INTERNATIONAL EDITION
DARKReading	7 months ago	Expired Redis Service Abused to Use Metasploit Meterpreter Maliciously
Securityaffairs	8 months ago	Security Affairs newsletter Round 466 by Pierluigi Paganini
Securityaffairs	8 months ago	Security Affairs newsletter Round 465 by Pierluigi Paganini
Securityaffairs	8 months ago	Security Affairs newsletter Round 464 by Pierluigi Paganini
Securityaffairs	8 months ago	Security Affairs newsletter Round 463 by Pierluigi Paganini
Securityaffairs	8 months ago	Security Affairs newsletter Round 462 by Pierluigi Paganini
Securityaffairs	9 months ago	Security Affairs newsletter Round 461 by Pierluigi Paganini