Money Libra

Malware Profile Updated 3 months ago
Money Libra, also known as Kinsing, is malware that has been active since late 2021. It primarily targets cloud-native environments and applications such as Kubernetes clusters, the Docker API, Redis, Jenkins and Openfire servers, and cloud-hosted Apache NiFi instances, with the main goal of deploying cryptominers. The threat actor group behind Money Libra uses sophisticated techniques to exploit vulnerabilities and infiltrate systems, often without the user's knowledge. Once inside, it can disrupt operations, steal sensitive information, or even hold data for ransom.

The infection vector for Money Libra was notably different from that of other cryptojacking-focused worms. It exploited Redis through CVE-2022-0543, a method not commonly used by other worms targeting Redis instances, such as those created by Adept Libra (aka TeamTNT), Thief Libra (aka WatchDog), Automated Libra (aka PurpleUrchin), Aged Libra (aka Rocke), and Returned Libra (aka 8220). Despite similarities in their target systems and worm-like operations, there are no known links between these groups and Money Libra.

In October, the Looney Tunables flaw was disclosed, and Money Libra subsequently leveraged it to target cloud environments. This demonstrates the group's adaptability and quick response to newly discovered vulnerabilities, making it a significant threat to cloud-based systems. Overall, Money Libra represents an evolving cybersecurity risk that requires ongoing vigilance and robust defensive measures.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at.
ID | Votes | Profile Description
Kinsing
3
Kinsing is a type of malware, short for malicious software, that is designed to exploit and damage computer systems or devices. It typically infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt o
TeamTNT
1
TeamTNT, a threat actor group known for its malicious activities, has been implicated in a series of sophisticated attacks on Kubernetes, one of the most complex to date. The group is notorious for deploying malware, specifically the Hildegard malware, which was identified during a new campaign. The
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Redis
Kubernetes
Malware
Docker
Vulnerability
Apache
Worm
Associated Malware
ID | Type | Votes | Profile Description
P2pinfect (Type: Unspecified)
1
P2Pinfect is a malicious software (malware) that has recently been updated to target Redis servers with miners and ransomware, as well as routers and Internet of Things (IoT) devices. This malware infects systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once
Associated Threat Actors
ID | Type | Votes | Profile Description
Rocke (Type: Unspecified)
1
Rocke, also known as the Iron Cybercrime Group, is a significant threat actor in the cybersecurity landscape. Identified by Talos in 2018, Rocke has been linked to various malicious activities, including the deployment of an ELF backdoor for financial gain. The group's primary motivation appears to
Thief Libra (Type: Unspecified)
1
Thief Libra, also known as WatchDog, is a threat actor identified in the cybersecurity world for its malicious activities. The group's operations involve exploiting vulnerabilities to execute actions with harmful intent. A notable aspect of Thief Libra's modus operandi involves targeting Redis insta
Adept Libra (Type: Unspecified)
1
Adept Libra, also known as TeamTNT, is a malicious threat actor that has been active in cybersecurity breaches since at least July 2021. The group is known for its innovative use of tools such as LaZagne to steal passwords from various operating systems, including Linux distributions in cloud-based
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Looney Tunables (Type: Unspecified)
1
Looney Tunables is a significant vulnerability in Linux software design and implementation, which has been exploited by various threat actors. This flaw allows for local privilege escalation, providing unauthorized users with elevated access rights within a Linux environment. Multiple experts have r
CVE-2022-0543 (Type: Unspecified)
1
CVE-2022-0543 is a critical vulnerability in software design or implementation that was first identified in 2022. This flaw, known as a Lua sandbox escape vulnerability, affects Redis instances and has been exploited by P2PInfect, a self-replicating worm written in the Rust programming language. The
Source Document References
Information about the Money Libra malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Unit42
a year ago
P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm
BankInfoSecurity
8 months ago
CISA Urges Patching as Hackers Exploit 'Looney Tunables' Bug
CERT-EU
9 months ago
Looney Tunables bug exploited for cryptojacking
CERT-EU
9 months ago
Looney Tunables bug exploited for cryptojacking - Help Net Security