S0599 Kinsing
Kinsing is Golang-based malware that runs a cryptocurrency miner and attempts to spread itself to other hosts in the victim environment.[1][2][3]
Item | Value |
---|---|
ID | S0599 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 06 April 2021 |
Last Modified | 26 August 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Kinsing has communicated with C2 over HTTP.[1] |
enterprise | T1110 | Brute Force | Kinsing has attempted to brute force hosts over SSH.[1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.004 | Unix Shell | Kinsing has used Unix shell scripts to execute commands in the victim environment.[1] |
enterprise | T1609 | Container Administration Command | Kinsing was executed with an Ubuntu container entry point that runs shell scripts.[1] |
enterprise | T1610 | Deploy Container | Kinsing was run through a deployed Ubuntu container.[1] |
enterprise | T1133 | External Remote Services | Kinsing was executed in an Ubuntu container deployed via an open Docker daemon API.[1] |
enterprise | T1083 | File and Directory Discovery | Kinsing has used the find command to search for specific files.[1] |
enterprise | T1222 | File and Directory Permissions Modification | - |
enterprise | T1222.002 | Linux and Mac File and Directory Permissions Modification | Kinsing has used chmod to modify permissions on key files for use.[1] |
enterprise | T1105 | Ingress Tool Transfer | Kinsing has downloaded additional lateral movement scripts from C2.[1] |
enterprise | T1057 | Process Discovery | Kinsing has used ps to list processes.[1] |
enterprise | T1021 | Remote Services | - |
enterprise | T1021.004 | SSH | Kinsing has used SSH for lateral movement.[1] |
enterprise | T1018 | Remote System Discovery | Kinsing has used a script to parse files like /etc/hosts and SSH known_hosts to discover remote systems.[1] |
enterprise | T1496 | Resource Hijacking | Kinsing has created and run a Bitcoin cryptocurrency miner.[1][2] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.003 | Cron | Kinsing has used crontab to download and run shell scripts every minute to ensure persistence.[1] |
enterprise | T1552 | Unsecured Credentials | - |
enterprise | T1552.003 | Bash History | Kinsing has searched bash_history for credentials.[1] |
enterprise | T1552.004 | Private Keys | Kinsing has searched for private keys.[1] |
enterprise | T1078 | Valid Accounts | Kinsing has used valid SSH credentials to access remote hosts.[1] |
References
- [1] Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021.
- [2] Huang, K. (2020, November 23). Zoom into Kinsing. Retrieved April 1, 2021.
- [3] Team Nautilus. (2021, June). Attacks in the Wild on the Container Supply Chain and Infrastructure. Retrieved August 26, 2021.