S0599 Kinsing

Kinsing is Golang-based malware that runs a cryptocurrency miner and attempts to spread itself to other hosts in the victim environment. [1][2][3]

| Item | Value |
|---|---|
| ID | S0599 |
| Associated Names | |
| Version | 1.1 |
| Created | 06 April 2021 |
| Last Modified | 26 August 2021 |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Kinsing has communicated with C2 over HTTP. [1] |
| enterprise | T1110 | Brute Force | Kinsing has attempted to brute force hosts over SSH. [1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.004 | Unix Shell | Kinsing has used Unix shell scripts to execute commands in the victim environment. [1] |
| enterprise | T1609 | Container Administration Command | Kinsing was executed with an Ubuntu container entry point that runs shell scripts. [1] |
| enterprise | T1610 | Deploy Container | Kinsing was run through a deployed Ubuntu container. [1] |
| enterprise | T1133 | External Remote Services | Kinsing was executed in an Ubuntu container deployed via an open Docker daemon API. [1] |
| enterprise | T1083 | File and Directory Discovery | Kinsing has used the find command to search for specific files. [1] |
| enterprise | T1222 | File and Directory Permissions Modification | - |
| enterprise | T1222.002 | Linux and Mac File and Directory Permissions Modification | Kinsing has used chmod to modify permissions on key files for use. [1] |
| enterprise | T1105 | Ingress Tool Transfer | Kinsing has downloaded additional lateral movement scripts from C2. [1] |
| enterprise | T1057 | Process Discovery | Kinsing has used ps to list processes. [1] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.004 | SSH | Kinsing has used SSH for lateral movement. [1] |
| enterprise | T1018 | Remote System Discovery | Kinsing has used a script to parse files like /etc/hosts and SSH known_hosts to discover remote systems. [1] |
| enterprise | T1496 | Resource Hijacking | Kinsing has created and run a Bitcoin cryptocurrency miner. [1][2] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.003 | Cron | Kinsing has used crontab to download and run shell scripts every minute to ensure persistence. [1] |
| enterprise | T1552 | Unsecured Credentials | - |
| enterprise | T1552.003 | Bash History | Kinsing has searched bash_history for credentials. [1] |
| enterprise | T1552.004 | Private Keys | Kinsing has searched for private keys. [1] |
| enterprise | T1078 | Valid Accounts | Kinsing has used valid SSH credentials to access remote hosts. [1] |