A recent threat analysis found that attackers are combining the Kinsing trojan with cryptomining programs to target both Windows and Linux/Unix servers. After exploiting a vulnerability or misconfiguration, the attackers run infection scripts that prepare the environment, remove competing malware, and deploy programs that give them remote control.
Kinsing targets servers on both Windows and Linux/Unix, so the attackers maintain separate scripts and binaries to carry out their activity on each platform. They are also known to leave exploits behind as artifacts on the compromised servers, a further sign of how developed these attacks are.
The initial scripts fall into two main types. Type I scripts are older and written for the Bourne shell (sh) found on Unix systems; Type II scripts are written for the Bourne-again shell (bash), which offers more capabilities. On Windows servers, researchers have observed PowerShell scripts in some cases, confirming the attackers' multi-platform approach.
The scripts serve different purposes: some remove competing infections, some evade detection, and some set up the next stages of the attack, which includes downloading binaries from dedicated download servers the attackers operate. This shows a degree of organization and planning in their operations.
Researchers have also identified 12 binaries dropped at various stages of the attacks, each with a specific function. Members of the Kinsing malware family include kinsing2, kinsing_aarch64, and one simply called b. Others are variants of XMRig, an open-source cryptocurrency miner configured here to mine Monero, including xmrig.exe, kdevtmpfsl, x, x2, x_arm, and x2_arm.
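The binary names above are the kind of artifact a defender can sweep for in process listings. The following Python script is an added example, not code from the analysis or from the researchers; it flags processes whose executable basename exactly matches one of the reported names. The process listing it runs over is constructed for the example. The single-character names b and x make exact, case-sensitive matching important: a looser match would flag legitimate programs such as /usr/bin/X or anything whose name merely starts with "x2".

```python
"""Sweep a 'PID USER COMMAND' process listing for the binary names reported
for the Kinsing campaign. Added example; the listing below is constructed."""

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Binary names taken from the analysis above. "b" and "x" are a single
# character, so they are matched only as the exact executable basename.
KINSING_FAMILY = frozenset({"kinsing2", "kinsing_aarch64", "b"})
XMRIG_VARIANTS = frozenset({"xmrig.exe", "kdevtmpfsl", "x", "x2", "x_arm", "x2_arm"})

# Constructed sample listing mixing Linux and Windows-style paths.
# Lines 612 (the X server) and 1020 (x2goagent) are deliberate near-misses.
SAMPLE_LISTING = r"""PID USER COMMAND
1 root /sbin/init
612 root /usr/bin/X :0
842 www-data /tmp/kinsing2
913 www-data /tmp/kdevtmpfsl
1020 alice /usr/bin/x2goagent
1187 bob ./x
1305 SYSTEM C:\Users\Public\xmrig.exe
"""


@dataclass(frozen=True)
class Finding:
    pid: int
    user: str
    executable: str
    family: str


def executable_basename(command: str) -> str:
    """Return the basename of argv[0], accepting both '/' and '\\' separators.

    Matching is case-sensitive on purpose: /usr/bin/X must not match "x".
    """
    parts = command.strip().split()
    if not parts:
        return ""
    return re.split(r"[\\/]", parts[0])[-1]


def classify(command: str) -> Optional[str]:
    """Map a command line to the malware family its executable name belongs to."""
    name = executable_basename(command)
    if name in KINSING_FAMILY:
        return "kinsing"
    if name in XMRIG_VARIANTS:
        return "xmrig"
    return None


def parse_listing(text: str) -> List[Tuple[int, str, str]]:
    """Parse 'PID USER COMMAND' rows; the header and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split(maxsplit=2)
        if len(fields) < 3 or not fields[0].isdigit():
            continue
        rows.append((int(fields[0]), fields[1], fields[2]))
    return rows


def find_suspicious(text: str) -> List[Finding]:
    """Return one Finding per process whose executable name is on the list."""
    findings = []
    for pid, user, cmd in parse_listing(text):
        family = classify(cmd)
        if family is not None:
            findings.append(Finding(pid, user, executable_basename(cmd), family))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LISTING):
        print(f"pid={f.pid} user={f.user} exe={f.executable} family={f.family}")
```

A match on a name like x or b is a lead, not a verdict; confirm it with the file's location, hash, and the network activity of the process before treating it as the XMRig or Kinsing binary.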
These findings underscore the complexity of the attacks. By combining the Kinsing trojan with cryptomining programs, the attackers can compromise servers on multiple platforms and carry out their activity reliably. Organizations should stay alert to such threats and keep their systems properly patched and configured to avoid falling victim to them.