Connect with us

Hi, what are you looking for?



Kinsing Linux Malware Deploys Crypto-Miner in Container Environments

A campaign that has been ongoing for months is targeting misconfigured open Docker Daemon API ports to install a piece of malware named Kinsing, which in turn deploys a cryptocurrency miner in compromised container environments.

A campaign that has been ongoing for months is targeting misconfigured open Docker Daemon API ports to install a piece of malware named Kinsing, which in turn deploys a cryptocurrency miner in compromised container environments.

Researchers at Aqua Security, who have been tracking the attacks, say that thousands of infection attempts were observed daily. As part of the attack, hackers abuse misconfigured Docker API ports to run an Ubuntu container hosting Kinsing.

The Kinsing malware in the container executes a cryptocurrency miner and then attempts to further spread, targeting both containers and hosts.

All of the observed attacks have the same entry point, with the only difference between them being the IP address an initial shell script is downloaded from. To date, the security researchers identified three different IP addresses.

The shell script was designed to disable security measures and clear logs, as well as to remove rival malware and crypto-miners by killing their applications, deleting associated files, and terminating any running rival malicious Docker containers and deleting their images.

Additionally, the script downloads the Kinsing malware and runs it, achieves persistence via the crontab, and looks for additional commands running in cron to delete them (including its own).

Linux-based, Kinsing is written in Golang. Upon execution, it attempts to communicate with its command and control (C&C) servers in Eastern Europe.

Aqua Security discovered what appear to be dedicated servers for each function of the malware, such as C&C communication, downloading a spread script, and downloading a crypto-miner.

Advertisement. Scroll to continue reading.

The shell script used to spread across the container network passively collects data from /.ssh/config, .bash_history, /.ssh/known_hosts, and the like, then attempts to connect to each host using every possible user and key combination through SSH.

The crypto-miner delivered as part of this attack is called kdevtmpfsi and was designed to mine for Bitcoin. It first connects to a host using a log-in request over HTTP to receive additional instructions, and then starts the mining operation.

“This attack stands out as yet another example of the growing threat to cloud native environments. With deployments becoming larger and container use on the rise, attackers are upping their game and mounting more ambitious attacks, with an increasing level of sophistication,” Aqua Security concludes.

Related: Vollgar Campaign Targets MS-SQL Servers With Backdoors, Crypto-Miners

Related: Misconfigured Docker Registries Expose Thousands of Repositories

Related: Less Than Half of Vulnerabilities in Popular Docker Images Pose Risk: Study

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.