In general terms, after exploiting a vulnerability or misconfiguration, the attackers execute a series of infection scripts that prepare the environment, eliminate competing malware, and deploy a cryptomining program and the Kinsing trojan which is used for remote control. These are usually accompanied by a rootkit that’s meant to hide the files and processes of the other components.

It’s worth noting that Kinsing targets both Windows and Linux/Unix servers so it has different scripts and binaries for both platforms. There are also the exploits that can be left behind as artifacts on the compromised servers.

Aqua breaks down these initial scripts into Type I and Type II. Type I scripts seem to be older and written for sh, the Bourne shell present on Unix systems, while Type II are written for bash (Bourne again shell), a newer version of sh that has an extended set of capabilities. On Windows, researchers have also seen PowerShell scripts being used in some situations.

The number of these scripts varies and their purpose is different. Some look for competing infections to remove them, some perform tasks meant to evade detection, and others are used to set up the next stages of the attack, which involve downloading binaries from so-called download servers that the attackers set up.

12 binaries are dropped with variations of the name Kinsing

The researchers have identified 12 binaries that are dropped during various attacks at different stages. Those with variations of the name “kinsing,” such as kinsing2 or kinsing_aarch64 and one called b, are all variants of the Kingsing malware. Those called xmrig.exe, kdevtmpfsl, x, x2, x_arm, and x2_arm are variants of XMRig, an open-source cryptocurrency mining program configured to mine Monero.

Kinsing samples