{
	"id": "6f5666b2-cd80-4ae7-8185-ea3736c02ec4",
	"created_at": "2026-04-06T00:08:14.447224Z",
	"updated_at": "2026-04-10T13:12:03.043419Z",
	"deleted_at": null,
	"sha1_hash": "e9cfdeb502225cc61099224da32e12c08606b296",
	"title": "Analysis of Kinsing Malware's Use of Rootkit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 100790,
	"plain_text": "Analysis of Kinsing Malware's Use of Rootkit\r\nBy: David Fiser, Nov 24, 2020\r\nPublished: 2020-11-24 · Archived: 2026-04-05 17:19:09 UTC\r\nSeveral shell scripts accompany Kinsing. These shell scripts are responsible for downloading and installing, removing, and uninstalling various resource-intensive services and processes. This blog post focuses on the role of the rootkit component.\r\nWe last discussed the Kinsing malware in April 2020, when we analyzed the Golang-based Linux agent targeting misconfigured Docker Daemon API ports to drop cryptocurrency miners.\r\nWith the constant evolution of shell scripts and Linux-based malicious backdoors and agents, it’s not surprising that the creators of Kinsing have kept in step. In this entry, we discuss the malware variant’s current capabilities, including the addition of features intended to make it more difficult to detect on infected machines. Similar to how the Trident malware uses a rootkit to hide its cryptocurrency mining payload, Kinsing has also adapted the method, integrating user-mode rootkits that use library preloading.\r\nSeveral shell scripts accompany the malware itself. These shell scripts are responsible for downloading and installing the Kinsing backdoor, miner, and rootkit, as well as removing and uninstalling various resource-intensive services and processes. These scripts are similar to those discussed in the entries mentioned above. This blog post will focus on the rootkit component.\r\nTechnology analysis\r\nThe first step of the process involves the deployment of a shell script that tries to remove the immutable file flag from /etc/ld.so.preload if the file exists.\r\nFigure 1. Removing the immutable file flag\r\nThe /etc/ld.so.preload file holds a list of paths to shared objects or libraries that will be loaded into every user-mode process on startup before any other shared library, including the C runtime library (libc.so). By default, this file is not present in Linux distributions; therefore, it has to be created on purpose.\r\nNext, the downloader downloads the rootkit into /etc/libsystem.so, after which a new /etc/ld.so.preload is created. The path to the rootkit is then added to the /etc/ld.so.preload file.\r\nhttps://www.trendmicro.com/en_us/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html\r\nPage 1 of 5\r\nFigure 2. Downloading the rootkit and creating persistence\r\nNote that removing files from or writing files into the /etc/ directory is a privileged operation; therefore, it is highly recommended to follow the principle of least privilege and not run applications or containers with root permissions. The Kinsing malware also works under lower privileges, but without its advanced persistence and rootkit functions.\r\nFigure 3. Setting up the persistence function\r\nUser-level persistence of the downloaded Kinsing malware is achieved by registering it as a system service called “bot.” Another level of persistence is achieved via cron, where the installation script is repeatedly downloaded and executed.\r\nFigure 4. The cron persistence\r\nRootkit analysis\r\nThe rootkit contains the list of hidden literals and the list of non-hooked symbols (native functions that will be hooked, but whose original addresses need to be resolved and saved for later use). These lists are encrypted with a single-byte XOR.\r\nFigure 5. The decryption algorithm used to obtain the names of hidden literals and hooked functions\r\nThe functions hooked by the rootkit are as follows:\r\naccess\r\nrmdir\r\nopen\r\nreaddir\r\nreaddir64\r\nstat\r\nstat64\r\n__xstat\r\n__xstat64\r\nlstat\r\nlstat64\r\n__lxstat\r\n__lxstat64\r\nfopen\r\nfopen64\r\nlink\r\nunlink\r\nunlinkat\r\nThe rootkit implements the following functions:\r\nis_attacker\r\nThis is used to determine whether the calling process belongs to the attacker by checking for the presence of the environment variable called SKL.\r\nis_hidden_file\r\nIf the file name is kinsing (backdoor \u0026 worm process), kdevtmpfsi (cryptomining process), or lib_system.so (rootkit), it returns the code EPERM = Operation not permitted.\r\nWhile looking into the /proc/ directory, the rootkit searches the environment file in the directory of the process for the variable SKL to decide whether the said directory should be hidden.\r\nhide_tcp_ports\r\nUsed to parse files in /proc/net/tcp or /proc/net/tcp6, which maintain the lists of the currently active TCP connections. It extracts remote IP addresses and compares them with the hidden literals. If there is a match, information about the TCP connection is hidden from the listing.\r\nreaddir\r\nIf the attacker executes the process (the SKL environment variable is set for the process calling the readdir function), then readdir works with no restrictions.\r\nIf the current directory is /proc and the process name is kinsing or kdevtmpfsi, the directory item is omitted from the directory listing. If it is '.' or a hidden file (kinsing, kdevtmpfsi, lib_system.so), then it omits these files.\r\nFor other hooked functions, the process that the attacker runs is allowed to invoke all operations without limitation. For other processes (not run by the attacker), it returns an ENOENT = No such file or directory error code if a hidden file is accessed.\r\nFurther searching revealed that the threat actor reuses the publicly available beurk rootkit, but with several custom modifications.\r\nFigure 6. The beurk rootkit repository\r\nConclusion\r\nKinsing is still highly active and continually evolving. Adding the rootkit component hides the presence of malicious components in the infected system. Reusing publicly available source code is a popular option for malicious actors, giving them an easier way to add new functions to their malware.\r\nIndicators of Compromise (IOCs)\r\nC\u0026C IP addresses:\r\nSource: https://www.trendmicro.com/en_us/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html"
	],
	"report_names": [
		"analysis-of-kinsing-malwares-use-of-rootkit.html"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a6c351ea-01f1-4c9b-af75-cfbb3b269ed3",
			"created_at": "2023-01-06T13:46:39.390649Z",
			"updated_at": "2026-04-10T02:00:03.311299Z",
			"deleted_at": null,
			"main_name": "Kinsing",
			"aliases": [
				"Money Libra"
			],
			"source_name": "MISPGALAXY:Kinsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434094,
	"ts_updated_at": 1775826723,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e9cfdeb502225cc61099224da32e12c08606b296.pdf",
		"text": "https://archive.orkl.eu/e9cfdeb502225cc61099224da32e12c08606b296.txt",
		"img": "https://archive.orkl.eu/e9cfdeb502225cc61099224da32e12c08606b296.jpg"
	}
}