
Security firm Tenable says its Cloud Security Research Team recently discovered that the Kinsing malware, which is known to target Linux-based cloud infrastructure, is exploiting Apache Tomcat servers using what it claims are "new advanced stealth techniques".
In a blog post, the company said Kinsing was a notorious malware family which had been active for several years. The threat actors behind Kinsing normally installed backdoors and cryptocurrency miners on systems. Kinsing used system resources for cryptomining, leading to higher costs and slower server performance.
In attacking Apache Tomcat servers, Kinsing used new techniques to hide on the filesystem, including utilising innocent and non-suspicious file locations for persistence.
Apache Tomcat is an open source server that provides static data (like images and other static content), making it fully accessible from the Internet and, therefore, an attractive attack surface.
The blog post said Tenable's cloud security team had found Kinsing hiding in the following four locations on Linux systems:
/var/cache/man/cs/cat1/: typically used for user-level commands and applications.
/var/cache/man/cs/cat3/: usually associated with library functions and programming interfaces.
/var/lib/gssproxy/rcache/: The gssproxy (Generic Security Services Proxy) is a service that provides a proxy interface to the Kerberos library, making it easier for applications to use Kerberos authentication.
/var/cache/man/zh_TW/cat8/: used for system administration and maintenance commands. Note the zh_TW folder – this is a Taiwan / Chinese locale folder. We can assume that the attackers created this directory structure as part of their malware installation, expecting that nobody would look for them on this path.
"These locations are typically used for legitimate system files, allowing the malware to blend in and avoid detection. By leveraging these seemingly innocuous paths, the attackers increase the chances of their malware staying unnoticed on compromised systems," the post said.
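The four paths above are normally populated only by man-db's preformatted pages and gssproxy's replay cache, so an ELF binary or an executable file sitting in them is a simple thing to check for. The script below is an added example for defenders, not code from Tenable's post; the directory list is taken from the article, while the ELF-magic and execute-bit heuristics and the optional ROOT argument (for scanning a mounted disk image) are this example's own assumptions.

```bash
#!/bin/sh
# Audit the directories named in the article for files that should not be there.
# Output: one "reason<TAB>path" line per hit; nothing printed means nothing found.
# Usage: scan_kinsing_paths [ROOT]   (ROOT defaults to /, e.g. /mnt/image for an offline disk)

# Paths quoted in the article (relative to ROOT so the scan can run against an image).
KINSING_PATHS="var/cache/man/cs/cat1 var/cache/man/cs/cat3 var/lib/gssproxy/rcache var/cache/man/zh_TW/cat8"

scan_kinsing_paths() {
    root="${1:-/}"
    for dir in $KINSING_PATHS; do
        [ -d "$root/$dir" ] || continue
        # Walk every regular file; man caches and the gssproxy rcache hold only data files.
        find "$root/$dir" -type f 2>/dev/null | while IFS= read -r f; do
            # The first four bytes of an ELF executable are 0x7f 'E' 'L' 'F'.
            magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
            if [ "$magic" = "7f454c46" ]; then
                printf 'elf-binary\t%s\n' "$f"
            elif [ -x "$f" ]; then
                # A preformatted man page or a replay-cache file never needs the execute bit.
                printf 'executable\t%s\n' "$f"
            fi
        done
    done
}

# Run directly: scan the live system (or the root passed as first argument).
[ "${0##*/}" = "scan_kinsing_paths.sh" ] && scan_kinsing_paths "$1"
```

The heuristic is deliberately narrow: it will not catch a non-executable shell script dropped there, so treat a hit as a starting point for triage of the host rather than a complete verdict.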
The malicious file detected was itself not new; it was first spotted at the end of 2022 in China. The specific attack on the Tomcat server started in mid-2023, based on the creation dates:
var/cache/man/cs/cat3/ 06/22/2023
var/cache/man/zh_TW/cat8/ 07/04/2023
var/cache/man/cs/cat1/ 07/30/2023
The security team said: "We see that the malicious operation has been active for almost a year without anyone noticing it. The malware has a cryptominer embedded in it called XMRig.
"XMRig is an open-source CPU mining software used for the mining of Monero, a cryptocurrency with high privacy. In the figure below, we can see that the version of XMRig is 6.12.2, while the current version on GitHub is 6.21.2."
“Cloud cryptomining has become an emerging trend in recent years, powered by the scalability and flexibility of cloud platforms,” said Ari Eitan, manager – Research, Tenable.
“Unlike traditional on-premises infrastructure, cloud infrastructure allows attackers to quickly deploy resources for cryptomining, making it easier to exploit. In this case, we've detected multiple Kinsing infected servers within a singular environment, including an Apache Tomcat server with critical vulnerabilities.”