Linking Kinsing to SaltStack
Golang RAT + Monero miner
In May 2020, security vendors linked Kinsing to an additional campaign: one exploiting SaltStack CVE-2020-11651 and CVE-2020-11652. Initial reports were posted via Twitter and were later followed by reporting from various sources. Intezer took the lead on this documentation, demonstrating through an analysis of code similarities that the samples seen in SaltStack exploits were related to the Kinsing RAT. In this section, I want to walk through some of the similarities between the Kinsing RAT used in the SaltStack campaign relative to malware used in previous campaigns because it will prove useful to further tie Kinsing to additional exploitation activity.
First, in observing the TTPs involved in the SaltStack campaign, we can determine that the affected SaltStack services were exploited to download and execute scripts similar in function and structure to those of previous Kinsing campaigns. The actor shows a tendency to use single-letter names for their shell scripts, move laterally via SSH, manipulate cron jobs for persistence, and perform md5sum hash checking to verify malware integrity before execution.
During execution of the malware, two binaries showed up: a Golang-based RAT and an XMRIG miner. This matches previous Kinsing campaigns.
Matching Monero wallet address
One of the strongest ties between the SaltStack campaign and the previous H2Miner/Kinsing campaigns is the presence of a shared Monero wallet address:
This wallet address appeared in miner samples from the Docker host, Redis, and SaltStack compromises. As in previous samples, the ones from the SaltStack campaign contained an embedded JSON-formatted configuration file for XMRIG.
This does not necessarily indicate that all the campaigns were performed by the same actor, but it does suggest that the funds from all the campaigns made a stop in the same account/wallet before distribution. After entering this wallet, the funds could funnel through a laundering operation or the operators could convert it to different currencies for distribution.
The play’s the thing: Hamlet in the binary strings
Another piece of evidence tying the SaltStack campaign to previous H2Miner/Kinsing campaigns was the presence of the full text of Hamlet by William Shakespeare in the RAT’s binary strings. This additional text bloated the RAT binary to 15MB and provided some entertainment during analysis of the malware. In reality, the padding did not slow down analysis much. Its inclusion could reflect the adversary’s desire to increase the malware’s file size, as antivirus configurations sometimes exclude files above a specified size from scanning.
Embedded “masscan” script in binary
Another piece of familiar evidence appeared in the salt-store Golang RAT binary from the SaltStack campaign: an embedded shell script that incorporated masscan functionality. As with the previous campaigns, the embedded shell script deployed dependencies, referred to the masscan binary as “firewire,” and called masscan with the exact same command-line arguments.
Linking Kinsing to Citrix ADC
Golang RAT + Monero miner
In January 2020, the year started off with several malware families conducting campaigns against Citrix Application Delivery Controller (ADC) devices via CVE-2019-19781. While Kinsing and H2Miner have not been formally tied to an ADC campaign, we’ve found enough evidence in both public research and our own analysis to assess with high confidence that Kinsing malware was used in the ADC campaign.
During one campaign, a Golang RAT and a Monero miner component appeared on Citrix ADCs. An excellent blog post from IronNet discusses these findings in detail. First, IronNet dove into analysis of a malicious nspps Golang binary masquerading as a legitimate ADC process named nsppe. This malware contained capabilities to encrypt C2 traffic, use SOCKS proxies, execute commands, run an XMRIG miner, and run
When analyzing the C2 protocol used by nspps, IronNet noted these network POST requests:
The article includes a detailed summary of these calls, which, when compared to the C2 calls documented by Trend Micro, show that nspps and Kinsing malware use similar, if not the exact same, C2 protocols.
Analysis also determined that nspps contained incredibly similar tasking capabilities:
In our own analysis, Red Canary found that numerous binary strings were shared between the nspps binary and previous Kinsing malware samples. The entirety of Hamlet did not appear in this binary, but we did find other similarities.
In the Citrix ADC campaign, nspps deployed an XMRIG miner named netscalerd. This binary was again named to masquerade as a system process, since ADCs were formerly branded as Citrix NetScaler devices. As with former Kinsing campaigns, numerous strings within the binary showed an embedded config.json configuration file and the usage instructions expected of an XMRIG binary.
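The string-overlap reasoning used throughout this post (the shared masscan script with its “firewire” rename, the embedded XMRIG config, and the common wallet address) can be reproduced on a small scale with the Python below. This is an added example, not code from Red Canary, Intezer, or IronNet: it pulls printable strings out of two binaries the way the `strings` utility does, scores their Jaccard overlap, and reports which marker strings both samples carry. The two sample blobs, the marker list, and the Monero address pattern are constructed assumptions, not real samples or indicators.

```python
import re
from typing import Dict, Set

# Threshold for printable runs, matching the default of the GNU `strings` tool.
MIN_LEN = 4

# Overlap markers drawn from the evidence discussed in this post. Hamlet only
# counts when both samples carry it; the post notes nspps did not.
MARKERS = {
    "firewire": "masscan binary renamed 'firewire'",
    "masscan": "embedded masscan usage",
    "config.json": "embedded XMRIG config",
    "to be, or not to be": "Hamlet text padding",
}
# Assumption: a Monero mainnet standard address is 95 base58 characters
# starting with '4'. Used only to test whether two samples share a wallet.
MONERO_ADDR = re.compile(rb"4[1-9A-HJ-NP-Za-km-z]{94}")

def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> Set[str]:
    """Return printable ASCII runs of at least min_len bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.group().decode("ascii") for m in re.finditer(pattern, blob)}

def compare_samples(a: bytes, b: bytes) -> Dict[str, object]:
    """Score string overlap between two binaries and list shared markers."""
    sa, sb = extract_strings(a), extract_strings(b)
    union = sa | sb
    hits = [desc for key, desc in MARKERS.items()
            if any(key in s.lower() for s in sa)
            and any(key in s.lower() for s in sb)]
    wallets_a, wallets_b = set(MONERO_ADDR.findall(a)), set(MONERO_ADDR.findall(b))
    return {
        "jaccard": round(len(sa & sb) / len(union), 3) if union else 0.0,
        "shared_markers": sorted(hits),
        "shared_wallet": bool(wallets_a & wallets_b),
    }

# Constructed stand-ins for the salt-store and nspps binaries (not real samples).
FAKE_WALLET = b"4" + b"A" * 94
SAMPLE_SALT_STORE = b"\x00\x01".join([
    b"apt-get install -y masscan", b"/tmp/firewire -p 6379 --rate 5000",
    b"config.json", FAKE_WALLET, b"To be, or not to be, that is the question",
])
SAMPLE_NSPPS = b"\x00\x01".join([
    b"yum install -y masscan", b"/tmp/firewire -p 6379 --rate 5000",
    b"config.json", FAKE_WALLET, b"Usage: xmrig [OPTIONS]",
])

if __name__ == "__main__":
    print(compare_samples(SAMPLE_SALT_STORE, SAMPLE_NSPPS))
```

On real samples, feed `compare_samples` the raw file bytes; a high Jaccard score alone is weak evidence for Go binaries (runtime strings are shared by every Go program), so the marker hits and wallet match carry the weight.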