Researchers observed recent activities surrounding the Kinsing malware, which primarily targets Linux-based cloud infrastructure. Kinsing exploits various vulnerabilities to gain unauthorized access and deploys backdoors and cryptominers. Recent findings show that Kinsing also targets Apache Tomcat servers and uses innovative techniques to remain hidden within the filesystem, increasing the difficulty of detection.
Kinsing malware campaigns exploit vulnerabilities in containers and servers to deploy backdoors and cryptominers. In recent activity, researchers observed the campaign targeting Apache Tomcat. The malware hides in unconventional filesystem locations to avoid detection, such as:

- /var/cache/man/cs/cat1/: typically used for user-level commands.
- /var/cache/man/cs/cat3/: associated with library functions.
- /var/lib/gssproxy/rcache/: related to the Kerberos authentication service.
- /var/cache/man/zh_TW/cat8/: used for system administration commands.
These locations help the malware blend in with legitimate system files. The detected malicious file includes XMRig, open-source software used to mine the Monero cryptocurrency. This particular attack on Tomcat servers has been ongoing since mid-2023.
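A defender-side check for the hiding technique described above, written as an added example rather than code from the researchers' report: it walks the four directories named in the text and flags any regular file that is an ELF image or carries an execute bit, since preformatted man pages are compressed text and the gssproxy replay cache holds Kerberos data, so neither should ever hold a native binary. The function names and the sample tree built by demo() are constructed for illustration.

```python
import os
import stat
import tempfile
# The four hideout directories named in the report, relative to the filesystem root.
KINSING_HIDEOUTS = [
    "var/cache/man/cs/cat1",
    "var/cache/man/cs/cat3",
    "var/lib/gssproxy/rcache",
    "var/cache/man/zh_TW/cat8",
]
ELF_MAGIC = b"\x7fELF"

def is_suspicious(path):
    # Preformatted man pages are compressed text and the gssproxy replay cache
    # holds Kerberos data; neither should contain an ELF image or be executable.
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return True
    with open(path, "rb") as fh:
        return fh.read(4) == ELF_MAGIC

def scan_hideouts(root="/"):
    # Walk each hideout directory that exists; return the suspicious files found.
    findings = []
    for rel in KINSING_HIDEOUTS:
        directory = os.path.join(root, rel)
        if not os.path.isdir(directory):
            continue
        for dirpath, _, filenames in os.walk(directory):
            for name in filenames:
                full = os.path.join(dirpath, name)
                if is_suspicious(full):
                    findings.append(full)
    return sorted(findings)

def demo():
    # Constructed sample: a benign gzip cat page plus a fake, non-executable ELF in rcache.
    with tempfile.TemporaryDirectory() as root:
        cat1 = os.path.join(root, "var/cache/man/cs/cat1")
        rcache = os.path.join(root, "var/lib/gssproxy/rcache")
        os.makedirs(cat1)
        os.makedirs(rcache)
        with open(os.path.join(cat1, "ls.1.gz"), "wb") as fh:
            fh.write(b"\x1f\x8b" + b"\x00" * 16)  # gzip header: benign
        planted = os.path.join(rcache, ".x")
        with open(planted, "wb") as fh:
            fh.write(ELF_MAGIC + b"\x00" * 60)  # ELF header bytes, mode 0644: suspicious
        return planted, scan_hideouts(root)
```

Run scan_hideouts() with the default root on a live host to audit the real directories; the magic-byte check matters because the planted sample carries no execute bit and would pass a permissions-only audit.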