Backdoor.Linux.KINSING.A

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It runs certain commands that it receives remotely from a malicious user. Doing this puts the affected computer and information found on the computer at greater risk.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Backdoor adds the following folders:

• /tmp/.ICEd-unix
• /var/tmp/.ICEd-unix

It drops and executes the following files:

• /tmp/kdevtmpfsi

Propagation

This Backdoor does not have any propagation routine.

Backdoor Routine

This Backdoor executes the following command(s) from a remote malicious user:

• Download and execute a file
• Update downloaded files
• Execute a command
• Execute a command and send output to {Server}/o
• Create an HTTP request
• Create a TCP request
• Brute-force Redis instances

Rootkit Capabilities

This Backdoor does not have rootkit capabilities.

Process Termination

This Backdoor terminates the following processes if found running in the affected system's memory:

• kdevtmpfsi

Information Theft

This Backdoor gathers the following data:

• OS Version
• OS Name
• OS Architecture

Stolen Information

This Backdoor sends the gathered information via HTTP POST to the following URL:

• {Server}/r

Other Details

This Backdoor does the following:

• This backdoor checks for the connection to the following URL to choose which C2 server to send and receive information:
  • http://{BLOCKED}.{BLOCKED}.88.102
  • http://{BLOCKED}.{BLOCKED}.169.111
  • http://{BLOCKED}.{BLOCKED}.50.255
  • http://{BLOCKED}.{BLOCKED}.87.220
  • http://{BLOCKED}.{BLOCKED}.220.193
• This backdoor receives its commands via HTTP GET to the following URL:
  • {Server}/get

It does not exploit any vulnerability.