The Hidden Threat in Man Pages: Kinsing Malware Targets Apache Tomcat Servers

Kinsing malware campaign

The persistent cyber threat known as Kinsing malware has taken a new and sophisticated approach to its cryptojacking campaign. Tenable Research recently uncovered that the malware is now targeting cloud servers, specifically Apache Tomcat servers, by hiding within seemingly innocuous “man” pages (digital system manuals). This marks a significant escalation in Kinsing’s tactics, as it leverages a blind spot in traditional security practices to remain undetected.

Cryptojacking, the unauthorized use of computing resources for cryptocurrency mining, has become a pervasive threat in cloud environments. The Kinsing malware, a longstanding menace to Linux-based systems, is among the leading actors in this illicit activity.

One of the most alarming findings from Tenable’s investigation is Kinsing’s ability to conceal itself in non-suspicious file locations, making detection significantly more challenging. The malware hides in four specific directories, three of which are manual (‘man’) pages, a place defenders rarely check for malicious files. These directories are:

  • /var/cache/man/cs/cat1/: Typically used for user-level commands and applications.
  • /var/cache/man/cs/cat3/: Usually associated with library functions and programming interfaces.
  • /var/lib/gssproxy/rcache/: Linked to the Generic Security Services Proxy (gssproxy), aiding Kerberos authentication.
  • /var/cache/man/zh_TW/cat8/: Used for system administration and maintenance commands. The choice of the ‘zh_TW’ (Traditional Chinese, Taiwan locale) folder, one that is rarely populated or inspected on most servers, indicates a deliberate method to evade detection.

These locations are generally reserved for legitimate system files, allowing the malware to blend in seamlessly and avoid scrutiny.
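The detection gap described above is straightforward to close: legitimate content in a man-page cat cache is formatted manual text (on most man-db installations gzip-compressed), and a Kerberos replay cache holds no programs, so any ELF binary, shell script, or file with the execute bit set in those directories is worth an incident ticket. The following triage script is an added example written for this article, not Tenable's tooling or any Kinsing artifact; the four directories come from the list above, while the file names, the fixture tree and the heuristics (ELF magic, shebang, execute bit) are the example's own assumptions.

```python
"""Triage check for executable payloads hidden in man-page cache directories.

Added example (not Tenable's code). Scans the four directories named in the
article for files that should never be there: ELF executables, shell scripts,
or anything with an execute bit. Run as root with scan("/") on a real host;
build_sample_tree() creates a constructed fixture so the script runs offline.
"""
import gzip
import os
import stat
import tempfile

# Directories from the article (relative to the filesystem root being scanned).
WATCHED_DIRS = [
    "var/cache/man/cs/cat1",
    "var/cache/man/cs/cat3",
    "var/lib/gssproxy/rcache",
    "var/cache/man/zh_TW/cat8",
]

ELF_MAGIC = b"\x7fELF"
SHEBANG = b"#!"
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def classify_file(path):
    """Return the reasons a regular file looks out of place; empty means benign."""
    reasons = []
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return reasons  # symlinks and subdirectories are out of scope here
    if st.st_mode & EXEC_BITS:
        reasons.append("execute bit set")
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head.startswith(ELF_MAGIC):
        reasons.append("ELF header")
    elif head.startswith(SHEBANG):
        reasons.append("shell script shebang")
    return reasons


def scan(root="/"):
    """Walk the watched directories under root and collect suspicious files.

    Returns a list of (path relative to root, [reasons]) tuples.
    """
    findings = []
    for rel in WATCHED_DIRS:
        directory = os.path.join(root, rel)
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            reasons = classify_file(path)
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return findings


def build_sample_tree():
    """Constructed fixture: one benign gzip cat page plus one fake dropped binary."""
    root = tempfile.mkdtemp(prefix="mancache-demo-")
    for rel in WATCHED_DIRS:
        os.makedirs(os.path.join(root, rel))
    # Legitimate content: a gzip-compressed formatted man page (constructed text).
    benign = os.path.join(root, "var/cache/man/cs/cat1/ls.1.gz")
    with gzip.open(benign, "wb") as fh:
        fh.write(b"LS(1)  User Commands  LS(1)\n")
    # Stand-in for a dropped miner: ELF magic bytes plus an execute bit.
    # The name "payload_demo" is a placeholder, not a real Kinsing file name.
    payload = os.path.join(root, "var/cache/man/zh_TW/cat8/payload_demo")
    with open(payload, "wb") as fh:
        fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61)
    os.chmod(payload, 0o755)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for rel_path, why in scan(demo_root):
        print(f"SUSPICIOUS {rel_path}: {', '.join(why)}")
```

The heuristics are deliberately conservative: a gzip cat page and an empty replay cache produce no output, so a scheduled run that prints anything is a genuine signal rather than noise. Pair it with file-integrity monitoring on the same paths, since a miner that is unpacked and then deleted after launch leaves only the running process behind.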

The malicious file detected in these locations is not new; it was first spotted in late 2022 in China. However, the specific attack on the Apache Tomcat server commenced in mid-2023, with creation dates indicating the malware has been active for nearly a year. The embedded cryptominer, XMRig, used in these attacks, is a popular open-source CPU mining software designed for mining Monero, a cryptocurrency known for its privacy features. The observed version of XMRig in this attack is 6.12.2, while the latest version available on GitHub is 6.21.2.

Threat actors continually adapt their methods to exploit new vulnerabilities and evade detection. Organizations must remain vigilant, proactive, and responsive to emerging threats by adopting comprehensive security strategies and staying abreast of the latest threat intelligence.