Kinsing malware (kdevtmpfsi) - how to kill - createIT
Get a free advice now!

    Pick the topic
    Developer OutsourcingWeb developingApp developingDigital MarketingeCommerce systemseEntertainment systems

    Thank you for your message. It has been sent.
    Blog
    Category
    Tags

    Kinsing malware (kdevtmpfsi) – how to kill

    December 23, 2022
    Last update: August 29, 2024
    3 min read
    63
    1
    0
    Kinsing malware (kdevtmpfsi) – how to kill

    CHALLENGE: Apache server is working really slow. The Docker process, called kdevtmpfsi is using 100% processor and server memory.

    SOLUTION: Create a bash script to kill the kdevtmpfsi process.

    This article has been reviewed and updated in August 2024 to make it up to date and fully functional.

    Kinsing malware is targeting misconfigured Docker containers, especially redis instances (port 6379). The malware is running a linux process in the background: kdevtmpfsi, which is occupying server processor and memory. The main purpose of the virus is to set up a cryptocurrency miner. It seems that container environment attacks have been on the rise recently, with a huge spike in the number of cases in March 2020. Below, we provide a number of possible solutions to tackle the problem.

    Identify the issue with kdevtmpfsi

    Having root access to the server can help to find and delete the malware.

    # Check if the malicious process is running
    htop

    # Find infected files:
    find / -name kdevtmpfsi
    find / -name kinsing

    Proper fix

    Properly configured Docker with updated dependencies should resolve the issue.

    Fix solution 2

    Another solution will be to block the process from executing. This solution was described on Koacervate’s blog: https://koacervate.blogspot.com/2020/05/your-containers-cpu-usage-is-more-than.html?m=0

    Alternative solution

    If you still have the problem, we came up with an alternative solution:
    – prepare a bash script that will kill the process every 20 seconds
    – run the bash script in the background

    Bash script

    # /root/scripts/ctKillProc.sh
    #!/bin/sh
    # do what you need to here
    while true; do
    processId=$(ps -ef | grep ‘kdevtmpfsi’ | grep -v ‘grep’ | awk ‘{ printf $2 }’)
    echo $processId
    kill -9 $processId
    echo “[“`date +%Y%m%d%H%M`”] kdevtmpfsi killed.”
    sleep 20
    done
    exit 1

    Run the script in the background

    nohup sh /root/scripts/ctKillProc.sh &

    Now, the script will be executing in the background solving your Kinsing malware problem even if you close shell connection,.
    Script logs can be found in the nohup.out file.

    What’s new about kdevtmpfsi in 2024?

    As of 2024, cybersecurity researchers have uncovered new dimensions of the malware disguised as kdevtmpfsi. Earlier thought to be a less sophisticated part of illicit cryptocurrency mining operations, recent investigations have revealed that kdevtmpfsi has evolved with more complex functionalities. Below are the key updates:

    Key Developments in 2024:

    Advanced Obfuscation Techniques:

    Kdevtmpfsi has integrated advanced code obfuscation techniques to hinder detection and analysis by security tools. It uses polymorphic code signatures, which change with each infection, making it harder for antivirus solutions to recognize and block it.

    Persistence Mechanisms:

    Researchers have found that kdevtmpfsi now employs more persistent methods to survive system reboots and updates. It modifies low-level system files and registry keys, making manual removal increasingly challenging.

    Fileless Malware Capabilities:

    New instances of kdevtmpfsi have been observed operating in a fileless manner, residing entirely in memory. This makes it particularly difficult to detect and remove since it leaves no trace on the hard drive.

    Dynamic Command and Control (C2) Communications:

    The malware has updated its C2 communication protocols, using encrypted channels and frequently changing C2 servers to avoid being blacklisted. It employs domain generation algorithms (DGAs) to dynamically fetch new command servers.

    Targeted Attacks:

    It has shifted from random, widespread attacks to more targeted campaigns. Specific sectors such as healthcare, finance, and critical infrastructure have been identified as high-value targets, indicating a move towards more strategic cyber-espionage efforts.

    Anti-Forensic Techniques:

    Enhanced anti-forensic techniques have been embedded within kdevtmpfsi. These include self-deletion routines once tasks are accomplished and the ability to detect virtual environments or sandboxes, preventing researchers from analyzing the malware in controlled settings.

    More info on Kinsing:
    https://blog.trendmicro.com/trendlabs-security-intelligence/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining/
    https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability

    Do you need someone to implement this solution for you? Check out our specialists for hire in the web development outsourcing or custom web application development pages!

    Maciej
    Written on: December 23, 2022
    Maciej
    Technical Consultant
    1
    0
    Share
    Contents
    Tags
    Category
    Meet our authors
    Aleksander Fredrych
    Alex
    Co-founder & CTO
    Monika Regulska
    Monika
    Head of Marketing
    Yuriy
    Yuriy
    Client's Ambassador
    Grzegorz Oleksa
    Grzegorz
    Content Specialist
    Maciej Brzeziński
    Maciej
    Technical Consultant
    Popular news
    Automating stock and price updates in WooCommerce

    Automating stock and price updates in WooCommerce

     September 23, 2024 by createIT
    Integrating advanced subscription features in WooCommerce

    Integrating advanced subscription features in WooCommerce

     September 16, 2024 by createIT
    Fetching Time records from ActiveCollab API

    Fetching Time records from ActiveCollab API

     September 9, 2024 by createIT
    Docker Compose for PrestaShop

    Docker Compose for PrestaShop

     September 2, 2024 by createIT
    WordPress wizard in admin – step by step

    WordPress wizard in admin – step by step

     August 29, 2024 by createIT
    Order Status Sync between PrestaShop and External APIs

    Order Status Sync between PrestaShop and External APIs

     August 26, 2024 by createIT
    What is PHP used for in web development 

    What is PHP used for in web development 

     August 22, 2024 by createIT
    The AI revolution – how artificial intelligence reshapes the industries of today

    The AI revolution – how artificial intelligence reshapes the industries of today

     August 19, 2024 by createIT
    Automating WooCommerce product availability date

    Automating WooCommerce product availability date

     August 15, 2024 by createIT
    WP Quiz Adventure – FAQ

    WP Quiz Adventure – FAQ

     August 12, 2024 by createIT
    Show more

    Support – Tips and Tricks
    All tips in one place, and the database keeps growing. Stay up to date and optimize your work!

    Contact us