Posts

Showing posts with the label Resourceful Wolf

200. Threat Actors Eliminate Competitors from Compromised Systems

Hello everyone! It's no secret that in some cases a network is already compromised, sometimes by threat actors with the same goal. What are the new unwanted guests going to do? Yes, eliminate the competitors! Today we're going to talk about another very common threat: miners. One may say it's not a real threat, but believe me, I saw cases where the whole enterprise was disrupted due to such an infection. So, let's look at Kinsing (we track this activity cluster as Resourceful Wolf). It abuses pkill to terminate a list of processes related to other cryptominers, for example:

pkill -f .git/kthreaddw
pkill -f 80.211.206.105
pkill -f 207.38.87.6
pkill -f p8444
pkill -f supportxmr
pkill -f monero
pkill -f kthreaddi
pkill -f srv00
pkill -f /tmp/.javae/javae
pkill -f .javae
pkill -f .syna
pkill -f xmm
pkill -f solr.sh
pkill -f /tmp/.solr/solrd
pkill -f /tmp/javac
pkill -f /tmp/.go.sh
pkill -f /tmp/.x/agetty
pkill -f /tmp/.x/kworker
pkill -f c3pool
pkill -f /tmp/.X11...
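As an added defender-side example (not code from the original post), the following Python detection logic flags the eviction behaviour described above in constructed process-execution log lines: a burst of pkill -f calls on one host within a short window, or any single pkill whose target contains one of the miner-related strings listed in the post. The log format, host names and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict

# Strings Kinsing's cleanup routine passes to `pkill -f` (taken from the
# post above). A pkill argument containing one of them is a strong signal
# that a rival-miner eviction routine is running on the host.
MINER_HINTS = [
    "kthreaddw", "kthreaddi", "supportxmr", "monero", "c3pool", "xmm",
    "solr.sh", "/tmp/.solr/solrd", "/tmp/.javae/javae", "/tmp/.go.sh",
    "/tmp/.x/agetty", "/tmp/.x/kworker", "/tmp/.X11",
]
PKILL_RE = re.compile(r"pkill\s+-f\s+(\S+)")

# Constructed sample events (assumed format: "<epoch> host=<h> uid=<u> cmd=<cmdline>").
SAMPLE = [
    "1700000000 host=web1 uid=33 cmd=pkill -f kthreaddi",
    "1700000001 host=web1 uid=33 cmd=pkill -f supportxmr",
    "1700000001 host=web1 uid=33 cmd=pkill -f monero",
    "1700000002 host=web1 uid=33 cmd=pkill -f /tmp/.x/agetty",
    "1700000002 host=web1 uid=33 cmd=pkill -f c3pool",
    "1700000500 host=db2 uid=1000 cmd=pkill -f my_old_job",   # benign admin use
    "1700000600 host=db2 uid=0 cmd=systemctl restart nginx",  # unrelated
]

def parse_line(line):
    """Parse one constructed log line; return None for lines that do not fit."""
    m = re.match(r"(\d+)\s+host=(\S+)\s+uid=(\d+)\s+cmd=(.*)", line)
    if not m:
        return None
    return {"ts": int(m[1]), "host": m[2], "uid": int(m[3]), "cmd": m[4]}

def detect_miner_eviction(lines, window=60, burst=5):
    """Return (host, rule, detail) alerts: one 'miner-target' alert per pkill whose
    argument matches MINER_HINTS, plus one 'pkill-burst' alert per host that issued
    `burst` or more pkill -f calls within `window` seconds."""
    alerts, per_host = [], defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        m = PKILL_RE.search(ev["cmd"])
        if not m:
            continue
        target = m[1]
        if any(h in target for h in MINER_HINTS):
            alerts.append((ev["host"], "miner-target", target))
        per_host[ev["host"]].append(ev["ts"])
    for host, stamps in per_host.items():
        stamps.sort()  # sliding window over sorted timestamps
        for i in range(len(stamps) - burst + 1):
            if stamps[i + burst - 1] - stamps[i] <= window:
                alerts.append((host, "pkill-burst", f"{burst}+ pkill in {window}s"))
                break
    return alerts
```

Running `detect_miner_eviction(SAMPLE)` yields five miner-target alerts and one pkill-burst alert for web1, and nothing for db2's lone administrative pkill.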