Threat Research

Examining Redtail Analyzing a Sophisticated Cryptomining Malware and its Advanced Tactics Guest Diary – SANS Internet Storm Center

admin
Examining Redtail Analyzing a Sophisticated Cryptomining Malware and its Advanced Tactics Guest Diary – SANS Internet Storm Center

This article discusses the redtail cryptocurrency mining malware, detailing its execution methods, the threat actors behind it, and the implications for cybersecurity. The analysis highlights the malware’s ability to adapt and exploit vulnerabilities, emphasizing the need for robust protective measures against such threats. Affected: honeypot, Palo Alto Networks’ PAN-OS

Keypoints :

  • redtail is a cryptocurrency mining malware that stealthily installs itself on compromised systems.
  • It has been observed executing on a honeypot four times by three different threat actors.
  • redtail uses scripts to identify CPU architecture and remove existing cryptomining software.
  • A new variant of redtail exploits a vulnerability in Palo Alto Networks’ PAN-OS (CVE-2024-3400).
  • The malware demonstrates advanced tactics for maintaining persistence and evading detection.
  • Protective measures include regular software patching, disabling unused ports, and using strong credentials.
  • Implementing tools like SIEM, Fail2ban, and TCP Wrappers can enhance security against such threats.

MITRE Techniques :

  • T1070.001: Indicator Removal on Host – The threat actor uses clean.sh to remove previous cryptomining software and evidence of its presence.
  • T1059.003: Command and Scripting Interpreter: Windows Command Shell – The threat actor executes commands to manage files and system attributes.
  • T1071.001: Application Layer Protocol: Web Protocols – The malware uses SFTP for transferring malicious files.
  • T1136: Create Account – The threat actor adds an SSH public key to the authorized_keys file to establish a backdoor for persistent access.
  • T1203: Exploitation for Client Execution – The new variant exploits a vulnerability in PAN-OS to gain unauthorized access.

Indicator of Compromise :

  • [IP Address] 5.182.211.148
  • [IP Address] 94.103.125.37
  • [IP Address] 87.120.113.231
  • [File Hash] 7cd48d762a343b483d0ce857e5d2e30fc795d11a20f1827679b9a05d5ab75c3f (redtail.arm7)
  • [File Hash] cebd34c54c9ac02902ef8554939cf6a34aa8f320ea051e0f3d67d91685a1abf0 (redtail.arm8)
  • Check the article for all found IoCs.

Full Research: https://isc.sans.edu/diary/rss/31568

SHARE THIS STORY

WhatsAppX (Twitter)TelegramBlueskyFacebookLinkedInThreadsEmailPrint