Internet Storm Center Diary 2024-05-22

An ISC guest diary analyzes the modern coin miner malware variant “redtail” and its capabilities across four CPU architectures, showing how attackers gain initial SSH access, upload payloads, and establish persistence on compromised hosts. The report traces two IPs (193.222.96.163 and 45.95.147.236) that repeatedly submit redtail and setup.sh files to a honeypot, corroborating malicious behavior with VirusTotal and AbuseIPDB data.
#redtail #coinminer #SSH #honeypot #setup.sh #VirusTotal #AbuseIPDB #193.222.96.163 #45.95.147.236

Keypoints

  • Redtail is a modern coin miner variant capable of running on four CPU architectures (arm7, arm8, i686, x86_64).
  • Attackers gain initial access via SSH, using credentials like root/Passw0rd123 after a failed login attempt.
  • Uploaded payloads include redtail.arm7, redtail.arm8, redtail.i686, redtail.x86_64, and setup.sh to a honeypot.
  • setup.sh detects host architecture, copies the appropriate redtail binary to .redtail, and executes it, then removes originals.
  • Persistence is achieved by adding a public key to ~/.ssh/authorized_keys.
  • Two IPs, 193.222.96.163 and 45.95.147.236, account for most activity and file uploads—both associated with NL-based infrastructure.
  • VirusTotal and AbuseIPDB data corroborate maliciousness, with 28 unique hashes and repeated setup.sh file submissions.

MITRE Techniques

  • [T1021.004] SSH – Remote Services – The actor logs in via SSH on port 2222 using credentials such as root/Passw0rd123; “successfully logs in using the root/Passw0rd123 credentials.”
  • [T1105] Ingress Tool Transfer – The actor uploads 5 files to the honeypot, including redtail.arm7, redtail.arm8, redtail.i686, redtail.x86_64, setup.sh; “uploads a total of 5 files to the honeypot (redtail.arm7, redtail.arm8, redtail.i686, redtail.x86_64, setup.sh)”.
  • [T1059.004] Unix Shell – The actor executes the setup.sh via shell: “chmod +x setup.sh; sh setup.sh;”
  • [T1098] SSH Authorized Keys – The actor adds a public key to ~/.ssh/authorized_keys to establish persistent access; “adds a custom public key to the ~/.ssh/authorized_keys file”
  • [T1562.004] Impair Defenses – The actor modifies iptables rules; “modifying iptables rules”.
  • [T1053.005] Cron – The actor uses cron by executing crontab; “executing crontab”.
  • [T1027] Obfuscated/Compressed Files and Information – The binaries show UPX packing common in coin miners; “UPX packing common in other coin miners”.

Indicators of Compromise

  • [IP] 193.222.96.163 – primary attacker IP observed connecting to the honeypot over SSH on 2222; multiple file uploads; “193.222.96.163 … uploaded ‘redtail’ and ‘setup.sh’ files.”
  • [IP] 45.95.147.236 – second IP observed; brute force login then later “redtail” and “setup.sh” uploads; profile shows other SSH activity.
  • [File] redtail.arm7, redtail.arm8, redtail.i686, redtail.x86_64, setup.sh – uploaded to honeypot; 28 unique hashes across submissions; “VirusTotal score at least 19”.
  • [File] .redtail – created on host by the script and executed; “copies contents of the relevant redtail executable to the ‘.redtail’ file” and executes it.
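As an added defender-side example, not code from the diary or its author, the script below turns the keypoints, MITRE techniques and indicators listed above into detection logic and runs it over a handful of constructed Cowrie-style honeypot events. The event ids and field names (eventid, src_ip, username, password, filename, shasum, input) follow Cowrie's JSON log format as an assumption; the sample events and the hash placeholder are constructed; the IP addresses, file names, credentials and technique ids are the ones stated in this summary.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Indicators taken from the summary above.
IOC_IPS = {"193.222.96.163", "45.95.147.236"}
IOC_FILENAMES = re.compile(
    r"(^|/)(redtail\.(arm7|arm8|i686|x86_64)|setup\.sh|\.redtail)$"
)

# Shell-command patterns mapped to the techniques listed in the MITRE section.
COMMAND_RULES = [
    ("T1059.004", re.compile(r"\b(sh|bash)\s+\S*setup\.sh|chmod\s+\+x\s+\S*setup\.sh")),
    ("T1098",     re.compile(r"authorized_keys")),
    ("T1562.004", re.compile(r"\biptables\b")),
    ("T1053.005", re.compile(r"\bcrontab\b")),
]


@dataclass(frozen=True)
class Finding:
    technique: str
    src_ip: str
    evidence: str
    known_ioc_ip: bool   # True when src_ip is one of the two IPs above


def analyze(events):
    """Walk honeypot events in order and emit one Finding per matched rule."""
    findings = []
    failed = defaultdict(int)          # failed-login count per source IP
    for ev in events:
        ip = ev.get("src_ip", "")
        ioc = ip in IOC_IPS
        kind = ev.get("eventid", "")
        if kind == "cowrie.login.failed":
            failed[ip] += 1
        elif kind == "cowrie.login.success":
            # Initial access: success after prior failures (T1021.004).
            creds = f"{ev.get('username')}/{ev.get('password')}"
            note = f"SSH login with {creds} after {failed[ip]} failed attempt(s)"
            findings.append(Finding("T1021.004", ip, note, ioc))
        elif kind == "cowrie.session.file_upload":
            # Ingress tool transfer: payload names from the diary (T1105).
            name = ev.get("filename", "")
            if IOC_FILENAMES.search(name):
                note = f"upload of {name} sha256={ev.get('shasum', '?')}"
                findings.append(Finding("T1105", ip, note, ioc))
        elif kind == "cowrie.command.input":
            cmd = ev.get("input", "")
            for tid, pat in COMMAND_RULES:
                if pat.search(cmd):
                    findings.append(Finding(tid, ip, f"command: {cmd}", ioc))
    return findings


def summarize(findings):
    """Count findings per technique id, e.g. for a triage report."""
    return Counter(f.technique for f in findings)


# Constructed sample events (assumed Cowrie field names); not real log data.
SAMPLE_EVENTS = [
    {"eventid": "cowrie.login.failed", "src_ip": "193.222.96.163",
     "username": "root", "password": "123456"},
    {"eventid": "cowrie.login.success", "src_ip": "193.222.96.163",
     "username": "root", "password": "Passw0rd123"},
    {"eventid": "cowrie.session.file_upload", "src_ip": "193.222.96.163",
     "filename": "redtail.x86_64", "shasum": "<constructed-hash>"},
    {"eventid": "cowrie.session.file_upload", "src_ip": "193.222.96.163",
     "filename": "setup.sh", "shasum": "<constructed-hash>"},
    {"eventid": "cowrie.command.input", "src_ip": "193.222.96.163",
     "input": "chmod +x setup.sh; sh setup.sh;"},
    {"eventid": "cowrie.command.input", "src_ip": "193.222.96.163",
     "input": "cat /tmp/key.pub >> ~/.ssh/authorized_keys"},
    {"eventid": "cowrie.command.input", "src_ip": "10.0.0.5",
     "input": "uname -a"},   # benign noise from a non-IoC address
]


def run_demo():
    findings = analyze(SAMPLE_EVENTS)
    for f in findings:
        flag = " [known IoC IP]" if f.known_ioc_ip else ""
        print(f"{f.technique}  {f.src_ip}{flag}: {f.evidence}")
    return findings


if __name__ == "__main__":
    run_demo()
```

The rules are deliberately narrow: they key on the exact file names, credential pattern and commands the diary reports, so they produce few false positives on a honeypot feed but will miss a renamed payload. Widening them (for example, alerting on any hidden executable written to a home directory, or on any append to authorized_keys from a fresh session) is the usual next step once the specific indicators are covered.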

Read more: https://isc.sans.edu/diary/rss/28728 https://www.helpnetsecurity.com/2022/06/08/qbot-follina-exploit/