Datadog researchers uncovered RedisRaider, a Linux cryptojacking worm exploiting unsecured Redis servers globally. It uses advanced obfuscation, cron job injection, and runtime unpacking to deploy XMRig miners and also hosts an in-browser Monero miner for a multi-vector attack. (Affected: Linux servers, Redis platforms, Cryptocurrency mining sector)
Key points:
- RedisRaider targets publicly accessible Redis servers on Linux by scanning the IPv4 space randomly.
- The malware exploits Redis using legitimate commands to write cron jobs that execute cryptojacking payloads.
- Its primary payload, written in Go, is heavily obfuscated with Garble and contains a packed XMRig miner unpacked at runtime.
- The campaign also hosts a web-based Monero miner, indicating multi-pronged revenue generation.
- Anti-forensic techniques include short TTL on malicious Redis keys and deletion of evidence after exploitation.
- RedisRaider attempts to authenticate with hardcoded credentials if Redis authentication is enabled.
- It uses Redis’s CONFIG commands to write cron jobs to /etc/cron.d and persist mining activities.
- The malware propagates worm-like by scanning and infecting new Redis servers continuously using concurrent Goroutines.
- The payload performs system checks such as CPU cores and resource limits before deploying the miner.
- Defense recommendations include running Redis in protected mode, enabling strong authentication, and conducting continuous monitoring.
MITRE Techniques:
- Network Scanning (T1046) – RedisRaider scans large portions of IPv4 to identify exposed Redis servers.
- Valid Accounts (T1078) – Attempts to authenticate Redis servers using hardcoded credentials.
- Command and Scripting Interpreter (T1059) – Uses Redis commands including SET, CONFIG, and INFO to control execution and persistence.
- Scheduled Task/Job (T1053) – Injects malicious cron jobs by writing configuration files to /etc/cron.d.
- Obfuscated Files or Information (T1027) – Uses Garble Go obfuscation and custom packing to conceal payload.
- Binary Padding (T1008) – Embeds a packed XMRig miner inside the Go payload and unpacks it at runtime.
- File Deletion (T1107) – Deletes malicious Redis keys (del t) to cover tracks after exploitation.
- Exploit Public-Facing Application (T1190) – Exploits Redis servers exposed without adequate protection.
- Remote File Copy (T1105) – Downloads the payload file from remote HTTP servers using curl or wget.
- Process Injection (T1055) – Executes the XMRig miner in the background using nohup to evade termination.
Indicators of Compromise:
- The article lists IP addresses used by RedisRaider, such as 58.229.206.107; scanning targets are randomly generated IPv4 addresses.
- It references specific URLs hosting payloads, e.g., http://a.hbweb.icu:8080/uploads/2024-7/99636-5b0c-4999-b.png used to deliver the initial payload.
- Hashes of the primary payload and miner binaries are given (e.g. SHA-256: 8d2efe92846cdf9c258f0f7…, 7b2314bf8bf26ce3f3458…).
- Redis key names and commands exploited (e.g., key ‘t’ with base64-encoded cron job) can help detect exploitation attempts.
- Authentication attempts using common or hardcoded credentials such as ‘default:123456’ are indicators of compromise.
Read more: https://securitylabs.datadoghq.com/articles/redisraider-weaponizing-misconfigured-redis/