The security experts at Cado Labs have recently uncovered a new crypto jacking operation that specifically targets vulnerable Redis deployments. The key element of this campaign is the utilization of a command-line file transfer service called transfer[.]sh, which is both open source and freely available.
Although the service has been operational for several years now, with the first commits made to the GitHub repository as early as 2014, instances of its employment for malware dissemination are infrequent.
As per the telemetry data collected by Cado Labs, there appears to be a shift in the trend, with an increase in the frequency of service utilization noticed since the start of the year 2023.
The reasons behind the inclination towards transfer.sh are ambiguous at the moment. However, there’s a possibility that this move is a strategy to dodge detection techniques that rely on identifying typical code hosting domains, including pastebin.com.
Cado Labs, after scrutinizing several malware campaigns that target cloud-based systems, found out that shell scripts are widely used in these attacks. Among these, cryptojacking campaigns, in particular, seem to rely heavily on shell scripts.
It has been observed that in many of these malware campaigns, attackers tend to utilize popular data transfer utilities on Linux to retrieve payloads. In light of this, Transfer[.]sh could potentially replace platforms like Pastebin in the long run as a feasible alternative.
A vulnerable deployment of Redis was exploited by the attackers in order to gain the initial access required for the campaign to be run. Specifically, they created a cron job and saved it to the data store.
By doing so, they were able to force Redis to save the database file directly to one of the subdirectories that will be used to run the cron jobs.
The process of reading and parsing files in a directory by the cron scheduler can lead to arbitrary command execution when the database file is involved as a cron job.
It is important to mention that other cybercriminal groups, such as TeamTNT and WatchDog, have utilized identical attack techniques in their efforts to mine cryptocurrencies through cryptojacking.
On the victim’s compromised system, the primary goal of the malware is to mine cryptocurrency, so the script initiates a series of preliminary procedures to guarantee optimal utilization of the hardware.
Furthermore, the script employs the Linux “sync” command to coerce the kernel into writing the data currently residing in memory buffers to disk.
The malicious payload comprises a script that serves as a precursor to an XMRig cryptocurrency mining program. However, before launching the mining operation, the script executes several preliminary actions, including:-
Freeing up memory
Shutting down rival mining programs
Installing a network scanning tool known as pnscan
The next step involves creating a unique XMRig configuration, which is then saved to the disk. This custom configuration enables the miner to connect with several crypto mining miner.
In recent months, Redigo and HeadCrab were among the cyber threats that had targeted Redis servers, and now with this latest development, the list of such attacks continues to grow.
For a considerable period, malware developers have been utilizing free file or code hosting services as a means of hosting supplementary payloads. This approach enables cybercriminals to operate with a greater degree of anonymity and flexibility in their illicit activities.
The primary aim of this malware campaign is evidently to hijack the computing resources to mine cryptocurrencies. However, it’s worth noting that an unintended outcome could also arise from a system getting infected by this malware.
Indicators of Compromise (IoCs)
Network Security Checklist – Download Free E-Book