The RedTail cryptocurrency mining malware has added a newly disclosed security flaw in Palo Alto Networks firewalls to its suite of exploits. The vulnerability, tracked as CVE-2024-3400 (CVSS score 10.0), is a command injection bug in the GlobalProtect feature of PAN-OS that lets an unauthenticated attacker execute arbitrary code with root privileges on the firewall. After a successful exploit, the attackers issue commands that download and run a bash shell script from an external domain; the script then fetches the RedTail binary built for the victim's CPU architecture.
In addition to the PAN-OS flaw, RedTail exploits known vulnerabilities in TP-Link routers, ThinkPHP, Ivanti Connect Secure, and VMware Workspace ONE Access and Identity Manager. The malware, first documented in January 2024, initially relied on the Log4Shell vulnerability (CVE-2021-44228) to gain a foothold on Unix-based systems. Recent updates have added new anti-analysis techniques and an encrypted mining configuration, both of which make the sample harder to study and its infrastructure harder to extract.
The latest version of RedTail, detected in April, shows a shift from mining into a public pool under a public cryptocurrency wallet to using private mining pools. The change suggests the attackers want greater control over mining outcomes, despite the higher operational and financial cost of running private pools; it also means the mining configuration no longer exposes a wallet address that defenders could use to track and report the campaign. The malware now employs evasion and persistence techniques that include forking itself multiple times to frustrate debugger attachment and terminating any instance of the GNU Debugger (gdb) it finds on the host.
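The two anti-analysis behaviours above (a process that keeps forking itself with the parent exiting, and a process that sends signals to gdb) are visible to a host sensor that records process creation, exit and signal events. The following is an added detection example written for this page; it is not Akamai's detection logic, not the malware's code, and not the output format of any real audit tool. The event records are constructed, their dict layout (`type`, `pid`, `ppid`, `comm`, `target_comm`, `sig`) is an assumption, the process name `kthreadd0` is a hypothetical name chosen for the example, and the threshold of four self-forks is an assumed tuning value.

```python
"""Heuristics for two RedTail behaviours: repeated self-forking and killing gdb.

Added example for illustration. The event layout and the sample events are
constructed assumptions, not a real audit log format.
"""
from collections import Counter

SELF_FORK_THRESHOLD = 4                 # assumed threshold; tune per fleet
DEBUGGER_NAMES = {"gdb", "gdbserver"}   # debugger process names to watch

# Constructed events. 'clone' records the new child's pid, its parent pid and
# the child's comm; 'exit' records a pid leaving; 'kill' records a signal.
# pid 4100 and its descendants ("kthreadd0", a hypothetical name) model the
# fork-and-let-parent-exit pattern; pids 900-902 model a normal shell.
SAMPLE_EVENTS = [
    {"type": "clone", "pid": 4100, "ppid": 1,    "comm": "kthreadd0"},
    {"type": "clone", "pid": 4101, "ppid": 4100, "comm": "kthreadd0"},
    {"type": "exit",  "pid": 4100},
    {"type": "clone", "pid": 4102, "ppid": 4101, "comm": "kthreadd0"},
    {"type": "exit",  "pid": 4101},
    {"type": "clone", "pid": 4103, "ppid": 4102, "comm": "kthreadd0"},
    {"type": "exit",  "pid": 4102},
    {"type": "clone", "pid": 4104, "ppid": 4103, "comm": "kthreadd0"},
    {"type": "exit",  "pid": 4103},
    {"type": "kill",  "pid": 4104, "target_pid": 2200, "target_comm": "gdb", "sig": 9},
    {"type": "clone", "pid": 901,  "ppid": 900,  "comm": "bash"},
    {"type": "clone", "pid": 902,  "ppid": 900,  "comm": "bash"},
]


def self_fork_chains(events, threshold=SELF_FORK_THRESHOLD):
    """Return {comm: count} for programs whose child carries the parent's comm
    at least `threshold` times (a fork without exec).

    Counting by comm rather than by walking the live process tree matters:
    when each parent exits after forking, the surviving child is reparented
    and the tree no longer shows the chain, but the clone events still do.
    """
    comm_of = {}            # pid -> comm, learned from clone events
    counts = Counter()
    for ev in events:
        if ev["type"] == "clone":
            comm_of[ev["pid"]] = ev["comm"]
            if comm_of.get(ev["ppid"]) == ev["comm"]:
                counts[ev["comm"]] += 1
    return {comm: n for comm, n in counts.items() if n >= threshold}


def debugger_kills(events, names=DEBUGGER_NAMES):
    """Return (sender_pid, sender_comm, target_comm, signal) for every signal
    whose target is a debugger process."""
    comm_of = {}
    hits = []
    for ev in events:
        if ev["type"] == "clone":
            comm_of[ev["pid"]] = ev["comm"]
        elif ev["type"] == "kill" and ev["target_comm"] in names:
            hits.append((ev["pid"], comm_of.get(ev["pid"], "?"),
                         ev["target_comm"], ev["sig"]))
    return hits


def suspicious(events):
    """Programs that both self-fork repeatedly and signal a debugger: the
    combination is far rarer in legitimate software than either alone."""
    forks = self_fork_chains(events)
    killers = {comm for _, comm, _, _ in debugger_kills(events)}
    return sorted(forks.keys() & killers)


if __name__ == "__main__":
    print("self-fork chains:", self_fork_chains(SAMPLE_EVENTS))
    print("debugger kills:  ", debugger_kills(SAMPLE_EVENTS))
    print("suspicious:      ", suspicious(SAMPLE_EVENTS))
```

Either heuristic alone will produce noise (shells fork shells, and an administrator may legitimately kill a hung gdb), which is why `suspicious` requires both signals from the same program name; on a real host the events would come from something like eBPF or audit tracing rather than the constructed list above.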
Akamai's researchers note that RedTail's sophistication and its use of private crypto-mining pools are reminiscent of tactics used by the North Korea-linked Lazarus Group. The operators remain unidentified, but the level of polish and the resources invested in RedTail raise the possibility of nation-state sponsorship. The attackers' evident familiarity with crypto-mining and their effort to optimize the operation further underscore that this is not a commodity threat.