New Redigo malware drops stealthy backdoor on Redis servers

Dec 2, 2022 | News


A new Go-based malware threat that researchers call Redigo has been targeting Redis servers vulnerable to CVE-2022-0543 to plant a stealthy backdoor and allow command execution.

CVE-2022-0543 is a critical vulnerability in Redis (Remote Dictionary Server) software with a maximum severity rating. It was discovered and fixed in February 2022.

Attackers continued to leverage it on unpatched machines several months after the fix came out, as proof-of-concept exploit code became publicly available.

The name of the malware, Redigo, was coined from the machine it targets and the programming language for building it.

Today, AquaSec reports that its Redis honeypots vulnerable to CVE-2022-0543 caught a new piece of malware that is not detected as a threat by antivirus engines on Virus Total.

Figure: Redigo payload coming out clean on Virus Total scan (AquaSec)


Redigo attacks


AquaSec says that Redigo attacks start with scans on port 6379 to locate Redis servers exposed on the open web. After locating a target endpoint, the attacker connects and runs the following commands:

  • INFO – Check the Redis version to determine if the server is vulnerable to CVE-2022-0543.
  • SLAVEOF – Create a copy of the attacking server.
  • REPLCONF – Configure the connection from the attacking server to the newly created replica.
  • PSYNC – Initiate the replication stream and download the shared library ‘exp_lin.so’ on the server’s disk.
  • MODULE LOAD – Load module from the downloaded dynamic library, which is capable of executing arbitrary commands and exploiting CVE-2022-0543.
  • SLAVEOF NO ONE – Convert the vulnerable Redis server back into a master.

Figure: Commands observed in the Redis honeypot (AquaSec)
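The six-command chain above is a usable detection signature on the defender's side. The following script is an added example (not code from AquaSec or the original article): it walks Redis MONITOR output and flags any client IP that progresses through the chain in order, or that issues MODULE LOAD at all. The MONITOR line format is the real one Redis emits; the sample lines, addresses and the /tmp path for exp_lin.so are constructed for the example.

```python
import re
from collections import defaultdict

# MONITOR line shape (real Redis format): <unix_ts> [<db> <ip>:<port>] "CMD" "arg" ...
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<ip>[^:\]]+):\d+\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # quoted args, honouring backslash escapes

# Stages in the order the article lists them; the tuple index is the stage's rank.
STAGES = ("INFO", "SLAVEOF", "REPLCONF", "PSYNC", "MODULE LOAD", "SLAVEOF NO ONE")

def stage_of(args):
    """Map one parsed command to a stage name, or None if it is not part of the chain."""
    if not args:
        return None
    cmd = args[0].upper()
    rest = [a.upper() for a in args[1:]]
    if cmd in ("SLAVEOF", "REPLICAOF"):  # REPLICAOF is the newer alias of SLAVEOF
        return "SLAVEOF NO ONE" if rest[:2] == ["NO", "ONE"] else "SLAVEOF"
    if cmd == "MODULE" and rest[:1] == ["LOAD"]:
        return "MODULE LOAD"
    return cmd if cmd in ("INFO", "REPLCONF", "PSYNC") else None

def scan_monitor(lines, min_stages=3):
    """Return {client_ip: [stages hit, in order]} for clients that advance through
    at least min_stages of the chain, or that issue MODULE LOAD at all."""
    progress = defaultdict(list)
    for line in lines:
        m = MONITOR_RE.match(line.strip())
        if not m:
            continue
        stage = stage_of(ARG_RE.findall(m.group("args")))
        if stage is None:
            continue
        seen = progress[m.group("ip")]
        # Only move forward through the chain; repeats and out-of-order commands are ignored.
        if not seen or STAGES.index(stage) > STAGES.index(seen[-1]):
            seen.append(stage)
    return {ip: s for ip, s in progress.items() if len(s) >= min_stages or "MODULE LOAD" in s}

# Constructed sample: one session matching the honeypot chain and one benign client.
SAMPLE = """\
1669972800.100000 [0 203.0.113.7:41000] "INFO"
1669972800.200000 [0 198.51.100.9:52000] "SET" "k" "v"
1669972800.300000 [0 203.0.113.7:41000] "SLAVEOF" "203.0.113.7" "6379"
1669972800.400000 [0 203.0.113.7:41000] "REPLCONF" "listening-port" "6379"
1669972800.500000 [0 203.0.113.7:41000] "PSYNC" "?" "-1"
1669972800.600000 [0 198.51.100.9:52000] "INFO"
1669972800.700000 [0 203.0.113.7:41000] "MODULE" "LOAD" "/tmp/exp_lin.so"
1669972800.800000 [0 203.0.113.7:41000] "SLAVEOF" "NO" "ONE"
""".splitlines()

if __name__ == "__main__":
    for ip, stages in scan_monitor(SAMPLE).items():
        print(f"{ip}: {' -> '.join(stages)}")
```

Feeding `redis-cli MONITOR` output into `scan_monitor` gives the same result on a live server; the benign client is not reported because it only reaches one stage.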


Using the command execution abilities of the implanted backdoor, the attackers collect hardware info about the host and then download Redigo (redis-1.2-SNAPSHOT). The malware is executed after escalating privileges.

The attackers simulate normal Redis communication over port 6379 to evade detection by network analysis tools while attempting to hide traffic to Redigo’s command and control server.

Due to attack duration limitations in AquaSec’s honeypots, its analysts couldn’t determine exactly what Redigo does after establishing its foothold in the environment.

Figure: Redigo malware functions (AquaSec)

Mitigation

AquaSec says it’s likely that the ultimate goal of Redigo is to add the vulnerable server as a bot in a network for distributed denial-of-service (DDoS) attacks or to run cryptocurrency miners on the compromised systems.

Also, since Redis is a database, accessing the data to steal it would also be a plausible scenario in Redigo attacks.

For more information on mitigating the Redis flaw, check out the Debian security advisory or Ubuntu’s security bulletin on CVE-2022-0543.

Source: bleepingcomputer.com