Misconfigured Redis servers are being targeted in a new cryptojacking campaign that uses the transfer[.]sh file transfer service to deploy malicious payloads. The attack starts by targeting insecure Redis deployments, which leads to arbitrary code execution, and the payload that is then fetched is hosted on transfer[.]sh.
The attack installs an XMRig cryptocurrency miner after freeing up memory, terminating competing miners, and installing a network scanner utility called pnscan to find vulnerable Redis servers and propagate the infection. The attack is the latest to target Redis servers, following Redigo and HeadCrab in recent months.
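The campaign's initial foothold is an exposed, unauthenticated Redis instance. The following is an added example (not code from the article or from Cado Security) that audits a redis.conf for the settings that make such an instance reachable and abusable from the network: binding to all interfaces, protected mode switched off, no password, and administrative commands left under their default names. The two sample configurations and the list of commands treated as dangerous are assumptions chosen for illustration.

```python
"""Audit a redis.conf for the exposure settings that let an unauthenticated
client turn an Internet-facing Redis into a code-execution foothold.
Added example; the rules and sample configs are illustrative assumptions."""
from typing import Dict, List

# Administrative commands that let a remote client change where Redis writes
# files, load code, or re-point replication. Renaming them (to "" to disable,
# or to an unguessable name) takes them out of reach of an anonymous client.
DANGEROUS_COMMANDS = ("CONFIG", "DEBUG", "MODULE", "SLAVEOF", "REPLICAOF")

# Constructed sample configs: one exposed, one hardened.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
rename-command CONFIG ""
rename-command DEBUG ""
rename-command MODULE ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
"""


def parse_conf(text: str) -> Dict[str, List[List[str]]]:
    """Parse redis.conf into {directive: [args, ...]} with lower-case keys.
    Directives that may repeat (rename-command) keep every occurrence."""
    conf: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit(text: str) -> List[str]:
    """Return a list of findings; an empty list means no exposure rule fired."""
    conf = parse_conf(text)
    findings: List[str] = []

    # No bind directive, or a wildcard address, means every interface listens.
    bind = conf.get("bind", [[]])[-1]
    if not bind or any(a in ("0.0.0.0", "*", "::") for a in bind):
        findings.append("bind: listening on all interfaces")

    # Protected mode blocks non-loopback clients when no password/bind is set.
    pm = conf.get("protected-mode", [["yes"]])[-1]
    if pm and pm[0].lower() == "no":
        findings.append("protected-mode: disabled")

    # An absent or empty requirepass leaves the instance unauthenticated.
    rp = conf.get("requirepass", [[]])[-1]
    if not rp or rp[0] in ('""', "''"):
        findings.append("requirepass: no password configured")

    # A command counts as mitigated when it is renamed to anything but itself.
    renamed = {
        args[0].upper()
        for args in conf.get("rename-command", [])
        if len(args) >= 2 and args[1].upper() != args[0].upper()
    }
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in renamed:
            findings.append(f"rename-command: {cmd} still reachable by default name")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(conf) or 'no findings'}")
```

On Redis 6 and later, ACL rules are the supported way to restrict who may run CONFIG, MODULE and the replication commands; the rename-command check above still catches the older deployments that this kind of campaign scans for.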
Avertium has also disclosed a new set of attacks in which SSH servers are brute forced to deploy the XorDdos botnet malware on compromised servers with the goal of launching DDoS attacks against targets located in China and the U.S.
The company observed 1.2 million unauthorized SSH connection attempts across 18 honeypots between October 6, 2022, and December 7, 2022, which were attributed to a threat actor based in China.
The scanning identified an open port, which was subject to a brute-force attack against the ‘root’ account using a list of approximately 17,000 passwords, and once successful, an XorDDoS bot was installed.
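The honeypot pattern described here, a high volume of failed root logins from one source followed by a success, is visible in ordinary sshd authentication logs. The following is an added example (not Avertium's tooling) that parses such log lines, counts failures per source address, and flags any source whose successful login came after a run of failures. The log lines are constructed for the example and use documentation IP ranges; the threshold of 10 failures is an assumption.

```python
"""Flag SSH brute-force sources and suspected compromises from sshd log lines.
Added example; the sample log below is constructed, not captured data."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+) port \d+")

# Constructed sshd log: 20 failures then a success from one source, a couple of
# stray failures from another, and a clean key-based login from a third.
SAMPLE_LOG: List[str] = [
    f"Oct  6 12:00:{i:02d} honeypot sshd[{1000 + i}]: Failed password for root "
    f"from 203.0.113.5 port {40000 + i} ssh2"
    for i in range(20)
] + [
    "Oct  6 12:00:21 honeypot sshd[1021]: Accepted password for root from 203.0.113.5 port 40021 ssh2",
    "Oct  6 12:05:00 honeypot sshd[1100]: Failed password for invalid user admin from 198.51.100.7 port 5100 ssh2",
    "Oct  6 12:05:03 honeypot sshd[1101]: Failed password for root from 198.51.100.7 port 5101 ssh2",
    "Oct  6 12:10:00 honeypot sshd[1200]: Accepted publickey for deploy from 192.0.2.10 port 6000 ssh2",
]


def summarize(lines: Iterable[str]) -> Dict[str, dict]:
    """Per source IP: failure count, user names tried, and each accepted login
    recorded with the number of failures that preceded it from that IP."""
    stats: Dict[str, dict] = defaultdict(
        lambda: {"failed": 0, "users": set(), "accepted": []}
    )
    for line in lines:
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            stats[ip]["failed"] += 1
            stats[ip]["users"].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            user, ip = m.groups()
            stats[ip]["accepted"].append((user, stats[ip]["failed"]))
    return dict(stats)


def brute_force_sources(lines: Iterable[str], threshold: int = 10) -> List[str]:
    """Source IPs with at least `threshold` failed password attempts."""
    return sorted(ip for ip, s in summarize(lines).items() if s["failed"] >= threshold)


def suspected_compromises(lines: Iterable[str], threshold: int = 10) -> List[Tuple[str, str]]:
    """(ip, user) pairs where a login succeeded after `threshold` or more
    failures from the same source: the 'brute force, then install' sequence."""
    hits = []
    for ip, s in summarize(lines).items():
        for user, failures_before in s["accepted"]:
            if failures_before >= threshold:
                hits.append((ip, user))
    return sorted(hits)


if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(SAMPLE_LOG))
    print("suspected compromises:", suspected_compromises(SAMPLE_LOG))
```

In practice the same logic runs over journald or /var/log/auth.log output, and the interesting alert is the second function: a source that fails hundreds of times and then succeeds should trigger an immediate look at what that session executed next.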
Cado Security, which discovered the Redis attack campaign, noted that it could have unintended effects, as reckless configuration of Linux memory management systems could easily result in corruption of data or the loss of system availability.
The cybersecurity firm also highlighted the use of transfer[.]sh, an ideal tool for hosting and delivering malicious payloads, with the campaign potentially attempting to evade detections based on other common code hosting domains such as pastebin[.]com.
Similar attack mechanisms have been employed by other threat actors like TeamTNT and WatchDog in their cryptojacking operations.