Researchers from security firm AquaSec discovered a new Go-based malware that is used in a campaign targeting Redis servers. Threat actors are exploiting a critical vulnerability, tracked as CVE-2022-0543, in Redis (Remote Dictionary Server) servers.
Redis (remote dictionary server) is an open source in-memory database and cache.
The CVE-2022-0543 flaw is a Lua sandbox escape flaw that impacts Debian and Debian-derived Linux distributions. The vulnerability, which was rated 10 out of 10 for severity, could be exploited by a remote attacker with the ability to execute arbitrary Lua scripts to possibly escape the Lua sandbox and execute arbitrary code on the underlying machine. Juniper Threat Labs researchers reported that the Muhstik botnet has been observed targeting Redis servers exploiting the CVE-2022-0543 vulnerability.
In March 2022, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this flaw to its Known Exploited Vulnerabilities Catalog.
The flaw has been fixed in February 2022, but threat actors continue to exploit it in attacks in the wild due to the public availability of a proof-of-concept exploit code.
The attack chain starts with scans for the Redis server exposing port 6379 to the internet, then threat actors attempt to connect and run the following Redis commands:
Attackers loads the library file exp_lin.so and executes the exploit code for the above flaw. The file contains the implementation of the command system.exec which allows the attackers to execute an arbitrary command and launch the attack.
“The first use of the command is activated to receive information about the CPU architecture. The second use of the command is done to download the newly discovered malware from the attacking server – Redigo. After downloading the malware file, the attackers elevate the permissions of the file to execute, and execute it (for malware investigation read below).” reads the analysis published by AquaSec.
Threat actors simulate Redis communication over port 6379 to evade detection.
AquaSec researchers believe that threat actors are using the Redigo malware to infect Redis and add them to a botnet used to launch denial-of-service (DDoS) attacks, run cryptocurrency miners, or steal data from the servers.
The researchers also provided Indicators of Compromise (IOCs) for this threa.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – hacking, Redis)