Full Report
RedisRaider begins by indiscriminately scanning the IPv4 space for Redis servers open on port 6379. Upon identifying a target, the malware checks the server OS and uses Redis commands to inject a base64-encoded shell script as a cron job. It writes this payload to disk by reco...
Analysis Summary
# Tool/Technique: RedisRaider
## Overview
RedisRaider is a specialized malware campaign targeting misconfigured Redis servers accessible on the internet. Its primary goal is resource hijacking through the deployment of a cryptominer (XMRig) by exploiting the inherent capabilities of the Redis database service to execute commands on the underlying host system.
## Technical Details
- Type: Malware Family / Campaign
- Platform: Linux (Targeting systems running Redis)
- Capabilities: Internet scanning, Redis command injection, cron job persistence, XMRig cryptominer deployment, runtime unpacking, log obfuscation.
- First Seen: May 2025 (based on the provided article publication date)
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1071.001 - Application Layer Protocol: Web Protocols
- TA0003 - Persistence
- T1369 - Scheduled Task/Job
- T1369.002 - Cron Job
- TA0002 - Execution
- T1204.002 - User Execution: Malicious File
- TA0005 - Defense Evasion
- T1027 - Obfuscated Files or Information
- T1070.004 - Indicator Removal: File Deletion (Implied via log clearing)
- TA0010 - Exfiltration (only if communication beyond C2 is observed; the campaign's primary aim is resource hijacking, not data theft)
## Functionality
### Core Capabilities
- **Initial Access/Reconnaissance:** Indiscriminately scans the IPv4 space specifically for Redis servers listening on the default port 6379.
- **Infection Vector:** Upon identifying a target, it determines the server’s OS and utilizes Redis `SET` commands to inject a base64-encoded shell script.
- **Persistence Mechanism:** The injected script is written to disk by reconfiguring Redis to save its database to `/etc/cron.d/apache`, ensuring periodic execution via the cron scheduler.
- **Payload Delivery:** The initial script downloads the main payload binary from the command and control infrastructure (`a[.]hbweb[.]icu`).
### Advanced Features
- **Payload Execution:** The main payload is a Go-based ELF binary.
- **Runtime Evasion:** The ELF binary uses runtime unpacking routines to unpack a bundled XMRig cryptominer during execution, helping evade static analysis detection.
- **Obfuscation:** Leverages obfuscation tools like Garble on the main binary.
- **Evasion Tactics:** Employs short Time-To-Live (TTL) values (likely for temporary Redis keys where commands might be staged) and attempts to clear logs.
- **Secondary Payload:** Infrastructure also hosts an in-browser Monero miner.
## Indicators of Compromise
- File Hashes: Not provided in context.
- File Names: Not explicitly provided, but the cron job is written to `/etc/cron.d/apache`.
- Registry Keys: Not applicable (Linux target).
- Network Indicators: Initial download URL: `a[.]hbweb[.]icu`
- Behavioral Indicators: Unsolicited connection attempts to port 6379; execution of scripts within `/etc/cron.d/`; observation of XMRig processes running under suspicious parent processes.
## Associated Threat Actors
- Unknown (Described as a campaign, actors not explicitly named in the context provided).
## Detection Methods
- **Signature-based detection:** Signatures for the known C2 domain (`a[.]hbweb[.]icu`). Signatures for the XMRig miner binary (if unpacked binaries are known).
- **Behavioral detection:** Monitoring file writes to the `/etc/cron.d/` directory, especially file names related to web services like `apache`. Monitoring for abnormal outbound connections originating from Redis processes or shell scripts spawned by Redis.
- **YARA rules if available:** Rules targeting the specific Go binary structure or known strings/patterns from the unpacked XMRig miner.
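The behavioral check above (file writes into `/etc/cron.d/`) can be turned into a simple host-side audit. The following is an added example, not code from the original report or from any analysis of the RedisRaider binary: it inspects each `/etc/cron.d` entry for the two artifacts this persistence trick leaves behind, a Redis RDB dump header (RDB files begin with the ASCII magic `REDIS`) and a base64-decoded blob piped into a shell. The sample inputs and the `RDB_LIKE` byte layout are constructed for illustration.

```python
import re
from pathlib import Path

# Redis RDB dumps begin with the ASCII magic "REDIS" followed by a 4-digit version.
RDB_MAGIC = b"REDIS"
# Shell-payload smuggling patterns: base64 decoding piped into a shell.
B64_DECODE = re.compile(rb"base64\s+(?:-d|--decode)")
PIPE_TO_SHELL = re.compile(rb"\|\s*(?:ba)?sh\b")


def inspect_cron_file(data: bytes) -> list:
    """Return the indicators found in one /etc/cron.d entry (empty list = nothing odd)."""
    findings = []
    if data.startswith(RDB_MAGIC):
        findings.append("rdb-header")        # a Redis dump was saved where a crontab belongs
    if b"\x00" in data:
        findings.append("binary-content")    # crontabs are plain text; NUL bytes mean a dump
    if B64_DECODE.search(data) and PIPE_TO_SHELL.search(data):
        findings.append("base64-to-shell")   # decoded blob handed straight to a shell
    return findings


def scan_cron_dir(cron_dir) -> dict:
    """Map each file under cron_dir to its findings; only flagged files are returned."""
    results = {}
    for entry in sorted(Path(cron_dir).iterdir()):
        if entry.is_file():
            found = inspect_cron_file(entry.read_bytes())
            if found:
                results[entry.name] = found
    return results


# Constructed samples: a benign job, and a file shaped like an RDB dump that carries a cron
# line in its key value (the "ZWNobyBoaQo=" blob is just base64 for "echo hi").
BENIGN = b"0 3 * * * root /usr/bin/apt-get update\n"
RDB_LIKE = (
    b"REDIS0011\xfa\tredis-ver\x057.0.0\xfe\x00\xfb\x01\x00\x00\x01x\x3c"
    b"\n* * * * * root echo ZWNobyBoaQo= | base64 -d | bash\n"
    b"\xff\x00\x00\x00\x00\x00\x00\x00\x00"
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("apache", RDB_LIKE)):
        print(name, inspect_cron_file(blob) or "clean")
```

Run `scan_cron_dir("/etc/cron.d")` as root on a suspect host; a non-empty result names the files worth pulling for review.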
## Mitigation Strategies
- **Resource Hardening:** Ensure Redis servers are never exposed directly to the internet.
- **Configuration:** Implement strong authentication (`requirepass`), bind only to localhost interfaces (`bind 127.0.0.1`), and restrict network access via firewalls to only necessary internal hosts.
- **Principle of Least Privilege:** Ensure the user account running Redis does not have permissions that allow writing to system directories like `/etc/cron.d/` (in this campaign the write is performed by Redis's own database-save routine, so the Redis process's file permissions are what govern this vector).
- **Monitoring:** Monitor system logs and scheduled jobs for unexpected modifications.
## Related Tools/Techniques
- General Redis exploitation techniques leveraging improper configuration.
- Other known cryptojacking malware that utilizes cloud misconfigurations (e.g., exploiting exposed Docker or Kubernetes APIs).
- Use of XMRig, a common tool in cryptojacking operations.