Full Report
The RedTail cryptomining malware has been updated to exploit CVE-2024-3400, a vulnerability in PAN-OS. The attackers are using private cryptomining pools for greater control, and the malware now includes advanced anti-research techniques. It spreads through multiple web exploit...
Analysis Summary
# Tool/Technique: RedTail (Updated Variant)
## Overview
RedTail is a sophisticated cryptomining malware primarily targeting Linux-based systems and network appliances. Recently updated, it has transitioned from utilizing public mining pools to private pools to exert greater control over mining operations and evade detection. It is currently notable for integrating exploits for high-profile vulnerabilities in network security infrastructure.
## Technical Details
- **Type:** Malware family (Cryptojacker)
- **Platform:** Linux, PAN-OS (Palo Alto Networks), and various IoT/Server architectures (x86, ARM).
- **Capabilities:** Vulnerability exploitation, persistence, Monero (XMR) mining, anti-analysis, and lateral movement.
- **First Seen:** Early 2024 (Updated variant targeting CVE-2024-3400 observed April 2024).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application
- **TA0002 - Execution**
  - T1059.004 - Command and Scripting Interpreter: Unix Shell
- **TA0005 - Defense Evasion**
  - T1497 - Virtualization/Sandbox Evasion
  - T1622 - Debugger Evasion
  - T1201 - Password Policy Discovery (via shadow file access)
- **TA0040 - Impact**
  - T1496 - Resource Hijacking
## Functionality
### Core Capabilities
- **Exploit Integration:** Incorporates exploits for **CVE-2024-3400** (Palo Alto Networks PAN-OS GlobalProtect) and other web-facing vulnerabilities (e.g., ThinkPHP, Ivanti Connect Secure).
- **Cryptomining:** Deploys a customized version of the XMRig miner to hijack CPU resources for Monero mining.
- **Persistence:** Deploys cron jobs and modifies shell profile scripts to ensure the malware restarts after system reboots.
### Advanced Features
- **Private Mining Pools:** Moves away from public pools (like SupportXMR) to attacker-controlled private pools to conceal wallet addresses and total hash rate.
- **Anti-Research/Anti-Analysis:**
  - Checks for the presence of debuggers and sandbox environments.
  - Utilizes obfuscated shell scripts to wrap the binary execution.
  - Terminates competing mining processes to ensure maximum resource allocation.
- **Encrypted Communication:** Uses encrypted channels for C2 communication to bypass basic Deep Packet Inspection (DPI).
## Indicators of Compromise
- **File Hashes (SHA256):**
  - `e1867c487333908865c1975e6d62325974051010d18d85f8f5370fdf55f30e06`
  - `728271607ef89dc779269417036a13e9ed6653288fb573756d11019672685987`
- **File Names:** `f24`, `tail`, `redtail`, `ld-linux.so` (masquerading).
- **Network Indicators:**
  - `103[.]214[.]114[.]180` (C2/Hosting)
  - `45[.]150[.]67[.]135` (C2)
  - `dns[.]redtail[.]cloud` (Mining/C2)
- **Behavioral Indicators:**
  - Unexplained high CPU usage by unknown processes.
  - Outbound traffic over non-standard ports to unidentified IP addresses.
  - Modifications to `/etc/crontab` or `/etc/ld.so.preload`.
## Associated Threat Actors
- Unknown (Current activity suggests a sophisticated financially motivated group with the capability to rapidly weaponize N-day vulnerabilities).
## Detection Methods
- **Signature-based detection:** Update Endpoint Detection and Response (EDR) and Antivirus signatures to flag known RedTail ELF headers.
- **Behavioral detection:**
  - Monitor for unauthorized modification of system configuration files in Linux environments.
  - Alert on processes executing from `/tmp` or `/dev/shm`.
  - Detect high CPU utilization in processes that also hold network connections to known mining ports (e.g., 3333, 4444, 8080).
- **YARA rules:** Scanning for strings related to "XMRig" within obfuscated or packed ELF binaries.
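The behavioral indicators above can be combined into a simple per-process triage rule. The following is an added example, not code from the original report: it scores constructed process records against three checks (executable running from `/tmp` or `/dev/shm`, high CPU combined with an outbound connection to a common mining port, and any connection to an address from the IoC list). The `Proc` record, the `CPU_THRESHOLD` value and the sample data are assumptions; on a live host the records would be collected from `/proc` and `ss -tnp`, which is out of scope here.

```python
"""Triage helper for the RedTail behavioral indicators listed in this report."""
from dataclasses import dataclass, field

MINING_PORTS = {3333, 4444, 8080}            # mining ports named in the detection section
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/")     # execution locations flagged above
CPU_THRESHOLD = 80.0                         # assumed percent; tune per environment

# Defanged network IoCs copied from the report; refanged at load time.
IOC_ADDRS = {a.replace("[.]", ".") for a in ("103[.]214[.]114[.]180", "45[.]150[.]67[.]135")}


@dataclass
class Proc:
    """Constructed process record (hypothetical shape, not a real collector API)."""
    pid: int
    exe: str                                   # resolved /proc/<pid>/exe path
    cpu_pct: float                             # recent CPU utilization in percent
    remote: list = field(default_factory=list)  # outbound peers as (ip, port) tuples


def triage(proc: Proc) -> list[str]:
    """Return the names of the indicators this process matches (empty list = clean)."""
    hits = []
    if proc.exe.startswith(SUSPICIOUS_DIRS):
        hits.append("exec-from-tmp")
    # High CPU alone is not enough (compilers, backups); require a mining-port peer too.
    mining_conn = any(port in MINING_PORTS for _, port in proc.remote)
    if proc.cpu_pct >= CPU_THRESHOLD and mining_conn:
        hits.append("high-cpu+mining-port")
    if any(ip in IOC_ADDRS for ip, _ in proc.remote):
        hits.append("known-c2-address")
    return hits


def scan(procs: list[Proc]) -> dict[int, list[str]]:
    """Map pid -> matched indicators for every process with at least one hit."""
    return {p.pid: hits for p in procs if (hits := triage(p))}


# Constructed sample: a masquerading miner, a busy but legitimate compiler, a web server.
SAMPLE = [
    Proc(4242, "/dev/shm/ld-linux.so", 97.5, [("45.150.67.135", 3333)]),
    Proc(1001, "/usr/bin/gcc", 99.0, []),
    Proc(2002, "/usr/sbin/nginx", 3.0, [("203.0.113.7", 8080)]),
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE).items():
        print(f"pid {pid}: {', '.join(hits)}")
```

Only the masquerading process is reported; the compiler (high CPU, no network) and the web server (port 8080, low CPU) show why the CPU and network signals are evaluated together.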
## Mitigation Strategies
- **Patch Management:** Immediately apply updates for **CVE-2024-3400** on PAN-OS devices.
- **Network Segmentation:** Isolate edge devices from the internal management network to prevent lateral movement.
- **Egress Filtering:** Implement strict egress rules to block traffic to known mining pools and suspicious IP ranges.
- **Hardening:** Disable unused services and use read-only file systems where possible on network appliances.
## Related Tools/Techniques
- **XMRig:** The underlying open-source mining software.
- **Mirai/Gafgyt:** Similar distribution methods (exploiting IoT/Network vulnerabilities).
- **Advanced Persistence:** Similar to techniques used by the **Kinsing** malware family.