February 4, 2023

Researchers discovered a new Go-based malware that is used in a campaign targeting Redis servers, which is an open-source im-memory database and cache. Threat actors are exploiting a critical vulnerability, tracked as CVE-2022-0543.

This particular flaw is a Lua sandbox escape flaw that impacts Debian and Debian-derived Linux distributions. The vulnerability, with a CVSS score of 10, could be exploited by a remote attacker with the ability to execute arbitrary Lua scripts to possibly escape the Lua sandbox and execute arbitrary code on the underlying machine.

Juniper Threat Labs researchers reported that the Muhstik botnet has been observed targeting Redis servers exploiting the CVE-2022-0543 vulnerability.

The flaw has been fixed in February 2022, but threat actors continue to exploit it in attacks in the wild due to the public availability of a proof-of-concept exploit code.

The attack chain starts with scans for the Redis server exposing port 6379 to the internet, then threat actors attempt to connect and run the following Redis commands:

  1. INFO command 
  2. SLAVEOF command
  3. REPLCONF command
  4. PSYNC command
  5. MODULE LOAD command
  6. SLAVEOF NO ONE command

Attackers loads the library file exp_lin.so and executes the exploit code for the above flaw. The file contains the implementation of the command system.exec which allows the attackers to execute an arbitrary command and launch the attack.

The first use of the command is activated to receive information about the CPU architecture. The second use of the command is done to download the newly discovered malware from the attacking server – Redigo. After downloading the malware file, the attackers elevate the permissions of the file to execute, and execute it.

Threat actors simulate Redis communication over port 6379 to evade detection.

Researchers believe that threat actors are using the Redigo malware to infect Redis and add them to a botnet used to launch DDoS attacks, run cryptocurrency miners, or steal data from the servers.

This research was documented by researchers from Aqua Nautilus

Indicators Of Compromise

  • IP 45.41.240.51
  • a755eeede56cbce460138464bf79cacd
  • c3b9216936e2ed95dcf7bb7976455859

Leave a Reply

%d bloggers like this: