New Go-based malware targets vulnerable Redis servers
Aqua Nautilus, a cloud security firm, discovered new Go-based malware that targets Redis (remote dictionary server), an open source in-memory database and cache.
The attack was carried out against one of its purposefully vulnerable Redis honeypots, and the vulnerability was tracked as CVE-2022-0543 (CVSS score: 10.0), which is a case of sandbox escape in the Lua scripting engine that could be exploited to gain remote code execution.
The malware, which has yet to be detected by any VirusTotal antivirus engine, was written in Golang and targets Redis servers so that the attacking server can gain control of the compromised machine.
The attacks involve deploying Redigo while exploiting a critical security vulnerability in the open source, in-memory key-value store that was disclosed earlier this year. Although the flaw was discovered and corrected in February, attackers continued to exploit it on unpatched machines months after the fix was released, once proof-of-concept exploit code became public.
Attacks with Redigo begin with port 6379 scans to find exposed Redis instances, followed by the execution of several commands: the INFO command, which gives adversaries information about the targeted Redis server, and the SLAVEOF command, which makes the target a replica of the attacking server and later helps the threat actors download the shared object used to exploit the vulnerability.
There is also the REPLCONF command, which configures the connection from the master (the attacking server) to the newly created replica, and the PSYNC command, which the new replica runs to initiate a replication stream from the master, keeping the replica updated and allowing the master to send it a stream of commands. The MODULE LOAD command then loads a module at runtime from the dynamic library downloaded at stage 4. Finally, the SLAVEOF NO ONE command disables replication and turns the vulnerable Redis server back into a master.
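As an added example from a defender's perspective (not code from Aqua Nautilus or the article), the following Python flags this command sequence in Redis MONITOR output. The sample lines, IP addresses and .so path are constructed placeholders, and the allowlist of legitimate masters is an assumed deployment parameter.

```python
import re
from collections import defaultdict

# Constructed MONITOR output (not from the article); IPs and the .so path are placeholders.
SAMPLE_MONITOR = """\
1669900001.123456 [0 203.0.113.10:51000] "INFO"
1669900002.223456 [0 203.0.113.10:51000] "SLAVEOF" "203.0.113.10" "8886"
1669900005.523456 [0 203.0.113.10:51000] "MODULE" "LOAD" "/tmp/PLACEHOLDER.so"
1669900006.623456 [0 203.0.113.10:51000] "SLAVEOF" "NO" "ONE"
1669900007.723456 [0 198.51.100.7:40000] "GET" "session:42"
"""

LINE_RE = re.compile(r'^(\S+) \[(\d+) ([^\]]+)\] (.*)$')   # ts [db client] "cmd" "arg"...
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')                 # each double-quoted token

def parse_monitor(text):
    """Yield (timestamp, client_addr, argv) for every well-formed MONITOR line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, _db, client, rest = m.groups()
        argv = ARG_RE.findall(rest)
        if argv:
            yield float(ts), client, argv

def detect_rogue_replica_chain(monitor_text, allowed_masters=frozenset()):
    """Return (client, stage, detail) alerts for SLAVEOF -> MODULE LOAD -> SLAVEOF NO ONE.

    REPLCONF and PSYNC are exchanged on the replication link the victim opens to the
    rogue master, so they are not visible in the victim's own MONITOR stream; the
    chain is therefore tracked per client address on the commands that client sends.
    """
    stage = defaultdict(int)   # 0 = clean, 1 = rogue SLAVEOF seen, 2 = module loaded after it
    alerts = []
    for _ts, client, argv in parse_monitor(monitor_text):
        cmd, args = argv[0].upper(), [a.upper() for a in argv[1:]]
        if cmd in ("SLAVEOF", "REPLICAOF") and len(args) == 2:
            if args == ["NO", "ONE"]:
                if stage[client] >= 2:            # replication torn down after the load
                    alerts.append((client, "chain_complete", "SLAVEOF NO ONE"))
            elif f"{argv[1]}:{argv[2]}" not in allowed_masters:
                stage[client] = max(stage[client], 1)
                alerts.append((client, "rogue_slaveof", f"{argv[1]}:{argv[2]}"))
        elif cmd == "MODULE" and args[:1] == ["LOAD"]:
            if stage[client] >= 1:
                stage[client] = 2
            alerts.append((client, "module_load", argv[2] if len(argv) > 2 else ""))
    return alerts
```

A MODULE LOAD from any client is reported on its own; the chain stages only escalate when it follows a SLAVEOF pointing at a master outside the allowlist.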
Prior to downloading and executing Redigo, the backdoor collects host hardware information using its command execution capabilities. Redigo's activity after gaining a foothold in the environment is unknown because of the attack-duration limits of the Aquasec honeypots, but Aquasec researchers believe the malware may add vulnerable servers to a botnet used for distributed denial-of-service attacks and cryptocurrency mining.
According to the researchers, attackers could also use the malware to facilitate Redis data theft.
The sources for this piece include an article in Bleepingcomputer.