ClickCease New Go-based malware target vulnerable Redis servers

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

New Go-based malware target vulnerable Redis servers

Obanla Opeyemi

December 12, 2022 - TuxCare expert team

Aqua Nautilus, a cloud security firm, discovered new Go-based malware that targets Redis (remote dictionary server), an open source in-memory database and cache.

The attack was carried out against one of its purposefully vulnerable Redis honeypots, and the vulnerability was tracked as CVE-2022-0543 (CVSS score: 10.0), which is a case of sandbox escape in the Lua scripting engine that could be exploited to gain remote code execution.

The malware, which has yet to be detected by VirusTotal antivirus engines, was written in Golang and was intended to target Redis servers in order for the attacking server to gain control of the compromised machine.

Despite the fact that it was discovered and corrected in February, the attacks involve deploying Redigo while exploiting a critical security vulnerability in the open source, in-memory key-value store that was disclosed earlier this year. Meanwhile, attackers continued to use it on unpatched machines months after the fix was released, as proof-of-concept exploit code became public.

Attacks with Redigo begin with port 6379 scans to find exposed Redis instances, which are then followed by the execution of several commands such as the INFO command, which allows adversaries to receive information about our Redis server, and the SLAVEOF command, which allows threat actors to create a replica of the attacking server and later assist them in downloading the shared object, allowing for the vulnerability to be exploited.

There is also the REPLCONF command, which configures a connection from the master (the attacking server) to the newly created replica, and the PSYNC command, which the new replica runs and initiates a replication stream from the master to keep the replica updated and allow the master to send a stream of commands. The MODULE LOAD command enables the runtime loading of a module from the dynamic library downloaded at stage 4. Finally, the SLAVEOF NO ONE command disables replication and turns the vulnerable Redis server into a master.

Prior to Redigo download and execution, the backdoor collects host hardware information using its command execution capabilities. While Redigo’s processes after gaining a foothold in the environment are unknown due to attack duration limits in Aquasec honeypots, Aquasec researchers believe that vulnerable servers may be added by the malware as a bot for distributed denial-of-service attacks and cryptocurrency mining attacks.

According to the researchers, attackers could also use the malware to facilitate Redis data theft.

The sources for this piece includes an article in Bleepingcomputer.

New Go-based malware target vulnerable Redis servers
Article Name
New Go-based malware target vulnerable Redis servers
Aqua Nautilus, a cloud security firm, discovered new Go-based malware that targets Redis (remote dictionary server).
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Related Articles

How GPT models can be...

According to CyberArk researchers, GPT-based models like ChatGPT can be...

January 30, 2023

Attackers actively exploit Unpatched Control...

Malicious hackers have started exploiting a critical vulnerability CVE-2022-44877 in...

January 27, 2023

Attackers distribute malware via malicious...

Deep Instinct researchers reported that RATs like StrRAT and Ratty...

January 26, 2023

CircleCI partners AWS to identify...

According to CircleCI’s CTO, Rob Zuber, CircleCI is working with...

January 25, 2023

Cisco warns of authentication bypass...

A remote attacker could exploit multiple vulnerabilities in four Cisco...

January 24, 2023

IceID malware infiltrates Active Directory...

In a notable IcedID malware attack, the assailant impacted the...

January 23, 2023