Unveiling Redtail: A Deep Dive into Cryptocurrency Mining Malware

Between August and November 2024, our honeypots recorded a range of malicious activity, including multiple incidents involving a cryptocurrency mining malware known as "Redtail". This report delves into how Redtail operates, its tactics, and strategies to counter the threat. Redtail mines cryptocurrency on compromised systems without authorisation, using helper scripts to select a binary matching the host's CPU architecture and to kill competing miners.
Summary of Honeypot Observations

During this period, Redtail was executed four times by three different threat actors. Notable IP addresses involved in these incidents include 5.182.211.148, 94.103.125.37, and 87.120.113.231.

Malware Overview

Redtail is an adaptable malware that ships binaries for several CPU architectures, which lets it target a wide range of systems. In April 2024, a new variant exploited a critical vulnerability in the GlobalProtect feature of Palo Alto Networks' PAN-OS (CVE-2024-3400): an arbitrary file creation flaw that leads to command injection with root privileges.

Malware Features

Redtail has several notable features:

  1. Multi-Architecture Compatibility: Operates on ARM7, ARM8, i686, and x86_64.

  2. Evolutionary Capability: Frequently updated with new exploits.

  3. Persistence Mechanisms: Maintains access by appending an attacker-controlled SSH public key to authorized_keys.

Attack Analysis

Initial Observation

The first attack occurred on 15 October 2024 at 00:47:54 UTC. The attacker, using IP 5.182.211.148, connected to the honeypot using weak credentials ("root/nimda") and probed port TCP/2222 before uploading several files, including clean.sh, redtail.arm7, redtail.arm8, redtail.i686, redtail.x86_64, and setup.sh.

After gaining access, the attacker:

  1. Made clean.sh executable and ran it to kill competing miners and remove other attackers' tasks.

  2. Deleted clean.sh using rm -rf.

  3. Made setup.sh executable, ran it to install the Redtail binary matching the host architecture, and deleted it in the same way.

  4. Added an SSH public key for persistent access.
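The four-step sequence above is easy to turn into a detection rule. The following script is an added example, not code from the original report: it scores a constructed, Cowrie-style command log against the stages of the chain (dropper made executable, executed, deleted, SSH key appended) plus the known Redtail payload names, and pulls out any public key that was written to authorized_keys so it can be hunted for elsewhere. The event format, the grouping by source IP, the thresholds and the sample key are all assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed honeypot events: (timestamp, source IP, event type, detail).
# The shape loosely mirrors a Cowrie-style command log. The first session
# reproduces the sequence described above; the second is a benign admin
# session that must not trigger. The public key is fabricated.
SAMPLE_EVENTS = [
    ("2024-10-15T00:47:54Z", "5.182.211.148", "login", "root/nimda"),
    ("2024-10-15T00:47:55Z", "5.182.211.148", "upload", "clean.sh"),
    ("2024-10-15T00:47:55Z", "5.182.211.148", "upload", "redtail.arm7"),
    ("2024-10-15T00:47:55Z", "5.182.211.148", "upload", "redtail.x86_64"),
    ("2024-10-15T00:47:56Z", "5.182.211.148", "upload", "setup.sh"),
    ("2024-10-15T00:47:57Z", "5.182.211.148", "cmd", "chmod +x clean.sh; ./clean.sh"),
    ("2024-10-15T00:47:58Z", "5.182.211.148", "cmd", "rm -rf clean.sh"),
    ("2024-10-15T00:47:59Z", "5.182.211.148", "cmd", "chmod +x setup.sh; sh setup.sh"),
    ("2024-10-15T00:48:00Z", "5.182.211.148", "cmd", "rm -rf setup.sh"),
    ("2024-10-15T00:48:01Z", "5.182.211.148", "cmd",
     'mkdir -p ~/.ssh; echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyForIllustrationOnly attacker" '
     '>> ~/.ssh/authorized_keys'),
    ("2024-10-15T09:12:00Z", "10.0.0.5", "login", "deploy/<key>"),
    ("2024-10-15T09:12:05Z", "10.0.0.5", "cmd", "ls -la /var/log"),
    ("2024-10-15T09:12:10Z", "10.0.0.5", "cmd", "rm -rf /tmp/build-cache"),
]

# One regex per stage of the chain; each is evaluated against every command.
STAGE_PATTERNS = {
    "dropper_script_made_executable": re.compile(r"chmod\s+\+x\s+\S*(?:clean|setup)\.sh"),
    "dropper_script_executed": re.compile(r"(?:^|[;&|]\s*)(?:\./|(?:sh|bash)\s+)\S*(?:clean|setup)\.sh"),
    "dropper_script_deleted": re.compile(r"rm\s+-rf\s+\S*(?:clean|setup)\.sh"),
    "ssh_key_appended": re.compile(r"(?:echo|printf)\s+.*ssh-(?:rsa|ed25519).*>>\s*\S*authorized_keys"),
}
REDTAIL_PAYLOAD = re.compile(r"^redtail\.(?:arm7|arm8|i686|x86_64)$")
SSH_PUBKEY = re.compile(r"(?:ssh-(?:rsa|ed25519)|ecdsa-sha2-nistp\d+)\s+[A-Za-z0-9+/=]+")


def analyse_sessions(events):
    """Group events by source IP and score each group against the chain.
    Real honeypots key by session id; source IP is used here for brevity."""
    sessions = defaultdict(lambda: {"login": None, "payloads": set(), "stages": set(), "keys": []})
    for _ts, src_ip, kind, detail in events:
        s = sessions[src_ip]
        if kind == "login":
            s["login"] = detail
        elif kind == "upload" and REDTAIL_PAYLOAD.match(detail):
            s["payloads"].add(detail)
        elif kind == "cmd":
            for stage, pattern in STAGE_PATTERNS.items():
                if pattern.search(detail):
                    s["stages"].add(stage)
            # Whatever key the attacker wrote is the persistence indicator.
            s["keys"].extend(m.group(0) for m in SSH_PUBKEY.finditer(detail))

    reports = {}
    for src_ip, s in sessions.items():
        if s["payloads"] and len(s["stages"]) >= 3:
            verdict = "redtail"          # payload dropped and most of the chain seen
        elif s["payloads"] or len(s["stages"]) >= 2:
            verdict = "suspicious"       # partial chain: worth an analyst's look
        else:
            verdict = "benign"
        reports[src_ip] = {
            "login": s["login"],
            "payloads": sorted(s["payloads"]),
            "stages": sorted(s["stages"]),
            "keys": s["keys"],
            "verdict": verdict,
        }
    return reports


def persistence_indicators(reports):
    """Public keys appended during sessions judged to be Redtail: these are
    what to grep for in authorized_keys across the rest of the fleet."""
    return [k for r in reports.values() if r["verdict"] == "redtail" for k in r["keys"]]


if __name__ == "__main__":
    results = analyse_sessions(SAMPLE_EVENTS)
    for ip, r in results.items():
        print(ip, r["verdict"], r["stages"])
    print("hunt for:", persistence_indicators(results))
```

The stage regexes are deliberately narrow (they key on the clean.sh/setup.sh names seen here); a production rule would broaden the dropper names and use the honeypot's session id rather than the source IP, since one IP can carry several sessions.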

Further Attempts

Between 15 October and 11 November 2024, three additional attacks were observed. These incidents involved IP addresses from the Netherlands and Bulgaria, dropped files with the same hashes, and followed the same sequence with similar timing.

In November 2024, a technology firm fell victim to the Redtail malware. The infection was traced back to a compromised server running an outdated version of PAN-OS that had not been patched for CVE-2024-3400. The attackers exploited this vulnerability to gain root access, deploy Redtail, and establish persistent access via SSH keys. This incident underscores the importance of timely patch management and robust security practices to defend against threats like Redtail.

Defensive Measures

System Hardening

  1. Patch Management: Regular updates to address vulnerabilities like CVE-2024-3400.

  2. Endpoint Security: Deploy advanced antimalware solutions.

  3. Vulnerability Scanning: Perform regular scans for exposed systems.

  4. Access Control: Disable root logins to prevent attackers from exploiting weak root credentials. Use SSH keys to strengthen authentication and enable Fail2ban to detect and block suspicious login attempts.

Network Defence

  1. Port Management: Block unused ports to prevent exploitation.

  2. Centralised Log Monitoring: Use SIEM systems to detect and respond to threats effectively.

Network Defence Tools

  1. SIEM: Monitors and analyses logs to detect anomalies.

  2. Firewall Rules: Restricts access to critical services.

  3. IDS/IPS: Identifies and blocks malicious traffic.
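The access-control item above (no root logins, key-based authentication, Fail2ban) can be checked and enforced mechanically. The script below is an added example, not part of the original page: it parses an sshd_config excerpt the way sshd does (comments ignored, first occurrence of a directive wins, directives inside a Match block treated as conditional), reports which settings leave the root/nimda-style path open, and emits a hardened copy. The sample config, the policy table and the MaxAuthTries threshold of 3 are assumptions for the illustration; the defaults used for absent directives follow sshd_config(5).

```python
import re

# Constructed sshd_config excerpt with the weak settings the section warns
# about. It is an illustration, not a file taken from any real host.
WEAK_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
MaxAuthTries 6
"""

# (directive, sshd default when absent, is_weak(lowercased value), hardened value, why)
POLICY = [
    ("PermitRootLogin", "prohibit-password", lambda v: v != "no", "no",
     "root/nimda-style guessing needs root logins to be permitted at all"),
    ("PasswordAuthentication", "yes", lambda v: v == "yes", "no",
     "key-only logins remove the weak-credential path entirely"),
    ("PubkeyAuthentication", "yes", lambda v: v != "yes", "yes",
     "keys must stay usable once passwords are off"),
    ("MaxAuthTries", "6", lambda v: not v.isdigit() or int(v) > 3, "3",
     "fewer guesses per connection; Fail2ban covers repeated connections"),
]

# "Keyword value" or "Keyword=value", as sshd accepts.
_DIRECTIVE = re.compile(r"^\s*([A-Za-z]+)\s*[=\s]\s*(.+?)\s*$")


def parse_sshd_config(text):
    """Effective global directives, lower-cased keyword -> value.
    Comments are dropped, the first occurrence wins (sshd semantics) and
    parsing stops at the first Match block, whose directives are conditional."""
    effective = {}
    for raw in text.splitlines():
        m = _DIRECTIVE.match(raw.split("#", 1)[0])
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def audit_sshd_config(text):
    """Compare the effective config against POLICY. Absent directives are
    judged by their sshd default, so an empty file is not a clean file."""
    effective = parse_sshd_config(text)
    findings = []
    for directive, default, is_weak, hardened, why in POLICY:
        observed = effective.get(directive.lower())
        value = (observed if observed is not None else default).lower()
        if is_weak(value):
            findings.append({
                "directive": directive,
                "observed": observed if observed is not None else f"<default {default}>",
                "hardened": hardened,
                "why": why,
            })
    return findings


def harden_sshd_config(text):
    """Rewrite each weak global directive in place (first occurrence only) and
    insert missing ones before any Match block so they stay global."""
    fixes = {f["directive"].lower(): f for f in audit_sshd_config(text)}
    out, seen, match_at = [], set(), None
    for raw in text.splitlines():
        m = _DIRECTIVE.match(raw.split("#", 1)[0])
        key = m.group(1).lower() if m else None
        if key == "match" and match_at is None:
            match_at = len(out)
        if match_at is None and key in fixes and key not in seen:
            seen.add(key)
            out.append(f"{fixes[key]['directive']} {fixes[key]['hardened']}")
        else:
            out.append(raw)
    missing = [f"{f['directive']} {f['hardened']}" for k, f in fixes.items() if k not in seen]
    insert_at = len(out) if match_at is None else match_at
    out[insert_at:insert_at] = missing
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in audit_sshd_config(WEAK_SSHD_CONFIG):
        print(f"{f['directive']}: {f['observed']} -> {f['hardened']} ({f['why']})")
    print(harden_sshd_config(WEAK_SSHD_CONFIG))
```

Run it against a copy of the real file and validate the output with `sshd -t -f <file>` before reloading. Lowering MaxAuthTries only limits guesses within one connection; the attacker simply reconnects, which is why the text pairs it with Fail2ban's sshd jail to ban the source after repeated failures.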

Conclusion

Redtail malware exemplifies the sophistication of modern cryptomining threats, utilising advanced tactics to persist and exploit systems. Protecting against such threats requires a layered defence strategy, including system patching, strong authentication, network monitoring, and centralised logging. Adopting these measures will help mitigate the risks posed by evolving cyber threats.
