New Go-Based Redigo Malware Targets Redis Servers

Redigo is a new Go-based malware designed to attack Redis servers affected by the CVE-2022-0543 vulnerability.

Researchers from security firm AquaSec have discovered a new Go-based malware used in campaigns targeting Redis servers. Threat actors are exploiting a critical vulnerability in the Redis (Remote Dictionary Server) server, tracked as CVE-2022-0543.

Redis (Remote Dictionary Server) is an open source in-memory database and cache.

The CVE-2022-0543 flaw is a Lua sandbox escape flaw affecting Debian and Debian-derived Linux distributions. The vulnerability, rated 10 out of 10 for severity, could allow a remote attacker to execute arbitrary Lua scripts to evade the Lua sandbox and execute arbitrary code on the underlying computer. Juniper Threat Labs researchers report observing the Muhstik botnet targeting Redis servers exploiting the CVE-2022-0543 vulnerability.

In March 2022, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this flaw to its catalog of known exploits.

The flaw was fixed in February 2022, but threat actors continue to exploit it in the wild now that the proof-of-concept exploit code has become public.

The attack chain begins by scanning for a Redis server that exposes port 6379 to the internet; the threat actor then attempts to connect and run the following Redis commands:

  1. INFO command – This command returns information about the Redis server. From the response, the adversary learns which version the server is running and whether it is vulnerable to CVE-2022-0543 (AquaSec's honeypot was deliberately built to be vulnerable to this flaw). This gives the adversary the confirmation needed to proceed and lets them begin preparing the target for exploitation.
  2. SLAVEOF command – This makes the victim a replica of the attacking server. This step later lets the attacker deliver a shared object that is used to exploit the vulnerability.
  3. REPLCONF command – This command is used to configure the connection between the master server (the attack server) and the newly created replica.
  4. PSYNC command – The new replica runs this command and starts the replication stream from the master. This connection keeps replicas updated and allows the master to send command streams. The attack server, acting as master, uses this connection to write the shared library exp_lin.so to the replica's disk. The connection can also serve the adversary as a backdoor: if the connection is interrupted, the replica reconnects and tries to fetch the part of the command stream that was lost during the disconnection.
  5. MODULE LOAD command – This loads a module at runtime from the dynamic library delivered in stage 4. The library exploits the vulnerability and allows arbitrary commands to be run afterwards.
  6. SLAVEOF NO ONE command – This turns off replication and turns the vulnerable Redis server back into a master.

The attacker loads the library file exp_lin.so and executes the exploit code for the vulnerability described above. This file implements the command system.exec, allowing an attacker to execute arbitrary commands and launch further attacks.
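The six-step chain above leaves a distinctive footprint in the commands a single client sends to the victim Redis instance: INFO, then SLAVEOF pointing at a host the instance has no business replicating from, then MODULE LOAD, then SLAVEOF NO ONE. The following detector is an added example written for this article; it is not code from AquaSec or from the Redis project. It assumes a simple per-command audit log (constructed below, one line of timestamp, client address and command) such as a proxy, an eBPF tracer or a MONITOR feed might produce; Redis itself writes no such log by default. The allowlist of legitimate masters and the sample addresses are constructed for the example. The REPLCONF and PSYNC steps are the replication handshake the victim sends outbound to the rogue master, so they do not appear in the victim's inbound command log and the detector does not rely on them.

```python
"""Detect the Redis replication-abuse chain (SLAVEOF -> MODULE LOAD -> SLAVEOF NO ONE).

Added example for the Redigo write-up; not the article's or AquaSec's code.
Assumes an inbound command audit log in the constructed format:
    <timestamp> <client_ip>:<port> <COMMAND> [args...]
"""
import re
from collections import defaultdict

# Constructed: hosts this instance is allowed to replicate from.
ALLOWED_MASTERS = {"10.0.0.1"}

# Constructed sample log. 203.0.113.7 drives the full chain; the other clients
# are benign (a normal GET/INFO, and a SLAVEOF to an allowlisted master).
SAMPLE_LOG = """\
2022-12-01T10:00:01Z 203.0.113.7:51234 INFO
2022-12-01T10:00:02Z 203.0.113.7:51234 SLAVEOF 203.0.113.7 8888
2022-12-01T10:00:05Z 203.0.113.7:51234 MODULE LOAD /tmp/exp_lin.so
2022-12-01T10:00:06Z 203.0.113.7:51234 SLAVEOF NO ONE
2022-12-01T10:01:00Z 10.0.0.12:44100 GET session:abc
2022-12-01T10:01:01Z 10.0.0.12:44100 INFO
2022-12-01T10:01:02Z 10.0.0.5:44101 SLAVEOF 10.0.0.1 6379
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>[\d.]+):\d+ (?P<cmd>\S+)(?: (?P<args>.*))?$"
)


def parse_line(line):
    """Parse one audit line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "client": m["client"],
        "cmd": m["cmd"].upper(),
        "args": (m["args"] or "").split(),
    }


def classify(entry):
    """Map one command to a stage of the chain, or None if it is not of interest."""
    cmd, args = entry["cmd"], entry["args"]
    if cmd == "INFO":
        return "recon"
    if cmd in ("SLAVEOF", "REPLICAOF"):
        if len(args) >= 2 and args[0].upper() == "NO" and args[1].upper() == "ONE":
            return "promote"          # replication switched off again
        if args and args[0] not in ALLOWED_MASTERS:
            return "rogue_master"     # replicating from an unexpected host
        return None
    if cmd == "MODULE" and args and args[0].upper() == "LOAD":
        return "module_load"          # a shared object is being loaded at runtime
    return None


def analyse(log_text):
    """Group stages per client and return alerts for clients that match the chain.

    Severity is 'critical' when a client first points replication at a rogue
    master and later loads a module (the core of the Redigo chain), and 'high'
    when only one of those two indicators is present. INFO alone is never alerted.
    """
    stages = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        stage = classify(entry)
        if stage:
            stages[entry["client"]].append(stage)

    alerts = []
    for client, names in stages.items():
        has_rogue = "rogue_master" in names
        has_load = "module_load" in names
        if has_rogue and has_load and names.index("rogue_master") < names.index("module_load"):
            alerts.append({"client": client, "severity": "critical", "stages": names})
        elif has_rogue or has_load:
            alerts.append({"client": client, "severity": "high", "stages": names})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The order check matters: a replica that merely points at an unlisted master is worth a look, but a client that does so and then issues MODULE LOAD has reproduced the delivery-then-load pattern the article describes. On the prevention side, the same two commands are the ones to lock down in redis.conf: keep `protected-mode yes` and a `requirepass`, and use `rename-command` to disable SLAVEOF/REPLICAOF and MODULE for clients that never need them (Redis 7.0 and later additionally offers `enable-module-command no`).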

“The first use of the command was to receive information about the CPU architecture. The second use of the command was to download newly discovered malware from the attack server Redigo. After downloading the malware file, the attackers elevated the file’s execute privileges, and executed it (see below for malware investigations).” Read the analysis published by AquaSec.

Threat actors simulate Redis communication over port 6379 to evade detection.

AquaSec researchers believe that threat actors are using the Redigo malware to infect Redis servers and add them to botnets used to launch distributed denial-of-service (DDoS) attacks, run cryptocurrency miners, or steal data from the servers.

The researchers also provided Indicators of Compromise (IOCs) for this threat.


Pierluigi Paganini

(security affairs Hacking, Redis)
