The threat actors behind the RedTail cryptocurrency mining malware have added a recently disclosed security flaw affecting Palo Alto Networks firewalls to their exploit arsenal.
The addition of the PAN-OS vulnerability to the toolkit has been accompanied by updates to the malware, which now incorporates new anti-analysis techniques, according to findings from web infrastructure and security firm Akamai.
“The attackers have taken a step forward by employing private crypto-mining pools for greater control over mining outcomes despite the increased operational and financial costs,” security researchers Ryan Barnett, Stiv Kupchik, and Maxim Zavodchik said in a technical report shared with The Hacker News.
The infection sequence discovered by Akamai exploits a now-patched vulnerability in PAN-OS tracked as CVE-2024-3400 (CVSS score: 10.0) that could allow an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
Successful exploitation is followed by the execution of commands designed to retrieve and run a bash shell script from an external domain that, in turn, is responsible for downloading the RedTail payload matching the CPU architecture of the compromised host.
Other propagation mechanisms for RedTail involve the exploitation of known security flaws in TP-Link routers (CVE-2023-1389), ThinkPHP (CVE-2018-20062), Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887), and VMware Workspace ONE Access and Identity Manager (CVE-2022-22954).
RedTail was first documented by security researcher Patryk Machowiak in January 2024 in connection with a campaign that exploited the Log4Shell vulnerability (CVE-2021-44228) to deploy the malware on Unix-based systems.
Then in March 2024, Barracuda Networks disclosed details of cyber attacks exploiting flaws in SonicWall (CVE-2019-7481) and Visual Tools DVR (CVE-2021-42071) to install Mirai botnet variants, as well as shortcomings in ThinkPHP to deploy RedTail.
The latest version of the miner, detected in April, packs in significant updates: it includes an encrypted mining configuration that is used to launch the embedded XMRig miner.
Another notable change is the absence of a cryptocurrency wallet, indicating that the threat actors may have switched to a private mining pool or a pool proxy to reap the financial benefits.
“The configuration also reveals that the threat actors are trying to optimize the mining operation as much as possible, indicating a deep understanding of crypto-mining,” the researchers said.
“Unlike the previous RedTail variant reported in early 2024, this malware employs advanced evasion and persistence techniques. It forks itself multiple times to hinder analysis by debugging its process and kills any instance of [GNU Debugger] it finds.”
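To make the two anti-analysis behaviours in that quote concrete for analysts, here is an added illustration (not RedTail's code, and not taken from the Akamai report) of how a Linux binary can tell whether a debugger is attached and find running GDB instances by walking procfs. It assumes only the standard Linux /proc layout: TracerPid in /proc/self/status is non-zero when a tracer is attached, and /proc/PID/comm holds each process's command name. The fork-and-self-attach trick the researchers mention is deliberately left out so the block runs safely anywhere; this version only counts matches where malware would send SIGKILL.

```c
/* Illustration of two anti-analysis checks of the kind described in the
 * article (reconstructed example, not RedTail's code). Linux-only: it relies
 * on the procfs layout (/proc/self/status and /proc/PID/comm). */
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* PID of the process tracing us (a debugger such as gdb), 0 when no tracer
 * is attached, or -1 if /proc/self/status cannot be read. */
long tracer_pid(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256];
    long pid = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "TracerPid:", 10) == 0) {
            pid = strtol(line + 10, NULL, 10);
            break;
        }
    }
    fclose(f);
    return pid;
}

/* Read the command name (comm, at most 15 chars) of `pid` into buf without
 * the trailing newline. Returns 0 on success, -1 if unreadable. */
static int read_comm(const char *pid, char *buf, size_t len) {
    char path[64];
    snprintf(path, sizeof path, "/proc/%s/comm", pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    if (!fgets(buf, (int)len, f)) { fclose(f); return -1; }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* Count live processes whose comm equals `name` (e.g. "gdb"). The malware
 * described in the article would kill each match; this only counts them.
 * Returns -1 if /proc cannot be opened. */
int count_processes_named(const char *name) {
    DIR *d = opendir("/proc");
    if (!d) return -1;
    int count = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!isdigit((unsigned char)e->d_name[0])) continue;  /* only PID dirs */
        char comm[64];
        if (read_comm(e->d_name, comm, sizeof comm) == 0 && strcmp(comm, name) == 0)
            count++;
    }
    closedir(d);
    return count;
}

/* Self-check that the /proc walk works: how many processes share our own
 * command name (always at least one, ourselves). -1 on failure. */
int own_comm_count(void) {
    char me[64];
    if (read_comm("self", me, sizeof me) != 0) return -1;
    return count_processes_named(me);
}

int main(void) {
    long t = tracer_pid();
    printf("TracerPid: %ld (%s)\n", t, t > 0 ? "debugger attached" : "no tracer");
    printf("processes sharing our comm: %d\n", own_comm_count());
    printf("processes named gdb: %d\n", count_processes_named("gdb"));
    return 0;
}
```

Run it plain and then under `gdb -ex run`, and the first line flips from "no tracer" to "debugger attached"; that is the signal a sample of this kind acts on. Recognising these two reads in a disassembly (a string "TracerPid" or an `fopen` on "/proc/%s/comm" followed by a compare against "gdb") tells an analyst where to patch or which breakpoints to set before the sample can react, and renaming the debugger binary defeats the comm-based sweep entirely.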
Akamai described RedTail as having a high level of polish, an aspect not commonly observed among cryptocurrency miner malware families in the wild.
“The investments required to run a private crypto-mining operation are significant, including staffing, infrastructure, and obfuscation,” the researchers concluded. “This sophistication may be indicative of a nation-state-sponsored attack group.”