redigo-malware

Analysis

On 1st December 2022, the cloud-native security company Aqua Security published a blog post on the Redigo malware.

The Nautilus research team from Aqua Security identified the exploitation of Redis servers and the deployment of malware on them. The team observed this activity on a honeypot that was vulnerable to CVE-2022-0543. The malware was named after the targeted server (Redis) and the language it was written in (Golang).

It was identified that the threat actor first looks for Redis servers using scanners and botnets. After identifying a vulnerable server, the threat actor executes multiple commands to collect information about it, then loads the library file exp_lin.so, which is used to exploit the vulnerability. It then downloads the Redigo malware, redis-1.2-SNAPSHOT, from a server hosted by the threat actor and establishes command and control communication with the attacker's server.

Prevention

  • Use antivirus or EDR on all endpoints.
  • Harden the server to prevent undesired Redis commands such as slaveof from running.
  • Regularly patch vulnerabilities in the software and hardware in the infrastructure.
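The second prevention item can be checked mechanically. The script below is an added example (not from the Aqua write-up or this page) that reads a redis.conf and reports the settings a hardened server should have: the slaveof command named above (and its alias REPLICAOF) disabled with the standard rename-command directive, protected-mode on, bind restricted to an internal address, and requirepass set. Both configurations embedded in it are constructed samples; protected-mode, bind, requirepass and rename-command are standard Redis directives, the choice of which ones to check is this example's.

```python
"""Audit a redis.conf for the hardening the Prevention list calls for.

Added example; the configurations below are constructed, not taken from
a real server.
"""
import shlex

# Commands that turn the server into a replica of another host; the page
# names slaveof, and REPLICAOF is its modern alias.
RISKY_COMMANDS = {"slaveof", "replicaof"}

WEAK_CONF = """
# constructed example: an exposed, unauthenticated Redis
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
# constructed example: the same server after hardening
bind 127.0.0.1
protected-mode yes
port 6379
requirepass example-strong-passphrase
rename-command SLAVEOF ""
rename-command REPLICAOF ""
"""


def parse_conf(text):
    """Return (directive, args) tuples; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # shlex handles the quoted "" that rename-command uses to disable a command
        parts = shlex.split(line)
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    entries = parse_conf(text)
    # rename-command may appear many times, every other directive is taken as-is
    settings = {d: a for d, a in entries if d != "rename-command"}
    disabled = {a[0].lower() for d, a in entries
                if d == "rename-command" and len(a) == 2 and a[1] == ""}

    for cmd in sorted(RISKY_COMMANDS - disabled):
        findings.append(f'{cmd.upper()} is still reachable; add: rename-command {cmd.upper()} ""')
    if settings.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode is off")
    bind = settings.get("bind")
    if bind is None or any(b in ("0.0.0.0", "*", "::") for b in bind):
        findings.append("server listens on all interfaces; bind to 127.0.0.1 or an internal address")
    if not settings.get("requirepass") or settings["requirepass"][0] == "":
        findings.append("no requirepass set; unauthenticated clients can issue commands")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(conf) or ['ok']}")
```

Run it against a real redis.conf by reading the file into a string and passing it to audit(); the weak sample produces five findings and the hardened one none.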

Detection

Create rules in the SIEM (security information and event management) tool based on known indicators of threat groups, for the detection of threat activity.

Indicators of Compromise (IOCs)

IP: 45.41.240.51

File Name           Type    MD5
redis-1.2-SNAPSHOT  Binary  a755eeede56cbce460138464bf79cacd
exp_lin.so          Binary  c3b9216936e2ed95dcf7bb7976455859
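The detection rule described under Detection, applied to the indicators listed above. This is an added example, not code from the page or from Aqua: it compiles one anchored pattern per indicator (so that 45.41.240.510 or a longer hex string does not match the IP or MD5 by substring), runs them over log lines and returns the hits. The log lines are constructed samples; the IP, file names and MD5 values are the ones in the table.

```python
"""Match the Redigo IOCs from the page against log lines, as a SIEM rule would.

Added example. SAMPLE_LOGS is constructed telemetry, not real data.
"""
import re

# Indicators exactly as published on the page.
IOCS = {
    "ip": {"45.41.240.51"},
    "filename": {"redis-1.2-SNAPSHOT", "exp_lin.so"},
    "md5": {"a755eeede56cbce460138464bf79cacd", "c3b9216936e2ed95dcf7bb7976455859"},
}

# Constructed events: a Redis server log, EDR file events, and two benign
# lines (a different client, and a near-miss on the IP) that must not match.
SAMPLE_LOGS = [
    "2022-12-01T10:02:11Z redis[1234]: Accepted 45.41.240.51:51332",
    "2022-12-01T10:02:13Z edr host=web-01 event=file_write path=/tmp/exp_lin.so",
    "2022-12-01T10:02:20Z edr host=web-01 event=file_write path=/tmp/redis-1.2-SNAPSHOT md5=A755EEEDE56CBCE460138464BF79CACD",
    "2022-12-01T10:03:00Z redis[1234]: Accepted 10.0.0.5:40122",
    "2022-12-01T10:03:05Z edr host=web-01 event=dns query=45.41.240.510.example",
]


def build_patterns(iocs):
    """Compile one anchored, case-insensitive regex per indicator.

    The lookarounds stop an IP from matching inside a longer address and a
    hash from matching inside a longer hex string; hashes are compared
    case-insensitively because tools disagree on hex casing.
    """
    patterns = []
    for kind, values in iocs.items():
        for value in sorted(values):
            if kind == "ip":
                rx = r"(?<![\d.])" + re.escape(value) + r"(?![\d.])"
            elif kind == "md5":
                rx = r"(?<![0-9a-f])" + re.escape(value) + r"(?![0-9a-f])"
            else:
                rx = r"(?<!\w)" + re.escape(value) + r"(?!\w)"
            patterns.append((kind, value, re.compile(rx, re.IGNORECASE)))
    return patterns


def match_iocs(lines, iocs=IOCS):
    """Return (line_number, kind, indicator) for every indicator hit."""
    patterns = build_patterns(iocs)
    hits = []
    for n, line in enumerate(lines, start=1):
        for kind, value, rx in patterns:
            if rx.search(line):
                hits.append((n, kind, value))
    return hits


if __name__ == "__main__":
    for n, kind, value in match_iocs(SAMPLE_LOGS):
        print(f"line {n}: {kind} indicator {value}")
```

Feed it real lines with match_iocs(open(path).read().splitlines()); each hit carries the line number and which indicator fired, which is what an alert should record.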

References

Aqua Blog
