redigo-malware

Analysis

On 1st December 2022, a cloud-native security company Aqua Security published a blog on Redigo malware.

The Nautilus research team from Aqua security identified the exploitation and deployment of malware in the Redis server. The team had observed this activity from their honeypot which is vulnerable to the vulnerability CVE-2022-0543. The malware was named after the server's name (Redis server), and the language (Golang), based on which the malware was developed.

It was identified that the threat actor initially looks for the Redis server using the scanners and botnets, after identifying the vulnerable server the threat actor executes multiple commands to collect information about the server, then loads a library file exp_lin.so used to exploit the vulnerability, then it downloads Redigo malware: redis-1.2-SNAPSHOT from the server hosted by threat, it establishes command and control communication to the attacker server.

Prevention

  • Use Antivirus or EDR in all endpoints.
  • Harden the server to prevent running undesired Redis commands such as slaveof.
  • Patch the vulnerabilities regularly associated with the Software and Hardware in the infrastructure.

Detection

Create rules based on known indicators of threat groups in the SIEM (Security incident event management) tool for the detection of threat activity.

Indicators of Compromise (IOCs)

IP: 45.41.240.51

File Name Type  MD5
redis-1.2-SNAPSHOT Binary  a755eeede56cbce460138464bf79cacd
exp_lin.so  Binary c3b9216936e2ed95dcf7bb7976455859

 

References

Aqua Blog

 

Get in touch

Send us a Message

Looking for general information or have a specific question. Fill the form below or drop
us a line at susan@positka.com.

Enquiry Now