The threat actors behind the RedTail cryptocurrency mining malware have added a recently disclosed security flaw impacting Palo Alto Networks firewalls to their exploit arsenal.
The addition of the PAN-OS vulnerability to its toolkit has been complemented by updates to the malware, which now incorporates new anti-analysis techniques, according to findings from web infrastructure and security company Akamai.
“The attackers have taken a step forward by using private crypto-mining pools for greater control over mining outcomes despite the increased operational and financial costs,” security researchers Ryan Barnett, Stiv Kupchik, and Maxim Zavodchik said in a technical report shared with The Hacker News.
The infection sequence discovered by Akamai exploits a now-patched vulnerability in PAN-OS tracked as CVE-2024-3400 (CVSS score: 10.0) that could allow an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
A successful exploitation is followed by the execution of commands designed to retrieve and run a bash shell script from an external domain that, in turn, is responsible for downloading the RedTail payload based on the CPU architecture.
Other propagation mechanisms for RedTail involve the exploitation of known security flaws in TP-Link routers (CVE-2023-1389), ThinkPHP (CVE-2018-20062), Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887), and VMware Workspace ONE Access and Identity Manager (CVE-2022-22954).
RedTail was first documented by security researcher Patryk Machowiak in January 2024 in connection with a campaign that exploited the Log4Shell vulnerability (CVE-2021-44228) to deploy the malware on Unix-based systems.
Then in March 2024, Barracuda Networks disclosed details of cyber attacks exploiting flaws in SonicWall (CVE-2019-7481) and Visual Tools DVR (CVE-2021-42071) to install Mirai botnet variants, as well as shortcomings in ThinkPHP to deploy RedTail.
The latest version of the miner, detected in April, packs in significant updates in that it includes an encrypted mining configuration that is used to launch the embedded XMRig miner.
Another notable change is the absence of a cryptocurrency wallet, indicating that the threat actors may have switched to a private mining pool or a pool proxy to reap financial benefits.
“The configuration also shows that the threat actors are trying to optimize the mining operation as much as possible, indicating a deep understanding of crypto-mining,” the researchers said.
“Unlike the previous RedTail variant reported in early 2024, this malware employs advanced evasion and persistence techniques. It forks itself multiple times to hinder analysis by debugging its process and kills any instance of [GNU Debugger] it finds.”
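As an added defensive example (not code from Akamai's report or from the article), the following Python flags the three behaviours just quoted, repeated self-forking, a process ptrace-ing its own parent or child, and signals sent to GDB, in a stream of process events. The event format, the image name `redtail`, and the pids are constructed for the example, and the fork threshold of 3 is an assumption.

```python
"""Flag the anti-analysis behaviour the article attributes to RedTail (forking
itself repeatedly, debugging its own process, killing GDB) in process events."""
from collections import Counter

# Constructed sample in a made-up "pid ppid comm event target" format (not a
# real sensor's output); target is the child created, or the pid ptraced/killed.
SAMPLE_EVENTS = """\
4101 4100 bash    fork   4102
4102 4101 redtail fork   4103
4103 4102 redtail fork   4104
4104 4103 redtail fork   4105
4103 4102 redtail ptrace 4104
4104 4103 redtail ptrace 4105
4105 4104 redtail kill   3001
3001 2000 gdb     exec   -
4200 1    gdb     ptrace 4300
4300 1    myapp   exec   -
"""

def parse(text):
    events = []
    for line in text.splitlines():
        pid, ppid, comm, event, target = line.split()
        events.append({"pid": int(pid), "ppid": int(ppid), "comm": comm,
                       "event": event,
                       "target": None if target == "-" else int(target)})
    return events

def analyse(events, fork_threshold=3):
    """Return sorted (pid, kind, detail) findings for the three behaviours."""
    comm = {e["pid"]: e["comm"] for e in events}   # pid -> image name
    ppid = {e["pid"]: e["ppid"] for e in events}   # pid -> parent pid
    findings, self_forks, first_pid = set(), Counter(), {}
    for e in events:
        pid, t, image = e["pid"], e["target"], e["comm"]
        if e["event"] == "fork" and comm.get(t) == image:
            self_forks[image] += 1            # child keeps the same image
            first_pid.setdefault(image, pid)
        elif e["event"] == "ptrace" and comm.get(t) == image and (
                ppid.get(t) == pid or ppid.get(pid) == t):
            # a process attaching a debugger to its own parent or child
            findings.add((pid, "self-debug", f"{image} ptraced related pid {t}"))
        elif e["event"] == "kill" and comm.get(t) == "gdb":
            findings.add((pid, "kill-debugger", f"{image} signalled gdb pid {t}"))
    for image, n in self_forks.items():
        if n >= fork_threshold:
            findings.add((first_pid[image], "fork-chain",
                          f"{image} forked itself {n} times"))
    return sorted(findings)
```

A legitimate debugger session (gdb tracing an unrelated `myapp` in the sample) produces no finding, so the rule keys on the relationship between tracer and tracee rather than on ptrace alone.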
Akamai described RedTail as having a high level of polish, an aspect not commonly observed among the cryptocurrency miner malware families found in the wild.
“The investments required to run a private crypto-mining operation are significant, including staffing, infrastructure, and obfuscation,” the researchers concluded. “This sophistication may be indicative of a nation-state-sponsored attack group.”