Hackers Exploit Bug in Redis Servers To Drop New Backdoor Malware “Redigo”
Researchers uncovered a new backdoor malware dubbed “Redigo”, written in the Go language, which targets Redis servers and drops a backdoor to gain full control of the servers.
The Redigo malware was uncovered through vulnerable Redis honeypots, where attackers attempt to exploit the Redis vulnerability CVE-2022-0543.
Redis (Remote Dictionary Server) is an open-source in-memory database and cache that runs on Unix-like operating systems. Redis supports many kinds of abstract data structures, such as strings, lists, maps, sets, and sorted sets.
“Our investigation revealed new undetected malware written in Golang designed to target Redis servers to allow the attacking server to dominate the compromised machine,” researchers from Aqua reported.
The Redis architecture combines Redis clients and servers, where the servers handle various operations such as storing data in memory and running management processes.
The server also has a built-in Lua scripting engine that lets users upload and execute Lua scripts directly on the server, which helps users efficiently read and write data from scripts.
The vulnerability CVE-2022-0543, which was discovered in the Lua scripting engine, lets threat actors carry out this attack on a Redis server, drop the Redigo malware and gain access to the server.
Redigo Malware Infection Process
During the initial stage of this attack, the threat actors perform a mass scan using scanners or a botnet to find vulnerable Redis servers that are exposed to the internet on TCP port 6379.
To evade detection, the attackers follow a technique of seemingly legitimate Redis communication that simulates traffic between Redis cluster nodes over port 6379, which helps them deliver their commands to the vulnerable server.
As a result, Redigo, a new Redis backdoor malware, remained undetected on VirusTotal by all vendors during the investigation.
Researchers from Aqua intercepted the communication between the vulnerable Redis server and the attacking server controlled by the threat actors, and found the following commands being used as part of this attack:
- INFO command – A command that allows adversaries to collect information about the Redis server.
- SLAVEOF command – A command that allows adversaries to make the server a replica of the attacking server.
- REPLCONF command – Configures the connection between the master server and the replica server.
- PSYNC command – The new replica runs this command and initiates a replication stream from the master.
- MODULE LOAD command – Loads a dynamic library module, which enables exploitation of the vulnerability and the execution of arbitrary commands later.
- SLAVEOF NO ONE command – Turns off replication and converts the vulnerable Redis server back into a master.
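The command sequence above is the classic rogue-master replication pattern, and it is visible on the victim side: a defender watching the output of the Redis `MONITOR` command (or an equivalent command audit log) can flag it. The following Python detector is an added example and is not code from the article or from Aqua. It parses constructed `MONITOR`-style lines (the sample log and its addresses are made up for this example; only the `exp_lin.so` file name comes from the article, the `/tmp/` directory is assumed) and raises a finding for a `SLAVEOF`/`REPLICAOF` to any host outside a hypothetical allow-list of approved masters, for any `MODULE LOAD`, and for a `SLAVEOF NO ONE` that follows a `MODULE LOAD` from the same client. The `REPLCONF` and `PSYNC` steps are sent by the victim to the attacking master, so they do not normally appear as inbound commands and are not part of the detection.

```python
import re
from collections import defaultdict

# Constructed sample of Redis MONITOR output (not a capture from the article's honeypot).
# Line format: "<epoch> [<db> <client ip:port>] "<CMD>" "<arg>" ..."
SAMPLE_MONITOR_LOG = """\
1669875000.100000 [0 203.0.113.5:41234] "INFO"
1669875000.200000 [0 203.0.113.5:41234] "SLAVEOF" "203.0.113.9" "6379"
1669875000.500000 [0 203.0.113.5:41234] "MODULE" "LOAD" "/tmp/exp_lin.so"
1669875000.600000 [0 203.0.113.5:41234] "SLAVEOF" "NO" "ONE"
1669875001.000000 [0 10.0.0.7:50001] "SET" "session:42" "abc"
1669875001.100000 [0 10.0.0.7:50001] "GET" "session:42"
"""

# Hypothetical allow-list: the only hosts this instance may legitimately replicate from.
ALLOWED_MASTERS = {"10.0.0.2"}

MONITOR_LINE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<rest>.*)$'
)
# Arguments are double-quoted, with backslash escapes inside.
QUOTED_ARG = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_monitor_line(line):
    """Return (timestamp, client, [command, args...]) or None if the line is not MONITOR output."""
    m = MONITOR_LINE.match(line.strip())
    if not m:
        return None
    args = QUOTED_ARG.findall(m.group("rest"))
    if not args:
        return None
    return float(m.group("ts")), m.group("client"), args


def detect_rogue_replication(log_text, allowed_masters=ALLOWED_MASTERS):
    """Scan MONITOR output and return a list of (client, finding) tuples in log order."""
    findings = []
    saw_module_load = defaultdict(bool)  # client -> a MODULE LOAD has been seen from it
    for line in log_text.splitlines():
        parsed = parse_monitor_line(line)
        if parsed is None:
            continue
        _ts, client, args = parsed
        cmd = args[0].upper()
        if cmd in ("SLAVEOF", "REPLICAOF") and len(args) >= 3:
            host, port = args[1], args[2]
            if host.upper() == "NO" and port.upper() == "ONE":
                # Replication switched off again; suspicious right after a module was loaded.
                if saw_module_load[client]:
                    findings.append(
                        (client, "SLAVEOF NO ONE after MODULE LOAD (rogue-master pattern)")
                    )
            elif host not in allowed_masters:
                findings.append((client, f"SLAVEOF to unapproved master {host}:{port}"))
        elif cmd == "MODULE" and len(args) >= 3 and args[1].upper() == "LOAD":
            # Loading a shared object from a client connection is almost never legitimate.
            findings.append((client, f"MODULE LOAD of {args[2]}"))
            saw_module_load[client] = True
    return findings


if __name__ == "__main__":
    for client, finding in detect_rogue_replication(SAMPLE_MONITOR_LOG):
        print(f"{client}: {finding}")
```

Run against the constructed log, the detector reports three findings, all for the client at `203.0.113.5:41234`, and nothing for the benign `SET`/`GET` traffic from the second client. In production the same logic can be fed from `redis-cli MONITOR` piped to a file; `MONITOR` itself costs throughput, so an ACL that denies `MODULE` and `SLAVEOF`/`REPLICAOF` to ordinary clients is the cheaper first control.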
The library file exp_lin.so, which we have seen in the above-captured communication, is responsible for executing the code that exploits the vulnerability that was deliberately left in our honeypot server.
Researchers uncovered a file that contains the command “system.exec”, which enables the attacker to execute an arbitrary command and initiate their attack.
“The command was used for two different purposes: the first was activated to get information about the CPU architecture, and the second time it was used to download the newly found Redigo malware from the attacking server and immediately elevate the permissions of the file to execute on the server,” Aqua researchers detailed in the report shared with GBHackers.
The dropped malware also mimics Redis server communication, which enables the attackers to hide the communication between the targeted host and the C2 server.
Researchers are unclear about the full scope of the impact, though the pattern of this attack can add a targeted host to a large botnet, which usually means that the compromised server will take part in Distributed Denial of Service (DDoS) attacks.
Source credit: cybersecuritynews.com