Security researchers at Imperva have come across a new cryptojacking worm that infects Redis and Windows servers with cryptomining malware.
The attack, which has been dubbed RedisWannaMine by researchers from security firm Imperva, scans for misconfigured Redis deployments and Windows Servers that are still vulnerable to the Eternal Blue SMB exploit.
While investigating an attack against a web server that attempted to exploit the CVE-2017-9805 vulnerability in Apache Struts, the Imperva researchers located a command-and-control server hosting multiple attack scripts. One of those scripts was a new cryptomining downloader that exhibited worm-like behavior.
When executed, the script attempts to install a variety of packages through apt-get or yum—depending on the Linux distribution—creates entries in crontab for persistence and adds a new authorized SSH key for authentication. It then proceeds to download a tool called masscan from GitHub and compile it.
Masscan is a high-performance TCP port scanner and is used by RedisWannaMine to scan external and internal IP addresses for Redis deployments. Redis is an in-memory data store that can be used as a database, cache or message broker. It is usually deployed on internal networks, but thousands of such servers have been found exposed on the internet in the past. The project page of Masscan describes it as “TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.”
When an unprotected Redis server is discovered, the script installs cryptomining malware on it and creates crontab entries for persistence. The script then launches another scan, this time for Windows Servers that accept SMB connections.
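The "unprotected Redis server" the scan looks for is, in practice, a Redis instance bound to every interface with protected mode off and no password. The following audit script is an added example, not code from the Imperva report or the Redis project: it parses redis.conf text and flags those settings, plus a CONFIG command that has not been renamed away (a hardening step from the Redis security guide). The two configuration fragments are constructed, and the function only inspects text, it never connects to a server.

```python
"""Audit redis.conf text for the settings that leave Redis exposed to
unauthenticated network access. Added example; sample configs are constructed."""

# Constructed example: a deployment of the kind the scan would find.
EXPOSED_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is commented out, so any client may issue commands
# requirepass foobared
"""

# Constructed example: the same server after hardening.
HARDENED_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
rename-command CONFIG ""
"""


def parse_conf(text):
    """Return {directive_lower: [value, ...]} from redis.conf-style text.
    Blank lines and '#' comments are skipped; a directive may repeat
    (rename-command does), so values are kept in a list."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, []).append(value)
    return settings


def audit_redis_conf(text):
    """Return a list of finding strings; an empty list means nothing flagged."""
    s = parse_conf(text)
    findings = []

    # No 'bind' directive at all means Redis listens on every interface,
    # and so does a wildcard address.
    bind_addrs = s.get("bind", [""])[0].split()
    if not bind_addrs or any(a in ("0.0.0.0", "*", "::") for a in bind_addrs):
        findings.append("bind: listens on all interfaces (missing or wildcard bind)")

    # Assumption: treat a missing protected-mode line as 'yes' (the default
    # since Redis 3.2); an explicit 'no' is the dangerous case.
    if s.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: disabled")

    if not s.get("requirepass", [""])[0]:
        findings.append("requirepass: no password set")

    # rename-command CONFIG "" disables the command entirely.
    renamed = {v.split()[0].upper() for v in s.get("rename-command", []) if v.split()}
    if "CONFIG" not in renamed:
        findings.append("rename-command: CONFIG still available to clients")

    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_redis_conf(conf) or 'no findings'}")
```

Run it against a real redis.conf by reading the file into `audit_redis_conf`; the checks are configuration-only, so pair them with a firewall rule review, since a bind address alone does not tell you what the network exposes.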
The goal of the second scan is to find servers that are vulnerable to the Eternal Blue SMB exploit used by WannaCry, NotPetya and other malware attacks over the past year. When such servers are identified, the script downloads and installs a different cryptomining component for Windows.
Unlike past cryptojacking attacks, which primarily targeted servers directly reachable from the internet, RedisWannaMine also spreads laterally through local networks, making it much more dangerous to companies.
The malware “is more complex in terms of evasion techniques and capabilities,” the Imperva researchers said in a report. “It demonstrates a worm-like behavior combined with advanced exploits to increase the attackers’ infection rate and fatten their wallets. In a nutshell, cryptojacking attackers have upped their game and they are getting crazier by the minute!”