Misconfigured Redis database servers are the target of a novel cryptojacking campaign that leverages a legitimate and open source command-line file transfer service to implement its attack.
“Underpinning this campaign was the use of transfer[.]sh,” Cado Security said in a report shared with The Hacker News. “It’s possible that it’s an attempt at evading detections based on other common code hosting domains (such as pastebin[.]com).”
The cloud cybersecurity firm said the command line interactivity associated with transfer[.]sh has made it an ideal tool for hosting and delivering malicious payloads.
The attack chain commences with targeting insecure Redis deployments, followed by registering a cron job that leads to arbitrary code execution when parsed by the scheduler. The job is designed to retrieve a payload hosted at transfer[.]sh.
The payload is a script that paves the way for an XMRig cryptocurrency miner, but not before taking preparatory steps to free up memory, terminate competing miners, and install a network scanner utility called pnscan to find vulnerable Redis servers and propagate the infection.
“Although it is clear that the objective of this campaign is to hijack system resources for mining cryptocurrency, infection by this malware could have unintended effects,” the company said. “Reckless configuration of Linux memory management systems could quite easily result in corruption of data or the loss of system availability.”
The development makes it the latest threat to strike Redis servers after Redigo and HeadCrab in recent months.
The findings also come as Avertium disclosed a new set of attacks in which SSH servers are brute-forced to deploy the XorDdos botnet malware on compromised servers with the goal of launching distributed denial-of-service (DDoS) attacks against targets located in China and the U.S.
The cybersecurity company said it observed 1.2 million unauthorized SSH connection attempts across 18 honeypots between October 6, 2022, and December 7, 2022. It attributed the activity to a threat actor based in China.
42% of those attempts originated from 49 IP addresses assigned to ChinaNet Jiangsu Province Network, with the rest emanating from 8,000 IP addresses scattered all over the world.
“It was found that once the scanning identified an open port, it would be subject to a brute-force attack against the ‘root’ account using a list of approximately 17,000 passwords,” Avertium said. “Once the brute-force attack was successful, a XorDDoS bot was installed.”