The threat actors behind the RedTail cryptocurrency mining malware have added a recently disclosed security flaw impacting Palo Alto Networks firewalls to its exploit arsenal.
The addition of the PAN-OS vulnerability to its toolkit has been complemented by updates to the malware, which now incorporates new anti-analysis techniques, according to findings from web infrastructure and security company Akamai.
“The attackers have taken a step forward by employing private crypto-mining pools for greater control over mining outcomes despite the increased operational and financial costs,” security researchers Ryan Barnett, Stiv Kupchik, and Maxim Zavodchik said in a technical report shared with The Hacker News.
The infection sequence discovered by Akamai exploits a now-patched vulnerability in PAN-OS tracked as CVE-2024-3400 (CVSS score: 10.0) that could allow an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
A successful exploitation is followed by the execution of commands designed to retrieve and run a bash shell script from an external domain that, in turn, is responsible for downloading the RedTail payload based on the CPU architecture.
Other propagation mechanisms for RedTail involve the exploitation of known security flaws in TP-Link routers (CVE-2023-1389), ThinkPHP (CVE-2018-20062), Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887), and VMWare Workspace ONE Access and Identity Manager (CVE-2022-22954).
RedTail was first documented by security researcher Patryk Machowiak in January 2024 in relation to a campaign that exploited the Log4Shell vulnerability (CVE-2021-44228) to deploy the malware on Unix-based systems.
Then in March 2024, Barracuda Networks disclosed details of cyber attacks exploiting flaws in SonicWall (CVE-2019-7481) and Visual Tools DVR (CVE-2021-42071) to install Mirai botnet variants as well as shortcomings in ThinkPHP to deploy RedTail.
The latest version of the miner detected in April packs in significant updates in that it includes an encrypted mining configuration that’s used to launch the embedded XMRig miner.
Another notable change is the absence of a cryptocurrency wallet, indicating that the threat actors may have switched to a private mining pool or a pool proxy to reap financial benefits.
“The configuration also shows that the threat actors are trying to optimize the mining operation as much as possible, indicating a deep understanding of crypto-mining,” the researchers said.
“Unlike the previous RedTail variant reported in early 2024, this malware employs advanced evasion and persistence techniques. It forks itself multiple times to hinder analysis by debugging its process and kills any instance of [GNU Debugger] it finds.”
Akamai described RedTail as having a high level of polish, an aspect not commonly observed among cryptocurrency miner malware families out there in the wild.
Exactly who is behind the cryptocurrency mining malware is currently not clear, although the use of private crypto-mining pools mirrors a tactic used by the North Korea-linked Lazarus Group, which has a history of orchestrating wide-ranging cyber attacks for financial gain, the company noted.
“The investments required to run a private crypto-mining operation are significant, including staffing, infrastructure, and obfuscation,” the researchers concluded. “This sophistication may be indicative of a nation-state-sponsored attack group.”
