RedTail: Crypto-mining malware attacks Palo Alto

The cyber criminals behind the cryptomining malware known as RedTail they added a security vulnerability recently disclosed that impacts Palo Alto Networks’ firewalls to their arsenal of exploits.

The addition of the PAN-OS vulnerability to their toolkit has been accompanied by updates to the malware, which now incorporates new anti-analysis techniques, according to findings from web infrastructure and security firm Akamai.

What cybersecurity experts say about RedTail malware

“Attackers have gone one step further by employing private cryptomining pools for greater control over mining results despite higher operational and financial costs“said security researchers Ryan Barnett, Stiv Kupchik and Maxim Zavodchik in their relationship technical shared on various IT security publications.

The infection sequence discovered by Akamai exploits a now fixed vulnerability in PAN-OS tracked as CVE-2024-3400 (CVSS score: 10.0, i.e. maximum achievable vulnerability score) which could allow an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

Crypto-mining malware works based on CPU architecture

A successful execution is followed by the execution of commands designed to retrieve and execute a bash shell script from an external domain which, in turn, is responsible for downloading the RedTail payload based on the CPU architecture.

Other propagation mechanisms for RedTail involve the exploitation of known security vulnerabilities in TP-Link (CVE-2023-1389), ThinkPHP (CVE-2018-20062), Ivanti Connect Secure (CVE-2023-46805, and CVE-2024- 21887) and VMWare Workspace ONE Access and Identity Manager (CVE-2022-22954).

The first time RedTail got “caught”

RedTail was documented first reported by security researcher Patryk Mahowiak in January 2024 in connection with a campaign exploiting the Log4Shell vulnerability (CVE-2021-44228) to distribute malware on Unix-based systems.

Subsequently, in March 2024, Barracuda Networks has disclosed details on cyberattacks that exploited flaws in SonicWall (CVE-2019-7481) and Visual Tools DVR (CVE-2021-42071) to install variants of the Mirai botnet, as well as shortcomings in ThinkPHP to deploy RedTail.

The latest version of the miner spotted in April includes updates significant as it includes an encrypted mining setup used to launch the embedded XMRig miner.

Another notable change is the absence of a cryptocurrency wallet, indicating that the cybercriminals created the malware they might have moved on to a private mining pool or to a pool proxy to derive financial benefitsthe.

The curious attack techniques used by this malware

“The setup also shows that cybercriminals are trying to optimize the mining operation as much as possible, indicating a deep understanding of cryptomining“ said the researchers, who later added: “Unlike the previous RedTail variant reported in early 2024, This malware employs advanced evasion and persistence techniques. It forks multiple times to hinder analysis by debugging its process and kills any instance of [GNU Debugger] that he finds.”

Akamai described RedTail as having a high level of sophistication, something not commonly observed among cryptominer malware families out there.

“The investments needed to run a private cryptomining operation are significant, including staff, infrastructure, and obfuscation“, concluded the researchers. “This sophistication could be indicative of a state- or nation-sponsored attack group.“

Cases similar to RedTail have occurred in the past

There have been numerous similar cases in the past of cryptocurrency mining malware exploiting security vulnerabilities; below are some:

1. LemonDuck and LemonCat: These malware, active since 2019, exploit vulnerabilities on Windows and Linux devices to mine cryptocurrencies such as Monero; LemonDuck and LemonCat use similar structures to spread, often through exploits of known vulnerabilities and credential-stealing tools like Mimikatz​
2. Panda Group: This cybercriminal group is known to use remote access tools (RATs) and malware for cryptocurrency mining; they exploited vulnerabilities in web applications and servers such as WebLogic and Apache Struts to spread their malware. Panda has been involved in several mining campaigns, constantly updating their infrastructure and exploits used.
3. Attacks on cloud platforms: Trend Micro researchers observed targeted attacks on cryptocurrency mining cloud platforms; Cybercriminals have been exploiting vulnerabilities in cloud services to compromise large numbers of connected machines, using the scalability of the cloud to make CPU-based (rather than graphics card-based) mining profitable
4. Monero Mining through GitHub and Netlify: Attacks observed in 2021 exploited vulnerabilities in software such as Atlassian Confluence, F5 BIG-IP, VMware vCenter, and Apache HTTP Server; Attackers used GitHub and Netlify as repositories for mining tools, hosting malicious scripts to download and execute the malware on compromised systems.

These examples demonstrate how cybercriminals continue to evolve, exploiting new vulnerabilities and updating their tools to keep cryptocurrency mining operations profitable.