Pierluigi Paganini December 01, 2022

Redigo is a new Go-based malware employed in attacks against Redis servers affected by the CVE-2022-0543 vulnerability.

Researchers from security firm AquaSec discovered a new Go-based malware that is used in a campaign targeting Redis servers. Threat actors are exploiting a critical vulnerability, tracked as CVE-2022-0543, in Redis (Remote Dictionary Server) servers.

Redis (remote dictionary server) is an open source in-memory database and cache.

The CVE-2022-0543 flaw is a Lua sandbox escape flaw that impacts Debian and Debian-derived Linux distributions. The vulnerability, which was rated 10 out of 10 for severity, could be exploited by a remote attacker with the ability to execute arbitrary Lua scripts to possibly escape the Lua sandbox and execute arbitrary code on the underlying machine. Juniper Threat Labs researchers reported that the Muhstik botnet has been observed targeting Redis servers exploiting the CVE-2022-0543 vulnerability.

In March 2022, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this flaw to its Known Exploited Vulnerabilities Catalog.

The flaw has been fixed in February 2022, but threat actors continue to exploit it in attacks in the wild due to the public availability of a proof-of-concept exploit code.

The attack chain starts with scans for the Redis server exposing port 6379 to the internet, then threat actors attempt to connect and run the following Redis commands:

1. INFO command – this command allows adversaries to receive information about our Redis server. Among the data they receive, they now know which server’s version is vulnerable to CVE-2022-0543 (As we explained earlier, the honeypot was built with this vulnerability on purpose). This information provides adversaries with the approval they would need to be able to exploit the vulnerability and allow them to start preparing the surface to exploit it.
2. SLAVEOF command – this allows adversaries to create a replica of the attacking server. This action will later help them download the shared object allowing for the exploitation of the vulnerability.
3. REPLCONF command – this command is used in order to configure a connection from the master (the attacking server) to the replica that just was created.
4. PSYNC command – the new replica runs this command and initiates a replication stream from the master. This connection keeps the replica updated and allows the master to send a stream of commands. The attacking server that is defined as the master uses this connection to download the shared library exp_lin.so to the disk of the replica. Furthermore, this connection can use the adversaries as a backdoor, where in case of interrupts during the connection the replica is reconnects and tries to obtain the part of the stream of commands it missed during the disconnection.
5. MODULE LOAD command – this allows for the loading of a module from the dynamic library downloaded at stage 4 at runtime. This library allows for exploitation of the vulnerability and runs arbitrary commands later.
6. SLAVEOF NO ONE command – this turns off the replication and converts the vulnerable Redis server into a master.

Attackers loads the library file exp_lin.so and executes the exploit code for the above flaw. The file contains the implementation of the command system.exec which allows the attackers to execute an arbitrary command and launch the attack.

“The first use of the command is activated to receive information about the CPU architecture. The second use of the command is done to download the newly discovered malware from the attacking server – Redigo. After downloading the malware file, the attackers elevate the permissions of the file to execute, and execute it (for malware investigation read below).” reads the analysis published by AquaSec.

Threat actors simulate Redis communication over port 6379 to evade detection.

AquaSec researchers believe that threat actors are using the Redigo malware to infect Redis and add them to a botnet used to launch denial-of-service (DDoS) attacks, run cryptocurrency miners, or steal data from the servers.

The researchers also provided Indicators of Compromise (IOCs) for this threa.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Redis)

[adrotate banner=”5″]

[adrotate banner=”13″]