
New RedTail Malware Exploited Via PHP Security Vulnerability

Prashant Tilekar, Forescout Research - Vedere Labs | July 10, 2024

RedTail is a sophisticated malware designed for unauthorized cryptocurrency mining with a focus on Monero. It was first identified in January 2024, but it has been circulating since at least December 2023. Its latest iterations show improvements in evasion and persistence mechanisms, underscoring the significant expertise and resources driving its development.

The malware was previously delivered by exploiting several vulnerabilities, including those affecting ThinkPHP (CVE-2018-20062), Log4j (CVE-2021-44228), VMWare Workspace ONE (CVE-2022-22954), TP-Link routers (CVE-2023-1389), Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887) and PAN-OS (CVE-2024-3400).

Here, we analyze a recent campaign we observed delivering newer versions of RedTail via exploits of CVE-2024-4577 — a critical security vulnerability in PHP servers.

The RedTail malware shows the sophistication of modern cyber threats by using multiple attack vectors to infiltrate and compromise systems.

RedTail gains initial access to targeted environments often through content management systems or plugins running on vulnerable PHP servers. Once inside, it leverages a multifaceted approach: deploying a malicious SSH agent to steal SSH credentials, using XMRig for covert cryptocurrency mining, and maintaining stealth through encrypted JSON-RPC communications with a mining pool. This combination of tactics facilitates financial gain through illicit mining operations and poses significant risks to data integrity and system availability.

PHP Security Vulnerability: CVE-2024-4577 Exploits

CVE-2024-4577 (CVSSv3.1 score 9.8) allows remote code execution via the PHP CGI component and is actively being exploited in the wild. The widespread use of PHP, coupled with the ease of exploitation, means that this vulnerability poses a significant risk. Threat actors can bypass PHP CGI mode protections by sending a specially crafted POST request to a server configured with Japanese or Chinese locales.

Between June 7 and June 21, we recorded 227 attempts to exploit CVE-2024-4577 on Forescout’s Adversary Engagement Environment (AEE) from the following IP addresses:

  • 95.178.86[.]206 on June 7
  • 193.143.1[.]88 on June 7, 10 and 11
  • 196.41.10[.]197 on June 9
  • 39.104.52[.]79, 58.220.109[.]154 and 183.56.201[.]169 on June 12
  • 84.239.54[.]49 on June 13
  • 141.98.11[.]82 on June 14, June 17 and June 21
  • 45.128.232[.]200 on June 18
  • 103.230.15[.]18 on June 21

The image below shows additional information about the observed IPs in the past 90 days, including their activity over time on the AEE and their countries of origin. In this timeframe, two of these IPs (45.128.232[.]200 and 141.98.11[.]82) were seen distributing webshells, and one of them (45.128.232[.]200) was also seen distributing Mirai botnet payloads.

In our most recent observations of CVE-2024-4577 exploitation, we noticed a rise in attempts to execute commands that download and run bash scripts. In particular, we observed 30 crafted POST requests between June 14 and June 21 – all coming from 141.98.11[.]82 – with the following details:


The command shown above downloads a bash script from “http://183.172.128[.]93/sh” onto targeted devices with the intention of executing the RedTail malware. We successfully acquired both the script and a sample of the malware for further analysis.

Shell Script Analysis

The downloaded shell script begins by creating and entering a directory named after the current username within the temporary directory, or in a folder under /opt. The script then connects to a server via HTTP and uses wget to download the RedTail malware into the newly created directory.

Since RedTail is designed to target Linux-based systems across four different architectures (x86_64, i686, arm7 and arm8), the script evaluates the system architecture to determine the appropriate file version using the command uname -mp.

After selecting the correct architecture, the script copies the corresponding file to a hidden file named .redtail within the same directory and then executes it. Following this, the script cleans up by removing all versions of the malware files from the directory using the command rm -rf redtail.*.

Finally, the script sets up a cron job to enable the execution of malware from the hidden file, granting root-level access for malicious activities. This sophisticated setup allows for automated and stealthy deployment of payloads, ensuring persistence and remote-control capabilities.
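The dropper behaviour described above leaves a predictable footprint on a host: a per-user directory under /tmp or /opt, a hidden .redtail ELF (packed with UPX, as noted in the next section) and a crontab entry that relaunches it. The following triage helper, added here as an illustration rather than Forescout's own tooling, hunts for exactly those artifacts on a constructed sample layout; the directory depth, the "UPX!" header tag and the crontab format are assumptions about the layout the script produces.

```python
"""Hypothetical host triage for the RedTail dropper layout (not Forescout code)."""
import re
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"  # UPX leaves this tag inside binaries it packs


def classify_elf(data: bytes) -> str:
    """Label a file head as not-elf, elf, or elf-upx-packed."""
    if not data.startswith(ELF_MAGIC):
        return "not-elf"
    return "elf-upx-packed" if UPX_MARKER in data else "elf"


def find_hidden_redtail(root: Path) -> list:
    """Look for .redtail one level below /tmp and /opt, where the script drops it."""
    hits = []
    for base in ("tmp", "opt"):
        basedir = root / base
        if not basedir.is_dir():
            continue
        for child in basedir.iterdir():
            cand = child / ".redtail"
            if cand.is_file():
                hits.append((str(cand), classify_elf(cand.read_bytes()[:65536])))
    return hits


# Five schedule fields or an @keyword, followed by a command mentioning .redtail
CRON_RE = re.compile(r"^\s*(?:@\w+|(?:\S+\s+){5}).*\.redtail.*$")


def find_cron_persistence(crontab_text: str) -> list:
    """Return crontab lines whose command references a .redtail file."""
    return [ln.strip() for ln in crontab_text.splitlines() if CRON_RE.match(ln)]


def hunt(root: Path, crontab_text: str) -> dict:
    return {"files": find_hidden_redtail(root), "cron": find_cron_persistence(crontab_text)}


def demo() -> dict:
    """Constructed sample host: a fake packed dropper plus a benign ELF and cron line."""
    root = Path(tempfile.mkdtemp())
    (root / "tmp" / "www-data").mkdir(parents=True)
    (root / "tmp" / "www-data" / ".redtail").write_bytes(ELF_MAGIC + b"\0" * 12 + UPX_MARKER + b"\0" * 64)
    (root / "opt" / "clean").mkdir(parents=True)
    (root / "opt" / "clean" / "app.bin").write_bytes(ELF_MAGIC + b"\0" * 32)
    crontab = "@reboot /tmp/www-data/.redtail\n0 * * * * /usr/bin/true\n"
    return hunt(root, crontab)


if __name__ == "__main__":
    print(demo())
```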

RedTail Malware Analysis

The initial stage of RedTail is contained within an ELF binary file packed with UPX. After unpacking and analyzing the binary, we identified numerous functions within its code. We will delve into some of these functions to understand the specific actions and intentions of the malware.

  • Gather system information. RedTail gathers extensive system information, including operating system version, architecture, and build number, as well as user information such as username and account type. The malware also retrieves hardware specifications, including CPU, RAM, and storage details, as well as network information such as IP addresses, MAC addresses, and network configuration.
  • Configure XMRig. After infection, RedTail uses XMRig to exploit the system’s processing power to mine Monero. This process involves running the mining software in the background, usually without the user’s knowledge, which can significantly slow down the infected machine and increase its power consumption. The mined cryptocurrency is then sent to wallets controlled by the attackers, providing them with financial gains at the expense of the compromised system’s performance and the victim’s resources.
  • Persist. To ensure that the malware remains active even after a system reboot, it establishes a persistent presence by configuring a cron job within the user’s crontab. This scheduled task automatically triggers the malware whenever the system starts up, allowing it to resume its malicious activities without requiring user intervention.
  • Steal credentials. RedTail drops a malicious version of ssh-agent on infected systems. This modified ssh-agent is used to hijack and steal SSH credentials, allowing the attackers to gain unauthorized access to other systems and servers. By mimicking the legitimate ssh-agent process, the malware can intercept SSH keys and passphrases entered by the user, effectively compromising the security of SSH communications. Once deployed, the malicious ssh-agent runs in the background, silently capturing SSH authentication details. These stolen credentials are sent back to the attackers’ C2 server in encrypted form and can then be used by the attackers to move laterally within the network, escalate privileges, and execute further malicious activities.
  • Command and control. The malware reaches out to a command-and-control (C2) server controlled by the attackers. Upon establishing contact with the C2 server, the malware downloads configuration settings, which may include instructions for further actions, such as targeting specific systems within the network, updating the malware itself, or deploying additional payloads. This remote configuration capability enables the attackers to modify the malware’s behavior in real time, tailoring its activities to the specific environment it has infiltrated.
  • Cryptocurrency mining. Once RedTail has successfully established its presence and gathered the necessary configuration data from the attacker server, it initiates its primary malicious activity: mining Monero cryptocurrency. The malware uses JSON-RPC for network communication with the mining pool. Once the session key is established, subsequent communications are encrypted using a symmetric encryption algorithm (e.g., AES).

Detection

Forescout TDR rules CY-IR-1841 and CY-DR-0089 (“Emerging Threats: Possible PHP CGI Argument Injection Vulnerability Exploitation Detected (CVE-2024-4577)”) detected this exploitation of PHP in CGI mode.

Mitigation

Patching PHP servers – as well as other vulnerable devices, services and applications – is essential for minimizing risk. In addition to patching, implementing security best practices, such as network segmentation and access control, can prevent the spread of infections. Continuous network monitoring aids in the automatic detection of, and response to, ongoing infections.

TTPs

Each entry lists the tactic, the technique and the procedure observed:

  • Initial Access – Exploit Public-Facing Application: Exploit CVE-2024-4577.
  • Credential Access – OS Credential Dumping: Extract SSH keys and passphrases from compromised systems using the malicious ssh-agent.
  • Command and Control – Encrypted Channel: Establish encrypted communication channels between compromised systems and C2 servers for remote command execution and data exfiltration.
  • Impact – Resource Hijacking: Use XMRig to exploit system resources (CPU/GPU) for Monero cryptocurrency mining without user consent.
  • Exfiltration – Exfiltration Over C2 Channel: Steal sensitive information or mined cryptocurrency from compromised systems and transfer it to attacker-controlled servers.
  • Defense Evasion – File Deletion: Delete critical files or logs on compromised systems to cover tracks and hinder forensic investigation.
  • Lateral Movement – Remote Service Session Hijacking: Take control of SSH sessions with the malicious SSH agent.

IoCs

