[This is a Guest Diary by Cody Hales, an ISC intern as part of the SANS.edu BACS program]

Introduction

From August to November 2024, my honeypot has captured a wide array of malicious content. In this analysis, I will focus on a specific strain of malware called redtail and the scripts that enable its execution. redtail is a cryptocurrency mining malware (coin miner) that stealthily installs itself on compromised systems, exploiting the host’s resources for unauthorized cryptocurrency mining to benefit the threat actor. I have observed this malware being executed on my honeypot 4 times by 3 different threat actors.

To execute successfully, redtail utilizes two extra scripts: one script identifies the CPU architecture of the victim system, ensuring compatibility for the malware, and a second script removes any other cryptomining software that may already exist on the compromised system. This dual approach highlights the advanced tactics employed by threat actors to maintain persistence and evade detection.

Using a combination of modern threat intelligence feeds and my own observations, I will shed light on the tactics employed by the threat actors behind these attacks and examine the sophisticated features of coin mining malware currently active. Additionally, I will discuss the broader implications of this analysis, why it is relevant, and how to prevent or mitigate the threat.

Description of the Subject

redtail is a particularly dangerous piece of malware due to its ability to run on multiple CPU architectures as well as its ability to continuously evolve, significantly broadening the range of devices and hosts it can compromise. As recently as April 2024, a new variant of redtail was documented, exploiting a critical vulnerability in Palo Alto Networks' PAN-OS (CVE-2024-3400). This vulnerability allows a threat actor to create an arbitrary file that could eventually enable command execution with root privileges on the NGFW, bypassing security measures in place [17]. The samples analyzed in this post offer a look into variants of redtail crypto mining malware actively circulating today.

Analysis of the Attack Observations

Based on an initial analysis that began with an earlier attack observation [19], on October 15, 2024, at 00:47:54 UTC, a threat actor using IP address 5.182.211.148 connected to the honeypot with the credentials "root/nimda." This was the threat actors’ first and only attempt at gaining access to the honeypot. The threat actor probed a single port, TCP/2222, before establishing the connection. The session ID for this connection was 99c515936ae6. After the threat actor gained access, they uploaded a total of 6 files to the honeypot: clean.sh, redtail.arm7, redtail.arm8,  redtail.i686, redtail.x86_64, and setup.sh.

The following screen capture for my honeypot shows the command the threat actor ran to install the scripts needed to prepare and run redtail.

After gaining access the threat actor makes clean.sh executable via the chmod -x command, then runs the script. This script appears to remove any attempt a previous threat actor has made to install cryptomining software, specifically disabling c3pool_miner, a Monero cryptomining tool, as well as any malicious cronjobs and scheduled tasks. After the script runs, the threat actor forcefully removes any evidence of the clean.sh script; this is accomplished using the rm -rf command. Below is a screenshot of the clean.sh script captured from my honeypot.

After the clean.sh script is removed, the threat actor follows the same steps to make setup.sh executable, runs the script, and then forcibly removes any evidence that the script was present on the system. Below is a screenshot of the setup.sh script captured from my honeypot. This screenshot will be referenced again later.

After the clean.sh and setup.sh scripts have been run and removed, the threat actor creates a .ssh directory, if it does not already exist. The threat actor then uses the chattr (change attribute) command with -ia to remove the immutable and append only attributes for the authorized_keys file under the .ssh directory. The threat actor then adds a SSH public key to the authorized_keys file by using the echo ssh-rsa ... rsa-key-20230629 command. This allowed the threat actor to gain persistent access without needing a password, establishing a backdoor. Then the chattr +ia command is run to reestablish the immutable and append only attributes to the authorized_keys file. This makes the file more difficult to delete, aiding in maintaining persistence. The uname -a command is run, displaying system information such as kernel version, hostname, and operating system. The final command to be run is echo -e \x61\x75\x74\x68\x5F\x6F\x6B\x0A; using cyberchef to convert the hexadecimal the line reads auth_ok ( \x61\x75\x74\x68\x5F\x6F\x6B) with a new line (\x0A) [20]. This shows that the SSH key has been added successfully.

Directly after the previous string of commands were run the logs show the 6 files being uploaded over secure FTP on port 69.

Focusing on the redtail files, a quick search of the file hash using virustotal shows that they are cryptomining malware. As an example, when the file hash for the first redtail variant (redtail.arm7) is run in virustotal it gets a community score of 31/64 [6].  That virustotal page can be seen in the following screenshot.

Further Analysis

From October 15th to November 11th the redtail malware attack has been attempted 4 times, all using the same clean.sh and setup.sh scripts and similar redtail files. The first of these attacks was highlighted in the previous section. This threat actor’s IP address, 5.182.211.148, came from The Netherlands, receiving a severity score of 5 of 5, a confidence score of 4 of 5, and a risk score of 4 or 5 by threatstop.com. When the IP was run in virustotal, it received a 10/94 community score [2]. Both threatstop and virusetotal confirmed that the IP was from The Netherlands. Below is a screenshot of the whois information for IP address 5.182.211.148 provided by threatstop.com.

The 3 other attacks made to the honeypot were made by two IP addresses 94.103.125.37 and 87.120.113.231, both originating in Bulgaria. These Bulgarian IP addresses had similar virustotal scores to the IP from The Netherlands; 94.103.125.37 received a 7/94 community score [3] and 87.120.113.231 received a 17/94 community score [4]. Though both threatstop and virustotal state that the IP addresses are from Bulgaria, the whois information for these IP addresses shows physical addresses in the United States, either Anchorage Alaska or Boulder Colorado.

During the analysis it was discovered that the redtail files uploaded by the Netherlands IP address differed from those uploaded by the Bulgarian Ip addresses. The Netherlands file hashes were as follows:

redtail.arm7    7cd48d762a343b483d0ce857e5d2e30fc795d11a20f1827679b9a05d5ab75c3f
redtail.arm8    cebd34c54c9ac02902ef8554939cf6a34aa8f320ea051e0f3d67d91685a1abf0
redtail.i686    f1f34b7b798f8ec472b69eb5bd196381d749ced4d4a461d563896dfa827c84b6
redtail.x86_64    16782165ceb9ac6ac5e8d6db387de9c18b9c214031ef36c0b092f9314342414a

Bulgarian file hashes:

redtail.arm7    d4635f0f5ab84af5e5194453dbf60eaebf6ec47d3675cb5044e5746fb48bd4b4
redtail.arm8    992cb5a753697ee2642aa390f09326fcdb7fd59119053d6b1bdd35d47e62f472
redtail.i686    69dc9dd8065692ea262850b617c621e6c1361e9095a90b653b26e3901597f586
redtail.x86_64    29f8524562c2436f42019e0fc473bd88584234c57979c7375c1ace3648784e4b

In all cases the hashes for the clean.sh and setup.sh files were the same. Due to the differences in redtail file hashes, I believe that the Bulgarian attacks may be coming from a single threat actor using a botnet to deliver their malware.

How to Protect Your System

Protecting your systems from cryptomining malware like redtail is crucial in today’s threat environment. One of the most fundamental measures for system protection is ensuring that all software is consistently patched with the latest security updates. In addition to system patching, deploying a reputable, full-featured antimalware solution can significantly reduce the risk of malware spreading or executing on your systems. Given the evolving nature of cryptominers, as well as other types of malicious software, it’s vital for system defenders to have the best tools at their disposal, and maintaining up-to-date antimalware solutions is an essential part of a complete defense strategy.

As outlined above, malware can also exploit vulnerabilities in security devices. A key defense strategy is to disable unused ports and services. In all observed attacks, adversaries used SFTP to transfer malicious files, often targeting common file transfer ports such as ports 69, 118, 132, and 566. If your system does not require file transfer services, blocking these ports can help prevent threat actors from delivering malicious payloads.

In every instance of attack observed, the adversary gained access via weak root login credentials on the honeypot. Without root-level access, the threat actors would have been unable to implant their own SSH key, a tactic used to establish persistence. It is considered a best practice to disable direct root logins on all systems to mitigate this risk.

To further protect against malware attempting to gain root access, consider implementing SSH shared keys, Fail2ban, or TCP Wrappers. SSH shared keys enable passwordless login through the use of a private key, reducing the risk associated with weak passwords. SSH shared keys work by generating a pair of keys that are shared and placed in the shared_keys file on each system allowing the individual, who is authorized, to access a system using a private key. Alternatively, TCP Wrappers offer a host-based access control mechanism, utilizing IP addresses or system names as tokens for access verification. When the token is legitimate, the system grants connection [15]. Additionally, Fail2ban provides an extra layer of protection by monitoring log files for suspicious entries and blocking unwanted IP addresses. It can integrate seamlessly with TCP Wrappers, IP tables, and firewall rules to help prevent unauthorized access [16] and mitigate threats like redtail.

A highly effective tactic for defending against not just cryptominers but all forms of malware is the use of centralized log monitoring, typically implemented through a Security Information and Event Management (SIEM) system. SIEMs are essential tools for malware detection and prevention, offering comprehensive visibility, advanced threat detection, and swift response capabilities. By aggregating logs and security data from across the network—including firewalls, antivirus solutions, endpoint detection systems, and other devices—SIEMs can correlate information to identify suspicious patterns or anomalies that may signal malware activity, such as unauthorized access attempts, unexpected file downloads, or unusual process executions. Many modern SIEMs also integrate with external threat intelligence feeds, enabling them to cross-reference internal activity with the latest information on known malware signatures, command-and-control servers, and malicious IP addresses. This integration allows SIEMs to swiftly detect and block threats before they can spread, enhancing overall network security.

Conclusion

In summary, redtail malware demonstrates the evolving sophistication of cryptomining threats, using scripts to identify CPU architecture and remove competing miners, while also exploiting system vulnerabilities for root access. Effective protection requires a comprehensive strategy including regular system and security patching, robust antimalware solutions, disabling direct root logins, use of a SIEM solution, and implementing SSH shared keys, Fail2ban, or TCP Wrappers. Blocking unnecessary ports and services further mitigates risk. The attacks observed on my honeypot highlight the importance of strong credentials and proactive defenses, underscoring the need for continuous vigilance against advanced threats.

[1] https://www.threatstop.com/check-ioc
[2] https://www.virustotal.com/gui/ip-address/5.182.211.148/detection
[3] https://www.virustotal.com/gui/ip-address/94.103.125.37/detection
[4] https://www.virustotal.com/gui/ip-address/87.120.113.231/detection
[5] https://www.virustotal.com/gui/file/d46555af1173d22f07c37ef9c1e0e74fd68db022f2b6fb3ab5388d2c5bc6a98e
[6] https://www.virustotal.com/gui/file/7cd48d762a343b483d0ce857e5d2e30fc795d11a20f1827679b9a05d5ab75c3f
[7] https://www.virustotal.com/gui/file/cebd34c54c9ac02902ef8554939cf6a34aa8f320ea051e0f3d67d91685a1abf0
[8] https://www.virustotal.com/gui/file/f1f34b7b798f8ec472b69eb5bd196381d749ced4d4a461d563896dfa827c84b6
[9] https://www.virustotal.com/gui/file/16782165ceb9ac6ac5e8d6db387de9c18b9c214031ef36c0b092f9314342414a
[10] https://www.virustotal.com/gui/file/3b15778595cef00d1a51035dd4fd65e6be97e73544cb1899f40aec4aaa0445ae
[11] https://www.virustotal.com/gui/file/d4635f0f5ab84af5e5194453dbf60eaebf6ec47d3675cb5044e5746fb48bd4b4
[12] https://www.virustotal.com/gui/file/992cb5a753697ee2642aa390f09326fcdb7fd59119053d6b1bdd35d47e62f472
[13] https://www.virustotal.com/gui/file/69dc9dd8065692ea262850b617c621e6c1361e9095a90b653b26e3901597f586
[14] https://www.virustotal.com/gui/file/29f8524562c2436f42019e0fc473bd88584234c57979c7375c1ace3648784e4b
[15] https://en.wikipedia.org/wiki/TCP_Wrappers
[16] https://en.wikipedia.org/wiki/Fail2ban
[17] https://www.akamai.com/blog/security-research/2024-redtail-cryptominer-pan-os-cve-exploit
[18] https://xmrig.com/docs/miner
[19] Attack Observation 5.docx -- https://canvas.sans.edu/courses/409/assignments/4080?module_item_id=5346
[20] https://cyberchef.org/#recipe=From_Hex('Auto')&input=XHg2MVx4NzVceDc0XHg2OFx4NUZceDZGXHg2Qlx4MEE
[21] https://www.sans.edu/cyber-security-programs/bachelors-degree/

ChatGPT was utilized for assistance with refining grammar and enhancing the professionalism and readability of the blog post. All research, analysis, content creation, and technical details are my own or are referenced above.

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu