Analysis Summary

The threat actors behind the RedTail cryptocurrency mining malware have expanded their toolkit of exploits to include a newly discovered security vulnerability affecting Palo Alto Networks firewalls.

Findings from web infrastructure and researchers show that the malware has been updated to include new anti-analysis tactics and the PAN-OS vulnerability added to its arsenal. The attackers have progressed by employing private crypto-mining pools to have more control over mining outcomes, despite the increased operations and financial costs.

The infection sequence identified by cybersecurity analysts takes advantage of a PAN-OS vulnerability that has since been patched and is identified as CVE-2024-3400 (CVSS score: 10.0). This vulnerability might grant an unauthorized user the ability to execute arbitrary code on the firewall with root privileges. After successful exploitation, commands are executed to download and run a bash shell script from an external domain. This script downloads the RedTail payload according to the CPU architecture.

RedTail can also spread in other ways, such as by taking advantage of vulnerabilities in ThinkPHP (CVE-2018-20062), TP-Link routers (CVE-2023-1389), Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887), and VMware Workspace ONE Access and Identity Manager (CVE-2022-22954). The first record of RedTail dates back to January 2024, and it concerned a campaign that infected Unix-based systems with malware by leveraging the Log4Shell vulnerability (CVE-2021-44228).

Then, in March 2024, researchers released information about cyberattacks that took advantage of ThinkPHP flaws to install RedTail and SonicWall (CVE-2019-7481) and Visual Tools DVR (CVE-2021-42071) vulnerabilities to install Mirai botnet variants. A key change included in the miner's most recent version, discovered in April, is the inclusion of an encrypted mining configuration that starts the embedded XMRig miner. The lack of a cryptocurrency wallet is another obvious shift, suggesting that the threat actors may have shifted to using a private mining pool or a pool proxy to profit financially.

The setup also demonstrates the threat actors' attempt to maximize mining efficiency, demonstrating a thorough knowledge of cryptocurrency mining. This malware uses sophisticated evasion and persistence strategies, in contrast to the earlier RedTail strain first discovered in early 2024. It repeatedly forks itself, killing any instance of GNU Debugger it finds and debugging its process to obstruct analysis. RedTail has a high level of polish, which is uncommon among families of cryptocurrency miner malware that are out in the public.

Although the identity of the perpetrator of the cryptocurrency mining software is unknown right now, the researchers pointed out that the usage of private crypto-mining pools is similar to a strategy employed by the Lazarus Group, which is connected to North Korea and has a history of planning extensive cyberattacks for financial benefit. Operating a private cryptocurrency mining operation involves large expenditures for infrastructure, personnel, and obfuscation. This level of sophistication could be a sign of a threat group funded by a nation-state.

Impact

• Unauthorized Access
• Code Execution
• Financial Loss

Indicators of Compromise

Remediation

• Refer to Palo Alto Security Advisory for patch, upgrade, or suggested workaround information.
• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Ensure all operating systems and software are up to date with the latest security patches.
• Employ reliable antivirus and antimalware software to detect and block known threats.
• Regularly update these tools to maintain the latest threat intelligence.
• Implement IDPS to detect and prevent unusual network activity, system behavior, or similar threats.
• Enable two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
• Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
• Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
• Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
• Segment your network to limit lateral movement for attackers.
• Employ application whitelisting to only allow approved software to run on systems, reducing the risk of unauthorized applications being executed.
• Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to quickly respond to and mitigate any potential breaches.
• Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that could be exploited by info-stealers and other types of malware.