The RedTail cryptocurrency mining malware has been observed exploiting a critical zero-day vulnerability in Palo Alto Networks’ firewall software, PAN-OS.
This vulnerability, tracked as CVE-2024-3400, has a CVSS score of 10.0, indicating its severity. The flaw allows unauthenticated attackers to execute arbitrary code with root privileges on the affected firewall systems, posing a substantial threat to organizations relying on these devices for network security.
The exploitation process begins with the attackers leveraging the CVE-2024-3400 vulnerability to gain unauthorized access to the firewall.
Once access is obtained, the attackers execute commands to retrieve and run a bash shell script from an external domain.
All-in-One Cybersecurity Platform for MSPs to provide full breach protection with a single tool, Watch a Full Demo
This script is responsible for downloading the RedTail payload, which is tailored to the compromised system’s CPU architecture.
The malware then initiates its cryptomining operations, utilizing the system’s resources to mine cryptocurrency.
Advanced Techniques and Evasion
The latest iteration of RedTail incorporates several advanced techniques to evade detection and analysis.
According to Akamai’s security researchers, the malware now includes new anti-analysis features, such as forking itself multiple times to hinder debugging efforts and terminating any instances of the GNU Debugger (GDB) it encounters.
These enhancements make it more challenging for security professionals to analyze and mitigate the threat.
The malware’s configuration has also been updated to include an encrypted mining setup, which launches the embedded XMRig miner.
Notably, the latest version of RedTail does not contain a cryptocurrency wallet, suggesting that the threat actors have shifted to using private mining pools or pool proxies.
This change allows them greater control over mining outcomes despite the increased operational and financial costs of maintaining a private server.
RedTail’s impact is not limited to Palo Alto Networks firewalls. The malware has also been observed exploiting other known vulnerabilities in various devices and software, including TP-Link routers (CVE-2023-1389), ThinkPHP (CVE-2018-20062), Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887), and VMWare Workspace ONE Access and Identity Manager (CVE-2022-22954).
This range of targets highlights the malware’s versatility and the attackers’ extensive knowledge of different systems.
RedTail was first documented in January 2024 by security researcher Patryk Machowiak, who identified its use in a campaign exploiting the Log4Shell vulnerability (CVE-2021-44228) to deploy the malware on Unix-based systems.
Since then, the malware has evolved significantly. In March 2024, Barracuda Networks reported cyber attacks that leveraged flaws in SonicWall (CVE-2019-7481) and Visual Tools DVR (CVE-2021-42071) to install Mirai botnet variants and deploy RedTail.
The latest version detected in April 2024 includes significant updates, such as the use of the RandomX algorithm for greater mining efficiency and modifications to the operating system configuration to utilize larger memory blocks (hugepages), enhancing performance.
While Akamai has not attributed the RedTail malware to any specific group, the sophistication, and resources required to operate a private cryptomining pool suggest the involvement of a nation-state-sponsored group.
The tactics the threat actors employ mirror those used by North Korea’s Lazarus Group, known for its for-profit hacking operations and cryptocurrency thefts.
The exploitation of the CVE-2024-3400 vulnerability by the RedTail cryptominer underscores the critical need for organizations to apply security patches and updates promptly.
IOCs
| Indicator type | Indicator value |
|---|---|
| Exploits origin IP addresses | 92.118.39.120193.222.96.16379.110.62.2534.127.194.11192.18.157.25168.170.165.3694.74.75.19 |
| Malware hosting servers | 193.222.96.16394.156.79.6094.156.79.129185.216.70.13878.153.140.51 |
| Domain names | proxies.identitynetwork.top |
Get special offers from ANY.RUN Sandbox. Until May 31, get 6 months of free service or extra licenses. Sign up for free.