New Redigo Malware Injects Backdoor into Redis Servers

New Redigo malware
Written by William Reddy

Experts warned about the emergence of a new Redigo malware written in Go — the malware targets Redis servers and exploits the CVE-2022-0543 vulnerability to install a hidden backdoor and execute commands.

This vulnerability was discovered and fixed back in February of this year, but hackers continue to use it against unpatched systems, since not everyone installs patches on time, and a PoC exploit for this problem is freely available.

Let me remind you that we also wrote that Azov Ransomware Wiper Operators Try to Set Up Ukraine and Well-Known Information Security Specialists, and also that Hackers Used the CovalentStealer Malware to Infiltrate the Network of a Defense Enterprise in the United States.

According to specialists from AquaSec, their baits were recently infected with a new malware, which is not yet identified as a threat by antiviruses on Virus Total.

This malware is called Redigo, and experts say its attacks begin by scanning ports 6379 to find Redis servers that are accessible over the Internet. Once the target endpoint is found, the attacker connects and executes the following commands:

  1. INFO – Redis version check to determine if the server is vulnerable to CVE-2022-0543;
  2. SLAVEOF – create a server copy;
  3. REPLCONF – configure server connection to the newly created replica;
  4. PSYNC – initiating streaming replication and loading the library onto the server disk;
  5. MODULE LOAD – loading a module from a downloaded dynamic library capable of executing arbitrary commands and exploiting CVE-2022-0543;
  6. SLAVEOF NO ONE – make the vulnerable Redis server the master.

New Redigo malware

After that, using the capabilities of the injected backdoor, the attackers collect information about the host’s hardware, and then download Redigo (redis-1.2-SNAPSHOT) to it. Moreover, the malware is launched after privilege escalation.

AquaSec analysts were unable to determine what Redigo was doing after gaining a foothold in the system, due to the fact that the duration of the noticed attack was limited. However, it is known that attackers try to hide their presence and the traffic of Redigo control servers, and to do this, they imitate normal communications with Redis through port 6379.

The researchers believe that the ultimate goal of Redigo is likely to be cryptocurrency mining or organizing DDoS attacks using compromised servers.

Let me also remind you that the media wrote that Coin mining trojans are injected through the Confluence vulnerability.

About the author

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months after I have got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after being graduated from the school. This French educational institution was offering a brand-new cybersecurity course. After getting the master's degree in cybersecurity, I've started working as a virus analyst in a little anti-malware vendor.

Leave a Comment