A newly discovered cryptojacking campaign, dubbed RedisRaider, is targeting publicly accessible Redis servers on Linux systems with an aggressive and technically complex attack chain.
Security researchers at Datadog have analyzed this emergent threat, which demonstrates advanced worm-like propagation, layered obfuscation, and multi-modal revenue generation, raising the bar for Linux-centric cryptojacking operations.
RedisRaider’s Technical Arsenal
Unlike opportunistic malware, RedisRaider engages in systematic scanning of randomly generated IPv4 space segments, seeking Internet-facing Redis servers running on the default port 6379.
Exploiting legitimate Redis configuration commands, the worm issues the INFO command to fingerprint the host OS, proceeds with exploitation only if the target is Linux, and then leverages the Redis SET command to insert a malicious cron job via a time-limited database key.
This cron job, once written to the vulnerable host’s /etc/cron.d/apache, executes a base64-encoded shell script that downloads the Go-based primary payload, delivered as an ELF binary.
The payload itself is heavily obfuscated using Garble (a Go language symbol obfuscator) and incorporates customized packing routines designed to thwart static analysis.

During runtime, the loader unpacks an embedded version of the popular XMRig Monero miner and shifts execution into profit-generating mining operations.
Obfuscation extends beyond code: RedisRaider exhibits subtle anti-forensics, such as configuring short key time-to-live (TTL) values, disabling Redis database compression so that the planted cron job persists to disk intact, and swiftly deleting evidence (e.g., via the DEL command).
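The persistence artifact described above (a Redis dump written into /etc/cron.d with compression off, whose planted value is a base64-decoding cron line) leaves a recognisable footprint on the host. The following detector is an added example, not code from the Datadog analysis or from the malware; the RDB framing bytes and cron contents in the samples are constructed, and the finding names and the /etc/cron.d default are this example's own choices.

```python
import base64
import os
import re

# A file produced by Redis persistence starts with "REDIS" + a 4-digit RDB version.
RDB_MAGIC = b"REDIS"
# "echo <b64> | base64 -d | sh" style command; decoder flag and shell name vary.
B64_PIPE = re.compile(rb"base64\s+(?:-d|--decode)\b\s*\|\s*(?:/bin/)?(?:ba)?sh\b")
TEXT_BYTES = frozenset(range(32, 127)) | frozenset(b"\t\n\r")

def scan_cron_file(content: bytes) -> list:
    """Return findings for one /etc/cron.d file; an empty list means it looks normal."""
    findings = []
    if content.startswith(RDB_MAGIC):
        findings.append("rdb_magic")          # file is a Redis dump, not a crontab
    if any(b not in TEXT_BYTES for b in content):
        findings.append("non_text_bytes")     # crontabs are plain text
    for line in content.split(b"\n"):
        if line.lstrip().startswith(b"#"):
            continue                          # comment lines never execute
        if B64_PIPE.search(line):
            findings.append("b64_pipe_to_shell")
            break
    return findings

def scan_cron_dir(directory: str = "/etc/cron.d") -> dict:
    """Scan every regular file in the directory; return {path: findings} for hits only."""
    results = {}
    for entry in os.scandir(directory):
        if entry.is_file(follow_symlinks=False):
            with open(entry.path, "rb") as fh:
                hits = scan_cron_file(fh.read())
            if hits:
                results[entry.path] = hits
    return results

# Constructed samples, not captured from the campaign. PLANTED_CRON imitates a dump
# whose uncompressed string value is a cron line; the RDB framing bytes are made up.
SAMPLE_SCRIPT = base64.b64encode(b"echo constructed-sample").decode()
PLANTED_CRON = (
    b"REDIS0011\xfa\x09redis-ver\x057.2.4\xfe\x00\xfb\x01\x00\x00\x06\x00\x40"
    + b"\n\n*/2 * * * * root echo " + SAMPLE_SCRIPT.encode() + b" | base64 -d | bash\n\n"
    + b"\xff\x00\x00\x00\x00\x00\x00\x00\x00"
)
LEGIT_CRON = (
    b"# /etc/cron.d/logrotate (constructed)\n"
    b"0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n"
)
```

Because cron skips unparsable lines while still running the valid one, the binary junk around the entry is itself a signal; scan_cron_dir() applies the same checks across a live /etc/cron.d.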
Authentication mechanisms are attacked with brute-force attempts using hardcoded credential lists for Redis instances where password protection is enabled.
Multi-Pronged Infrastructure
Further infrastructure analysis revealed RedisRaider’s operators employing additional tactics for monetization.
In parallel to server-side mining, the adversaries hosted a web-based JavaScript Monero miner on related domains (such as a.hbweb[.]icu and c.hbweb[.]icu), effectively turning any web visitors into computational resources for cryptocurrency mining.
The attacker’s infrastructure, at the time of reporting, was also running other exposed services, including MongoDB and MySQL, on a South Korean server.

The domain’s JavaScript payloads are capable of dynamically loading a Monero miner, configured to use the operator’s Moneroocean wallet, ensuring that both infected servers and unsuspecting website visitors contribute to the attacker’s illicit mining operations.
This reflects a strategic shift: campaign operators are optimizing revenue not just via malware, but also leveraging browser-based mining as a parallel income channel.
RedisRaider employs concurrency through Go goroutines, enabling simultaneous scanning, exploitation, and payload delivery at scale.
Post-infection, the malware tests outbound connectivity (e.g., by pinging httpbin[.]org) and resumes scanning for other Redis targets, ensuring continuous propagation.
The payload queries hardware characteristics (CPU core count, hugepage sizes, resource limits) to maximize mining efficiency.
Defense evasion is multifaceted: alongside code packing and Garble obfuscation, string obfuscation routines obscure operational strings using XOR arrays, frustrating static and even some dynamic analysis tools.
The mining binary is written to /tmp/mysql and executed under nohup to persist independently from the initial infection vector.
RedisRaider’s sophistication and deliberate multi-pronged strategy mark a trend toward mature, scalable, and evasive Linux malware.
Exposure of misconfigured Redis servers remains a critical risk; defenders are urged to implement protected mode, enforce strong authentication, segment networks, and monitor for suspicious configuration changes or abnormal process execution.
Detection solutions such as Datadog Workload Protection leverage eBPF to surface indicators like unauthorized cron modifications, network utility execution inside containers, or known malware hashes.
However, as RedisRaider demonstrates, robust hardening and visibility are paramount to thwart modern cryptojacking campaigns.
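The hardening points above (protected mode, strong authentication, limited network exposure) map onto a handful of redis.conf directives. This audit script is an added example, not part of the original report or of any Datadog tooling; the two sample configurations are constructed and the 16-character password threshold is this example's own heuristic.

```python
def parse_redis_conf(text: str) -> dict:
    """Map each directive to the list of argument lists seen for it (a directive such
    as 'bind' or 'user' may legitimately appear more than once)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip('"\'') for p in line.split()]
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf

def audit_redis_conf(text: str, min_password_len: int = 16) -> list:
    """Return posture findings for a redis.conf; [] means the checks all pass.
    min_password_len is this example's own heuristic, not a Redis setting."""
    conf = parse_redis_conf(text)
    findings = []
    # protected-mode defaults to yes; only an explicit "no" is a finding.
    pm = conf.get("protected-mode", [["yes"]])[-1]
    if pm and pm[0].lower() == "no":
        findings.append("protected_mode_disabled")
    # Authentication: a requirepass, or an ACL user carrying a password (">pw" / "#hash").
    passwords = [a[0] for a in conf.get("requirepass", []) if a]
    acl_auth = any(tok and tok[0] in ">#"
                   for args in conf.get("user", []) for tok in args[1:])
    if not passwords and not acl_auth:
        findings.append("no_authentication")
    elif any(len(p) < min_password_len for p in passwords):
        findings.append("short_requirepass")
    # Exposure: no bind directive means all interfaces; wildcard addresses do the same.
    addrs = [a.lstrip("-") for args in conf.get("bind", []) for a in args]
    if not addrs:
        findings.append("no_bind_directive")
    elif any(a in ("0.0.0.0", "*", "::") for a in addrs):
        findings.append("bind_all_interfaces")
    return findings

# Constructed configurations: an exposed instance and a hardened one.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
requirepass "Constructed-Example-Passphrase-2024!"
"""
```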
Indicators of Compromise (IOCs)
Type | Context/Description | Value |
---|---|---|
SHA-256 | RedisRaider primary payload (ELF) | 8d2efe92846cdf9c258f0f7e0a571a8d63c80f0fa321cb2c713fb528ed29ba42 |
SHA-256 | XMRig miner payload (ELF) | 7b2314bf8bf26ce3f3458b0d96921d259ee7b0be1c0b982c2a19d8c435b7e3ae |
File path | Database dump/cron file | /etc/cron.d/apache |
File path | Payload/Dropper/Miner | /tmp/mysql |
URL | Payload delivery URL | http://a.hbweb[.]icu:8080/uploads/2024-7/99636-5b0c-4999-b.png |
IP Address | Payload infrastructure | 58[.]229.206[.]107 |
Domain | In-browser miner, infrastructure | a.hbweb[.]icu, c.hbweb[.]icu |
Monero Wallet | Used by JS in-browser miner | 41nTqsXxuM8bPENEBDf1YmH9yKBhpfsJbgQGEcVetSsk2qCE5J97xtCAiDb7CQva8u7i9735rragqeiT2rN9Ekb91sMZ92G |