The famous cryptojacking campaign has found a new interest in Redis after discovering a misconfigured Redis database with genuine open-source command-line file transfer services. The campaign has the sole aim of hijacking system resources for mining cryptocurrency. The evidence proved that an inadvertent activity could follow the process in a statement by a spokesperson saying, “Reckless configuration of Linux memory management systems could quite easily result in corruption of data or the loss of system availability.”
Although several reports by security firms have given insight into this attack walk-through, Cado security has affirmed that the campaign uses a transfer[.]sh, and its command line interaction has positioned it as a perfect tool for hosting and delivering malicious payloads.
Further investigations have also revealed that the payload functionality follows the process of freeing up memory, terminating competing miners, installing pnscan to identify vulnerable Redis servers, and expanding access and allowing an XMRig cryptocurrency miner.
Research by Avertium revealed new attacks using SSH servers to brute-force the deployment of XorDdos botnet malware on servers to launch distributed denial-of-service (DDoS)attacks against organizations in China and the United States, which is similar to other threat actors, like TeamTNT and WatchDog attacks.
Between October and December 2022, the development has propelled the discovery of 1.2 million unauthorized SSH connection attempt across 18 honeypots, with 42% originating from ChinaNet Jiangsu Province Network and thousands of IP addresses from all over the world.
Further discoveries and explanations by Avertium revealed that open ports are subjected to an instant brute-force attack against the root account using a list of over 17,000 passwords after a successful scan. A XorDDoS bot installation accompanies the success of the brute-force attack.
