A new Go-based malware threat that researchers call Redigo has been targeting Redis servers vulnerable to CVE-2022-0543 to plant a stealthy backdoor and allow command execution.
CVE-2022-0543 is a critical vulnerability in Redis (Remote Dictionary Server) software with a maximum severity rating. It was discovered and fixed in February 2022.
Attackers continued to leverage it on unpatched machines several months after the fix came out, as proof-of-concept exploit code became publicly available.
The name of the malware, Redigo, was coined from the machine it targets and the programming language for building it.
Today, AquaSec reports that its Redis honeypots vulnerable to CVE-2022-0543 caught a new piece of malware that is not detected as a threat by antivirus engines on Virus Total.
AquaSec says that Redigo attacks start with scans on port 6379 to locate Redis servers exposed on the open web. After locating a target endpoint, the atacker connect and run the following commands:
- INFO – Check the Redis version to determine if the server is vulnerable to CVE-2022-0543.
- SLAVEOF – Create a copy of the attacking server.
- REPLCONF – Configure the connection from the attacking server to the newly created replica.
- PSYNC – Initiate the replication stream and download the shared library ‘exp_lin.so’ on the server’s disk.
- MODULE LOAD – Load module from the downloaded dynamic library, which is capable of executing arbitrary commands and exploiting CVE-2022-0543.
- SLAVEOF NO ONE – Covert the vulnerable Redis server into master.
Using the command execution abilities of the implanted backdoor, the attackers collect hardware info about the host and then download Redigo (redis-1.2-SNAPSHOT). The malware is executed after escalating privileges.
The attackers simulate normal Redis communication over port 6379 to evade detection by network analysis tools while attempting to hide traffing from Redigo’s command and control server.
Due to attack duration limitations in AquaSec’s honeypots, its analysts couldn’t determine exactly what Redigo does after establishing its foothold in the environment.
AquaSec says it’s likely that the ultimate goal of Redigo is to add the vulnerable server as a bot in a network for distributed denial-of-service (DDoS) attacks or to run cryptocurrency miners on the compromised systems.
Also, since Redis is a database, accessing the data to steal it would also be a plausible scenario in Redigo attacks.
For more information on mitigating the Redis flaw, check out the Debian security advisory or Ubuntu’s security bulletin on CVE-2022-0543.