A new cryptocurrency mining worm has been observed targeting servers using the Redis data structure store. Named RedisWannaMine, it also uses the EternalBlue SMB exploit to propagate.
Initial delivery involves exploiting an Apache Struts remote code execution vulnerability to install a dropper. This dropper then attempts to gain persistence using new crontab entries as well as remote access using a new SSH key and iptables entries. It will then download the payload.
RedisWannaMine exploits the vulnerability CVE-2017-9805. This is a particular Apache Struts vulnerability that goes after the Struts REST plugin with XStream handler.
RedisWannaMine uses numerous Linux packages, either downloaded from GitHub or contained within the initial download. The cryptomining module is first run, before a secondary module begins scanning port 6379 using a large list of internal and external IP addresses. When this module discovers an open port, it will execute another process to infect the new server. Once the Redis scan is completed a secondary scan is initiated to scan port 445 using the same IP list, again infecting new servers if open ports are found.
- Database and application servers using Redis
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.