A new cryptojacking campaign named RedisRaider is actively targeting misconfigured Redis servers to mine cryptocurrency, security researchers have warned. The malware is specifically designed to exploit unsecured Redis instances on Linux systems to install and run the XMRig Monero miner.
According to researchers at Datadog Security Labs, the attackers do not rely on software vulnerabilities. Instead, they abuse legitimate Redis configuration commands to execute malicious scripts on target machines, turning them into part of a distributed mining operation.
Self-Spreading Malware with Worm-Like Capabilities
RedisRaider has worm-like features that allow it to scan the internet for vulnerable Redis servers, particularly those exposed on the default port 6379. Once found, the malware checks if the Redis server is running on Linux and begins exploitation.
How the Infection Works
The malware uses Redis’s built-in SET and CONFIG commands to load a malicious cron job onto the target system. It does this by:
- Storing a base64-encoded shell script in a Redis key with SET.
- Changing Redis’s working directory to /etc/cron.d.
- Renaming the database file to “apache”.
- Triggering BGSAVE to write the malicious content as a scheduled cron job.
Once installed, the cron job downloads and executes the main RedisRaider payload from the attacker’s server. This payload is stored in /tmp/mysql, made executable, and run in the background using nohup to maintain persistence.
Obfuscation and Evasion Techniques
The malware is compiled in Go and obfuscated using Garble, a tool that hides the inner workings of Go binaries. It also uses short-lived Redis keys with a time-to-live (TTL) of just 120 seconds to make detection more difficult.
Once active, RedisRaider connects to mining pools to begin mining Monero, all while continuing to search for and infect new Redis servers.
Wider Impact and Sophisticated Infrastructure
In addition to server-side cryptojacking, researchers found that the attackers also host browser-based miners to generate additional revenue from website visitors. The campaign shows signs of a coordinated effort by experienced threat actors with deep knowledge of Linux systems, Redis internals, and Go programming.
The attackers have implemented anti-forensics techniques and maintain persistence using cron jobs and stealthy communication methods. These advancements highlight a shift toward more professional and hard-to-detect cryptojacking campaigns.
Security Recommendations
Security experts urge administrators to:
- Secure Redis instances with strong authentication and access controls.
- Avoid exposing Redis servers directly to the internet.
- Monitor systems for unusual CPU usage or unauthorized cron jobs.
- Keep server software and configurations updated.
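A small audit script, added here as an illustration and not part of the article or of Datadog's research, that checks for the two traces this technique leaves: a Redis dump (RDB magic bytes) sitting in a cron directory with an executable schedule line inside it, and a Redis CONFIG pointing the dump at a cron path. The sample cron file bytes, the token list and the config dictionaries (the shape that CONFIG GET dir / dbfilename / requirepass would return) are constructed for the example.

```python
import re

# Constructed sample: a Redis RDB dump written into /etc/cron.d. A real dump
# starts with the magic "REDIS" plus a 4-digit version; key/value bytes are
# embedded verbatim, so cron still finds a parsable schedule line in the file.
SAMPLE_CRON_FILE = (
    b"REDIS0011\xfa\tredis-ver\x057.0.0\xfe\x00\xfb\x01\x00\x00\x08backup1"
    b"\n\n* * * * * root echo aGVsbG8= | base64 -d | bash\n\n"
    b"\xff\x00\x00\x00\x00\x00\x00\x00\x00"
)

# A crontab line: either "@hourly"-style macro or five schedule fields.
CRON_SCHEDULE = re.compile(rb"^(@\w+|(\S+\s+){5})")
# Tokens typical of download-and-decode cron one-liners (constructed list).
RISKY_TOKENS = (b"base64", b"| bash", b"| sh", b"curl ", b"wget ", b"/tmp/")


def is_rdb_dump(data: bytes) -> bool:
    """True if the bytes start with the RDB header Redis writes on BGSAVE."""
    return data.startswith(b"REDIS") and data[5:9].isdigit()


def suspicious_cron_lines(data: bytes) -> list:
    """Cron lines with a valid schedule that also carry download/decode tokens."""
    hits = []
    for line in data.splitlines():
        if CRON_SCHEDULE.match(line) and any(t in line for t in RISKY_TOKENS):
            hits.append(line.decode("latin-1"))
    return hits


def audit_redis_config(cfg: dict) -> list:
    """Flag CONFIG values that aim the dump file at a cron directory or skip auth."""
    findings = []
    d, name = cfg.get("dir", ""), cfg.get("dbfilename", "")
    if d.startswith("/etc/cron") or d.startswith("/var/spool/cron"):
        findings.append(f"dir={d} is a cron directory")
    if not name.endswith(".rdb"):
        findings.append(f"dbfilename={name} is not an .rdb file")
    if cfg.get("requirepass", "") == "":
        findings.append("requirepass is empty: no authentication")
    return findings


def scan(cron_bytes: bytes, cfg: dict) -> dict:
    """Combine the file and config checks into one report."""
    return {
        "rdb_magic": is_rdb_dump(cron_bytes),
        "cron_hits": suspicious_cron_lines(cron_bytes),
        "config": audit_redis_config(cfg),
    }
```

Run scan() over each file in /etc/cron.d and the output of CONFIG GET on every reachable instance; any file with rdb_magic set is a finding on its own, regardless of the other checks.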
RedisRaider is a clear example of how attackers continue to evolve, using legitimate tools in malicious ways to build stealthy and profitable malware operations.