Hackers Exploit Bug in Redis Servers To Drop New Bakcdoor Malware “Redigo”

Researchers uncovered a new backdoor malware dubbed “Redigo” written in Go -Language, which targets the Redis servers and drops a backdoor to gain complete control of the servers.

Redigo Malware was uncovered via vulnerable Redis honeypots where the attackers attempt to exploit the Redis vulnerability(CVE-2022-0543).

Redis (remote dictionary server) is an open-source in-memory database and cache based on a Unix-like operating system. Redis supports different kinds of abstract data structures, such as strings, lists, maps, sets, and sorted sets.

“Our investigation revealed new undetected malware written in Golang designed to target Redis servers to allow the attacking server to dominate the compromised machine” researchers from Aqua reported.

Redis architecture combined Redis clients and servers in which servers handle various operations such as storing data in memory and handling management processes.

Also, the server has a built-in Lua scripting engine that allows users to upload and execute Lua scripts directly on the server which helps users to efficiently perform the process read and writing data from scripts.

A vulnerability CVE-2022-0543 that was uncovered in Lua scripting engine allows threat actors to perform this attack on Redis server and drops the Redigo malware and gain server access.

Redigo Malware Infection Process

During the initial stage of this attack, Threat actors perform a mass scan using scanners or a botnet to find the vulnerable Redis servers that open to the internet on TCP port 6379.

To evade the detection, attackers follow a method that, a seemingly legitimate communication of Redis that simulates communication between Redis clusters using port 6379, which helps them to transfer the commands to the vulnerable server.

As a result, Redigo is a new Redis backdoor malware it remains undetected in Virus Total by all vendors during the investigation.

Researchers from Aqua intercept the communication between the vulnerable Redis server and the attacking server controlled by the threat actors and found several commands of following that were used as part of this attack.

• INFO command -A command that allows adversaries to receive information about our Redis server.
• SLAVEOF command –A command that allows adversaries to create a replica of the attacking server. 
• REPLCONF command – Configure the connection between the Master server and the replica server.
• PSYNC command – the new replica runs this command and initiates a replication stream from the master. 
• MODULE LOAD command – To Load dynamic library module allows for exploitation of the vulnerability and runs arbitrary commands later.
• SLAVEOF NO ONE command – this turns off the replication and converts the vulnerable Redis server into a master.

The library file exp_lin.so which we have seen in the above-captured communication is responsible to executes the code which exploits the vulnerability that was intentionally left in our honeypot server.

Researchers uncovered a file that contains the command “system.exec” which allows the attacker to execute an arbitrary command and initiate their attack.

“The command was used for two different purposes, the first one is activated to receive information about the CPU architecture, and the second time was used to download the newly discovered Redigo malware from the attacking server and eventually elevate the permissions of the file to execute on the server.” Aqua researchers detailed in the report shared with GBHackers.

Also dropped malware mimics the Redis server communication which allows the attackers to hide communications between the targeted host and the C2 server.

Researchers are unclear about the full scope of the impact, though the pattern of this attack lets add a targeted host to a large botnet which usually means that the compromised server will take a part in a Distributed Denial of Service (DDoS).

Managed DDoS Attack Protection for Applications – Download Free Guide