- Security researchers identified a new Malware, RedisRaider, targeting misconfigured Redis servers for cryptocurrency mining.
- The malware spreads aggressively using weak Redis settings and installs the XMRig Monero miner on Linux systems.
- RedisRaider uses advanced obfuscation and anti-forensics methods to stay hidden and make detection difficult.
- The campaign also involves a web-based Monero miner, expanding its reach beyond just server attacks.
- Experts recommend stronger authentication, restricted access to Redis ports, and enhanced system monitoring as key defenses.
A newly discovered malware campaign named RedisRaider is compromising poorly configured Redis servers to mine cryptocurrency, according to findings by Datadog Security Labs. The malware, written in the Go programming language, exploits weak security settings to install the XMRig Monero mining software on Linux systems.
Researchers at Datadog Security Labs report that RedisRaider spreads quickly by scanning the internet for vulnerable Redis servers on the default port 6379. After confirming a system runs on Linux, the malware deploys itself using Redis database commands and sets up an automated task (called a cron job) to maintain its presence.
The attackers behind RedisRaider use advanced techniques to avoid detection. Their malware is heavily obfuscated using Garble, a tool that hides key functions in the code and makes analysis difficult. Additionally, the campaign uses methods like setting a short time-to-live for keys in Redis, generating temporary files in cron directories to blend with legitimate processes, and deleting keys and log files after execution.
The research team also found that RedisRaider infrastructure supports a web-based Monero miner. This extension lets attackers earn cryptocurrency from both infected Linux servers and unsuspecting website visitors. “In addition to server-side cryptojacking, RedisRaider’s infrastructure also hosted a web-based Monero miner, enabling a multi-pronged revenue generation strategy,” according to the Datadog Security Labs report.
One server linked to the campaign, operating on IP address 58.229.206[.]107, was running multiple database and web services. It also hosted a suspicious JavaScript file, suggesting coordinated activity across different platforms.
Experts recommend several defenses against this threat, including running Redis in protected mode, enabling strong authentication, restricting access to server ports, and continuously monitoring for unexpected jobs or files. Enhanced monitoring tools that can detect new cron job creation and known malware activity are also advised.
The report from Datadog Security Labs concludes that RedisRaider marks a significant new development in Linux-based cryptojacking threats, combining rapid self-spreading, complex system interactions, and layered methods for avoiding detection. Organizations are urged to review the configuration of their Redis servers, limit network exposure, and patch any weaknesses promptly.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Prosecutors Accuse SafeMoon CEO Karony of Lying, Hiding Millions
- Ethereum Eyes $3,600 Breakout as Bull Flag and Key Channel Signal Rally
- Milei Dissolves Crypto Probe Unit Amid LIBRA Scandal Fallout
- Genesis Sues DCG and CEO Silbert, Seeks $3.2B in Crypto Transfers
- Radix Community Backs Repurposing of 2.4B XRD Stablecoin Reserve
