Redis Servers Exploited to Deploy Metasploit Meterpreter Backdoor

Security experts at AhnLab Security Intelligence Center (ASEC) have sounded the alarm on a new wave of attacks targeting Redis servers. Threat actors are compromising these popular data stores to install the potent Metasploit Meterpreter backdoor. This trend is particularly concerning as Redis, an open-source in-memory data structure store, finds widespread application across industries for purposes like session management, message brokering, and queues.

Redis, an acronym for Remote Dictionary Server, is an open-source, in-memory data structure store, employed as a database, cache, and message broker. Its versatility and widespread adoption have unfortunately made it an attractive target for cybercriminals. The threat actors in this instance exploited vulnerabilities in Redis—presumably through misconfigurations or by commandeering vulnerabilities—to install not just the Metasploit Meterpreter but also a variety of malware including Kinsing, P2PInfect, Skidmap, Migo, and HeadCrab.

Meterpreter backdoor downloaded from the C&C server

What sets this attack apart is the targeting of systems running on Windows via an outdated version of Redis (version 3.x, circa 2016), exposing them to a plethora of vulnerabilities. The attackers commenced their intrusion by deploying PrintSpoofer—a privilege escalation tool—using PowerShell’s “invoke-webrequest” command. This tool, notorious for exploiting the SeImpersonatePrivilege to elevate privileges, signifies a meticulous approach to undermining system defenses, often in poorly managed or unpatched services.

The use of PrintSpoofer, intriguingly available as open-source on GitHub, was cleverly modified by the attackers (altering strings such as “nilaina mana”) to dodge detection mechanisms.

Post establishing a foothold via PrintSpoofer, the attackers deployed Metasploit’s Stager malware to introduce the Meterpreter backdoor. Metasploit, a penetration testing framework, is a double-edged sword—while it’s a boon for security professionals in identifying vulnerabilities, it’s equally a potent weapon for adversaries. Meterpreter, akin to Cobalt Strike’s Beacon, facilitates a range of malicious activities from initial payload delivery to lateral movement within the network.

The attackers utilized a staged approach, employing a reverse TCP method to install Stager, which then fetched Meterpreter from a command and control (C&C) server. This maneuver enabled them to execute Meterpreter directly in memory, rendering it evasive and allowing for the commandeering of the compromised system.

This report is a reminder that threat actors are constantly evolving their tactics. As the popularity of tools like Redis increases, so does the importance of implementing strong security practices around their deployment and monitoring them diligently for signs of compromise.