RedTail Cryptominer Malware Targets PAN-OS Vulnerability
In a recent report, the Akamai Threat Research Team revealed a concerning evolution of the RedTail cryptomining malware. Known for its profitability and widespread impact, RedTail now targets the critical Palo Alto Networks PAN-OS vulnerability (CVE-2024-3400), expanding its arsenal for malicious gains.
On April 11, 2024, Palo Alto Networks disclosed a zero-day vulnerability in their PAN-OS-based products. The vulnerability, identified as CVE-2024-3400, allows attackers to create arbitrary files, potentially leading to command execution with root privileges. This is achieved by manipulating the SESSID cookie value and using a path traversal technique to control the file’s name and directory. The vulnerability is specific to the GlobalProtect feature of certain PAN-OS versions, with Cloud NGFW, Panorama appliances, and Prisma Access remaining unaffected.
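Because the article describes the flaw as path traversal carried in the SESSID cookie value, a defender can hunt for exploitation attempts by inspecting that cookie in GlobalProtect access logs. The following Python is an added detection example, not code from the Akamai report or from Palo Alto Networks; the log format, request paths and cookie values are constructed placeholders, and the assumption that a legitimate session id is an opaque alphanumeric token is mine.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the Akamai report). Paths and
# cookie values are invented placeholders; only the SESSID cookie name and the
# "path traversal inside the cookie" pattern come from the article.
SAMPLE_LOGS = [
    '198.51.100.10 "POST /global-protect/EXAMPLE_ENDPOINT HTTP/1.1" 200 cookie="SESSID=3f9c1a7e2b4d5e6f7a8b9c0d1e2f3a4b"',
    '198.51.100.11 "POST /global-protect/EXAMPLE_ENDPOINT HTTP/1.1" 200 cookie="SESSID=./../../../EXAMPLE_DIR/EXAMPLE_FILE"',
    '198.51.100.12 "POST /global-protect/EXAMPLE_ENDPOINT HTTP/1.1" 200 cookie="SESSID=%2e%2e%2f%2e%2e%2fEXAMPLE_FILE"',
    '198.51.100.13 "GET /global-protect/EXAMPLE_ENDPOINT HTTP/1.1" 200 cookie="lang=en"',
]

# Assumption: a legitimate session id is an opaque alphanumeric token. Anything
# containing directory separators or dot-dot segments is treated as traversal.
VALID_SESSID = re.compile(r"^[A-Za-z0-9_-]{8,128}$")
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|/|\\)")

def extract_sessid(line):
    """Return the raw SESSID cookie value from a log line, or None."""
    m = re.search(r'cookie="([^"]*)"', line)
    if not m:
        return None
    for part in m.group(1).split(";"):
        name, _, value = part.strip().partition("=")
        if name == "SESSID":
            return value
    return None

def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded traversal is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_sessid(value):
    decoded = decode_fully(value)
    if TRAVERSAL.search(decoded):
        return "path-traversal"
    if not VALID_SESSID.match(decoded):
        return "malformed"
    return "ok"

def scan_logs(lines):
    """Return (client_ip, verdict, decoded_value) for every suspicious SESSID."""
    findings = []
    for line in lines:
        sessid = extract_sessid(line)
        if sessid is not None and (verdict := classify_sessid(sessid)) != "ok":
            findings.append((line.split()[0], verdict, decode_fully(sessid)))
    return findings

if __name__ == "__main__":
    for src, verdict, value in scan_logs(SAMPLE_LOGS):
        print(f"{src}: {verdict}: {value}")
```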
Following the public disclosure of this exploit, Akamai observed a surge in activity, including vulnerability probes and attempts to execute commands that download and run bash scripts from various IP addresses. The scripts checked the victim’s processor architecture and downloaded compatible binaries, a behavior typical of distributed denial-of-service (DDoS) and cryptomining malware. The malware file named “.redtail” confirmed the presence of the RedTail cryptominer, previously reported by Cyber Security Associates (CSA) in January 2024.
RedTail was first identified in December 2023, exploiting the Log4j vulnerability to mine Monero cryptocurrency. The new variant analyzed by Akamai showed significant modifications. Unlike previous versions, it did not contact a server for its mining configuration but embedded the XMRig code within its own logic. The mining configuration was encrypted and decrypted during execution, revealing no wallet address, suggesting the use of private mining pools for greater control over mining outcomes.
The cryptominer also showcased advanced evasion and persistence techniques, including multiple process forking to hinder debugging and adding cron jobs to survive system reboots. These sophisticated tactics indicate a deep understanding of cryptomining operations and efforts to maximize efficiency using the RandomX algorithm and hugepages configuration.
The threat actors behind RedTail are also targeting other vulnerabilities, such as:
- Ivanti Connect Secure SSL-VPN (CVE-2023-46805 and CVE-2024-21887)
- TP-Link Router (CVE-2023-1389)
- VMware Workspace ONE Access and Identity Manager (CVE-2022-22954)
- ThinkPHP remote code execution (CVE-2018-20062)
Additionally, the malware contains embedded URLs corresponding to various CGI-Bin remote code execution variants and the PHPUnit exploit (CVE-2017-9841), although these were not exploited in this campaign.
The adoption of CVE-2024-3400 by the RedTail cryptominer threat actors underscores the relentless evolution of cyber threats. The sophisticated tactics, use of private mining pools, and advanced evasion techniques reflect a high level of expertise and resources. Organizations must prioritize patching vulnerabilities and implementing robust security measures to defend against such advanced threats.