According to research by web infrastructure and security company Akamai, the threat actors behind the RedTail cryptocurrency mining malware have added a recently disclosed security vulnerability affecting Palo Alto Networks firewalls (CVE-2024-3400, CVSS score: 10.0) to their toolkit and have updated the malware to incorporate new anti-analysis techniques.
Akamai discovered that attackers exploit this vulnerability in PAN-OS to execute arbitrary code with root privileges on the firewall. Upon successful exploitation, the attackers retrieve and run a bash shell script from an external domain, downloading the RedTail payload based on the CPU architecture. RedTail’s propagation mechanism also involves exploiting the following known vulnerabilities:
- TP-Link routers (CVE-2023-1389)
- ThinkPHP (CVE-2018-20062)
- Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887)
- VMWare Workspace ONE Access and Identity Manager (CVE-2022-22954)
RedTail was first documented by security researcher Patryk Machowiak in January 2024 when it leveraged the Log4Shell vulnerability (CVE-2021-44228) to deploy malware on Unix-based systems. In March 2024, Barracuda Networks disclosed details of attacks using vulnerabilities in SonicWall (CVE-2019-7481) and Visual Tools DVR (CVE-2021-42071) to install Mirai botnet variants and deploy RedTail via the ThinkPHP vulnerability.
The latest version of the RedTail miner was detected in April, featuring significant updates such as a cryptocurrency mining configuration that launches an embedded XMRig miner. Another notable change is the absence of a cryptocurrency wallet, indicating that the threat actors may have switched to private mining pools or pool proxies for financial gain.
Unlike the RedTail variants reported in early 2024, this malware employs advanced evasion and persistence techniques, such as forking itself multiple times, obstructing analysis by debugging its own processes, and killing any instances of the GNU debugger found.
Akamai describes RedTail as highly polished malware, which is rare among in-the-wild cryptocurrency mining malware families. Researchers concluded, “The investment required to run a private cryptocurrency mining operation is substantial, involving staffing, infrastructure, and obfuscation. This complexity may indicate an attack organization sponsored by a nation-state.”
