Cybersecurity researchers are turning their attention to a new Linux Cryptojacking campaign targeting publicly accessible Redis servers.
Malicious activity is called Redisraider and codename by DataDog Security Labs.
“Redisraider aggressively scans the randomized portion of IPv4 space and uses legitimate Redis configuration commands to run malicious Cron jobs on vulnerable systems,” said security researchers Matt Muir and Frederic Baguerin.
The ultimate goal of the campaign is to drop the GO-based primary payload, which is responsible for unlocking XMRIG miners on compromised systems.
This activity involves using a bespoke scanner to identify public Redis servers on the Internet and issuing information commands to determine whether the instance is running on a Linux host. If it turns out to be true, the scan algorithm exploits the set command from Redis to inject the Cron job.
Malware then uses the Config command to change Redis Working Directory to “/etc/cron.d”, writes a database file named “Apache” to the location, and runs a shell script that is periodically selected by the Cron scheduler and encoded with Base64.
The payload essentially acts as a dropper for a bespoke version of Xmrig, propagating malware to other Redis instances, effectively expanding its reach and scale.
“In addition to server-side cryptojacking, Redisraider’s infrastructure also hosted web-based Monero Miner, enabling a multi-faceted revenue generation strategy,” the researcher said.
“The campaign incorporates subtle anti-rich measurements such as short time to time (TTL) settings and database configuration changes, minimizing detection and hindering post-hoc analysis.”
This disclosure occurs when Guardz discloses details of a target campaign that uses the legacy authentication protocol for Microsoft Entra IDs for brute force accounts. Activities observed between March 18th and April 7th, 2025 have been found to utilize Bav2OPC (short for Basic Authentication Version 2 – Resource Owner Password Qualification) to bypass defenses such as Multi-Factor Authentication (MFA) and conditional access.
“The tracking and investigation reveals systematic attempts at exploitation that utilize Bav2ropc’s inherent design restrictions that go further than modern security architectures,” said Elli Shlomo, head of security research at Guardz. “The threat actors behind this campaign have shown a deep understanding of the identity system.”
The attacks are said to have originated primarily from Eastern Europe and the Asia-Pacific region, and are primarily targeting administrator accounts using legacy authentication endpoints.
“Although normal users received the majority of authentication attempts (50,214), the admin accounts and shared mailboxes target a specific pattern, with the admin accounts taking 9,847 attempts with 432 IP over eight hours, suggesting an average of 22.79 attempts and 1,230.87 attempts per IP,” the company said.
“This illustrates a highly automated, concentrated attack campaign designed specifically to compromise privileged accounts while maintaining a broader attack surface against normal users.”
This is not the first time legacy protocols have been abused due to malicious activities. In 2021, Microsoft revealed a massive Business Email Compromise (BEC) campaign that uses bav2ropc and imap/pop3 to avoid MFA and remove email data.
To mitigate the risk posed by such attacks, we recommend blocking legacy authentication via conditional access policies, disabling BAV2OPC, and turning off SMTP AUTH with online exchanges if not in use.
Source link
