Examining Redtail: Analyzing a Sophisticated Cryptomining Malware and its Advanced Tactics
Jan. 9, 2025, 10:39 a.m.
Description
This analysis focuses on redtail, a cryptocurrency mining malware that stealthily installs itself on compromised systems. The malware utilizes two additional scripts: one to identify the CPU architecture and another to remove existing cryptomining software. Observed attacks originated from IP addresses in the Netherlands and Bulgaria. The malware exploits weak root login credentials and uses SFTP to transfer malicious files. Protection strategies include regular patching, robust antimalware solutions, disabling direct root logins, implementing SSH shared keys or TCP Wrappers, and using SIEM systems for centralized log monitoring. The evolving sophistication of redtail highlights the need for comprehensive cybersecurity measures and continuous vigilance against advanced threats.
Date
Published: Jan. 9, 2025, 10:25 a.m.
Created: Jan. 9, 2025, 10:25 a.m.
Modified: Jan. 9, 2025, 10:39 a.m.
Indicators
.120.113.231
5.182.211.148
Attack Patterns
c3pool_miner
redtail
T1021.004
T1070.004
T1562.001
T1082
T1105
T1543
T1027
T1053
T1078
T1059
CVE-2024-3400
Additional Information
Bulgaria