Undocumented Go-based malware is targeting Redis servers to seize control of the infected systems and likely construct a botnet network.
According to cloud security firm Aqua, the attacks exploit a critical security vulnerability in the open source, in-memory, key-value store that was disclosed earlier this year to deploy Redigo.
The vulnerability, identified as CVE-2022-0543 (CVSS score: 10.0), is a sandbox escape in the Lua scripting engine that could be exploited for remote code execution.
This is not the first time the vulnerability has been actively exploited; Juniper Threat Labs discovered arbitrary command execution attacks perpetrated by the Muhstik botnet in March 2022.
Similar to the Redigo infection chain, adversaries scan for exposed Redis servers on port 6379 to gain initial access, and then download the shared library "exp_lin.so" from a remote server.
This library file contains an exploit for CVE-2022-0543 that executes a command to retrieve Redigo from the same server, in addition to simulating legitimate Redis cluster communication over port 6379 to conceal its activity.
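The initial-access step described above depends on Redis instances being reachable and unauthenticated on port 6379. The following audit script is an added defender-side example, not code from the article or from Aqua; it parses a redis.conf fragment (the sample below is constructed) and flags the settings that leave EVAL reachable to an unauthenticated remote client.

```python
# Constructed redis.conf fragment that leaves the instance exposed:
# bind is commented out (listen everywhere), protected-mode is off,
# no password, default port.
SAMPLE_CONF = """
# bind 127.0.0.1 -::1
protected-mode no
port 6379
# requirepass foobared
"""

# Addresses that mean "every interface" in a Redis bind directive.
WILDCARD_BINDS = {"0.0.0.0", "*", "::"}


def parse_conf(text):
    """Return {directive: value} for active lines; a later directive wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def audit_exposure(text):
    """List the conditions that make an instance a target for port-6379 scanning."""
    conf = parse_conf(text)
    findings = []
    bind = conf.get("bind")
    if bind is None or any(addr in WILDCARD_BINDS for addr in bind.split()):
        findings.append("bind: listens on all interfaces (Redis default when unset)")
    if conf.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode: disabled, remote clients accepted without auth")
    # Either a legacy requirepass or an ACL 'user' directive provides authentication.
    if not conf.get("requirepass") and "user" not in conf:
        findings.append("requirepass: no password, EVAL reachable by anyone who connects")
    if conf.get("port", "6379") == "6379":
        findings.append("port: default 6379, the port scanned for in this campaign")
    return findings


if __name__ == "__main__":
    for finding in audit_exposure(SAMPLE_CONF):
        print("FINDING:", finding)
```

A clean result from `audit_exposure` does not by itself cover CVE-2022-0543, which is fixed by updating the Redis package; the audit only reduces who can reach the Lua engine in the first place.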
“The dropped malware mimics Redis server communication, enabling adversaries to conceal communications between the targeted host and the C2 server,” explained Aqua researcher Nitzan Yaakov.
It is unknown what the ultimate objective of the attacks is, but it is suspected that compromised hosts could be co-opted into a botnet to facilitate DDoS attacks or used to steal sensitive information from the database server to expand their reach.