The threat actors behind the RedTail cryptocurrency mining malware have upped their game by incorporating a recently disclosed security flaw affecting Palo Alto Networks firewalls into their exploit arsenal. According to findings from web infrastructure and security company Akamai, the malware now includes new anti-analysis techniques and utilizes private crypto-mining pools for greater control over mining outcomes.
The infection sequence discovered by Akamai exploits a now-patched vulnerability in PAN-OS that could allow an attacker to execute arbitrary code with root privileges on the firewall. Once exploitation succeeds, a bash shell script is retrieved from an external domain and run to download the RedTail payload matching the host's CPU architecture.
RedTail has been known to exploit various security flaws in TP-Link routers, ThinkPHP, Ivanti Connect Secure, and VMware Workspace ONE Access and Identity Manager. The latest version of the malware, detected in April, includes an encrypted mining configuration used to launch the XMRig miner, indicating a deep understanding of crypto-mining on the part of the threat actors.
The sophistication and level of polish observed in RedTail suggest a high level of investment in running a private crypto-mining operation, leading researchers to speculate that the attack group behind it may be nation-state-sponsored. This advanced malware employs evasion and persistence techniques to hinder analysis, making it a notable threat in the cryptocurrency mining landscape.