A new cryptojacking campaign has been discovered that targets insecure Redis database servers. The attack leverages a legitimate and open source command-line file transfer service to implement its attack. Underpinning this campaign was the use of transfer[.]sh.
The cloud cybersecurity firm said the command line interactivity associated with transfer[.]sh has made it an ideal tool for hosting and delivering malicious payloads. The attack chain commences with targeting insecure Redis deployments, followed by registering a cron job that leads to arbitrary code execution when parsed by the scheduler. The job is designed to retrieve a payload hosted at transfer[.]sh.
The payload is a script that paves the way for an XMRig cryptocurrency miner, but not before taking preparatory steps to free up memory, terminate competing miners, and install a network scanner utility called pnscan to find vulnerable Redis servers and propagate the infection.
Although it is clear that the objective of this campaign is to hijack system resources for mining cryptocurrency, infection by this malware could have unintended effects. Reckless configuration of Linux memory management systems could quite easily result in corruption of data or the loss of system availability.