Hackers Leverage Redis Vulnerability to Deploy New Redigo Malware on Servers

In a concerning development for cybersecurity, a newly identified strain of Go-based malware is specifically targeting Redis servers, aiming to take control of these systems and potentially form a botnet. This malware, referred to as Redigo, exploits a critical vulnerability in the open-source, in-memory key-value store disclosed earlier this year, as reported by cloud security firm Aqua.

The vulnerability, designated as CVE-2022-0543, has a CVSS score of 10.0 and involves a sandbox escape in the Lua scripting engine. This flaw can be leveraged by attackers to achieve remote code execution, a tactic that poses significant risks to organizations utilizing Redis for database management.

This isn’t the first instance of this vulnerability being actively exploited. Juniper Threat Labs previously reported the Muhstik botnet targeting Redis servers in March 2022, using the same vulnerability to execute arbitrary commands. The new Redigo infection process shares similarities, beginning with the scanning of exposed Redis servers on port 6379 for initial access.

Once access is gained, the malware downloads a shared library named “exp_lin.so” from a remote server. This library includes the exploit for CVE-2022-0543 and executes commands to retrieve Redigo from the same source while simulating legitimate Redis cluster communication over port 6379.

Aqua researcher Nitzan Yaakov noted that the malware mimics Redis server communication, allowing attackers to obscure their communications between the compromised hosts and their command-and-control (C2) server. The true intentions behind these attacks remain unclear, but analysts suspect that these compromised systems could eventually be repurposed for DDoS attacks or to exfiltrate sensitive data from databases.

Organizations employing Redis should urgently review their security measures, particularly concerning the exposed instances on port 6379. Given the potential implications of botnet integration, as outlined in the MITRE ATT&CK framework, techniques such as initial access, persistence, and privilege escalation may be applicable to better understand the attack vector and enhance defensive strategies.