RedTail Cryptomining Malware Exploits PAN-OS Vulnerability

Researchers from Akamai say the threat actor behind cryptomining software dubbed RedTail because of its redtail hidden file name evinces a deep understanding of cryptomining.

It appears that threat actors operate their own mining pools or pool proxies rather than using public ones. “They are opting for greater control over mining outcomes despite the increased operational and financial costs associated with maintaining a private server,” Akamai researchers said. The hackers also “use the newer RandomX algorithm” for greater efficiency and alter operating system configuration to use larger memory blocks – hugepages – to boost performance.

Hackers’ use of private mining pools mirrors tactics used by North Korea’s Lazarus Group, although Akamai doesn’t attribute the hackers to any group. Cash-starved North Korea is notorious for for-profit hacking operations that include a heavy dosage of cryptocurrency theft and other creative ways to evade sanctions to raise money (see: US FBI Busts North Korean IT Worker Employment Scams).

After being initially spotted earlier this year, the RedTail malware has evolved to include anti-research techniques, making it more challenging for security researchers to analyze and mitigate the threat.

Akamai says its operators were quick to exploit the PAN-OS vulnerability tracked as CVE-2024-3400, which allows attackers to create an arbitrary file enabling command execution with root user privileges (see: Likely State Hackers Exploiting Palo Alto Firewall Zero-Day).

Additional notable targets include TP-Link routers, the China-origin content management system ThinkPHP and Ivanti Connect Secure. Security researchers warn that advanced hackers, including state-sponsored threat actors, are focusing on edge devices due to their patchy endpoint detection and proprietary software that hinders forensic analysis (see: State Hackers’ New Frontier: Network Edge Devices).