RedTail Malware Abuses Palo Alto Flaw in Latest Cryptomining Campaign

Hackers with possible ties to the notorious North Korea-linked Lazarus Group are exploiting a recent critical vulnerability in Palo Alto Network’s PAN-OS software to run a sophisticated cryptomining operation that likely has nation-state backing.

In a report Thursday, threat researchers with Akamai said the bad actors behind this variant of the RedTail cryptomining malware are changing tactics, incorporating the PAN-OS flaw – tracked as CVE-2024-3400 – as well as using advanced evasion and persistence techniques and their own mining pools rather than public crypto wallets.

Some of the techniques mirror those used by the Lazarus Group – something that other researchers have suggested – and display a level of complexity and cost that suggest a nation-state like North Korea is behind the cryptomining campaign.

“There are many glossy cryptominers out there, but seeing one with this level of polish is uncommon,” Akamai security researchers Ryan Barnett, Stiv Kupchik, and Maxim Zavodchik wrote in the report. “The investments required to run a private cryptomining operation are significant, including staffing, infrastructure, and obfuscation. This sophistication may be indicative of a nation-state–sponsored attack group.

They added that “for any business, there is ongoing testing and evolution to ensure that the product (in this case, malware) is successful, which is unlikely to be done without some type of substantial financial backing. The malware was likely quite profitable if it garnered this degree of attention from a sophisticated group.”

RedTail Hit the Scene Months Ago

The RedTail cryptominer was first detected in December 2023 by researchers with Cyber Security Associates, who published a detailed report about it the following month. At the time, it was seen abusing the infamous Log4j vulnerability to mine Monero cryptocurrency using the same commands that the Akamai researchers wrote they found in the latest campaign.

A Lazarus advanced persistent threat (APT) subgroup called Andariel was detected late last year by Cisco’s Talos group running a campaign that exploited the Log4j flaw.

However, targeting the Palo Alto vulnerability to launch the operation is new, Barnett, Kupchik, and Zavodchik wrote. The cryptomining group behind the latest RedTail campaign in the past had targeted flaws found in TP-Link Router (CVE-2023-01389), VMware’s Workspace ONE Access and Identity Manager (CVE-2022-22954), ThinkPHO file inclusion and remote code execution (RCE) through pearcmd (no CVE), and ThinkPHP RCE (CVE-2018-20062).

The list also includes two bugs – CVE-2023-46805 and CVE-2024-21887 – in Ivanti’s SecureConnect, one of several of the software company’s products that have been hampered in recent months by vulnerabilities. Cybersecurity firm GrayNoise detected the abuse of the Ivanti flaws in cryptomining campaigns in January.

Group Abuses a PAN-OS Flaw

Palo Alto disclosed the PAN-OS zero-day vulnerability in an advisory April 11 that had been exploited by a threat group identified as UTA0218 to export device configuration data and to use it as an entry point into victims’ networks, according to report by Veloxity researchers that month.

The Akamai researchers wrote that the Palo Alto flaw “allows an attacker to create an arbitrary file that could eventually enable command execution with root user privileges. Specifically, by setting a particular value in the SESSID cookie, PAN-OS is manipulated into creating a file named after this value. When combined with a path traversal technique, this allows the attacker to control both the filename and the directory in which the file is stored.”

The specific malware servers that served the RedTail variant they tracked were active between early April and the beginning of this month, with the exploitation of the PAN-OS bug beginning at least April 21.

The researchers said initial research into the RedTail malware found that it could be used for distributed denial-of-service (DDoS) and cryptomining campaigns, then determine cryptomining was the bad actor’s goal. It’s a variant of XMRig – a legitimate cryptomining tool that often is used by cybercriminals – though there were significant differences from previous RedTail versions. The malware’s infrastructure uses multiple unrelated servers that are hosted by legitimate hosting companies.

“The malware did not make any ‘home calls’ to retrieve the mining configuration,” Barnett, Kupchik, and Zavodchik wrote. “Instead, the threat actors embedded XMRig’s code into their own code and added their own logic before and after it.”

New Modifications

Among the modifications was an encrypted mining configuration that the malware eventually decrypts before handing control over to the XMRig code. The threat actors also didn’t use a public crypto wallet, suggesting they opted to run their own mining pools or pool proxies, suggested a sophisticated operation in which they wanted greater control of the mining outcomes even those it meant increased operation and financial costs that come with running a private server.

“The configuration also shows that the threat actors are trying to optimize the mining operation as much as possible, indicating a deep understanding of cryptomining,” the researchers wrote. “Unlike the previous RedTail variant reported in early 2024, this malware employs advanced evasion and persistence techniques. It forks itself multiple times to hinder analysis by debugging its process and kills any instance of GDB it finds. To maintain persistence, the malware also adds a cron job to survive a system reboot.”

Money is the Goal

By exploiting the VMware and other flaws, the RedTail bad actors target Internet of Things (IoT) devices, web applications, SSL-VPNs, and security devices, such as Ivanti’s Connect Secure and Palo Alto’s GlobalProtect.

“Though one might assume that the threat actors who are exploiting SSL-VPNs and security devices … are primarily focused on gaining access to the internal network of an organization, these same vulnerabilities can also provide additional revenue streams for the attackers, including state sponsored actors,” they wrote.

That would be in line with North Korea, which runs cyberattacks to steal information and to fund it nuclear and ballistic missile operations. Reuters reported in February that United Nations investigators were looking at 58 cryptocurrency-related cyberattacks on companies by North Korea that brought in $3 billion that the country used for its weapons programs.