Article Details

Scrape Timestamp (UTC): 2025-05-20 08:25:47.750

Source: https://thehackernews.com/2025/05/go-based-malware-deploys-xmrig-miner-on.html

Original Article Text


Go-Based Malware Deploys XMRig Miner on Linux Hosts via Redis Configuration Abuse

Cybersecurity researchers are calling attention to a new Linux cryptojacking campaign that's targeting publicly accessible Redis servers. The malicious activity has been codenamed RedisRaider by Datadog Security Labs.

"RedisRaider aggressively scans randomized portions of the IPv4 space and uses legitimate Redis configuration commands to execute malicious cron jobs on vulnerable systems," security researchers Matt Muir and Frederic Baguelin said.

The end goal of the campaign is to drop a Go-based primary payload that's responsible for unleashing an XMRig miner on compromised systems.

The activity entails using a bespoke scanner to identify publicly accessible Redis servers across the internet and then issuing an INFO command to determine whether the instances are running on a Linux host. If that is the case, the scanner proceeds to abuse Redis's SET command to inject a cron job.

The malware then uses the CONFIG command to change the Redis working directory to "/etc/cron.d" and to write a database dump file named "apache" to that location, so that the file is picked up by the cron scheduler and runs a Base64-encoded shell script, which subsequently downloads the RedisRaider binary from a remote server.

The payload essentially serves as a dropper for a bespoke version of XMRig and also propagates the malware to other Redis instances, effectively expanding its reach and scale.

"In addition to server-side cryptojacking, RedisRaider's infrastructure also hosted a web-based Monero miner, enabling a multi-pronged revenue generation strategy," the researchers said. "The campaign incorporates subtle anti-forensics measures, such as short-key time-to-live (TTL) settings and database configuration changes, to minimize detection and hinder post-incident analysis."
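The SET, CONFIG SET dir/dbfilename and SAVE sequence described above leaves a recognisable trail in `redis-cli MONITOR` output. The following detector is an added example, not code from the article or from Datadog; the MONITOR lines it parses are constructed for illustration, the cron payload is replaced by the placeholder PAYLOAD_B64, and the directory list and 300-second TTL threshold are assumptions.

```python
"""Spot the Redis cron-injection sequence in `redis-cli MONITOR` output (constructed sample below)."""
import re
import shlex

CRON_DIRS = {"/etc/cron.d", "/etc/cron.hourly", "/etc/cron.daily", "/var/spool/cron"}
SHORT_TTL = 300  # seconds; a key that expires this fast suggests anti-forensics (assumed threshold)
# MONITOR line: <unix_ts> [<db> <ip>:<port>] "CMD" "arg" ...
LINE_RE = re.compile(r'^\d+\.\d+ \[\d+ (?P<client>\S+)\] (?P<cmd>.*)$')
# five schedule fields (each starting with * or a digit), then a user, then a command
CRON_RE = re.compile(r'(?:(?:\*|\d)\S*\s+){5}\S+\s+\S+')
SAMPLE_MONITOR = """\
1747729500.120 [0 203.0.113.5:43210] "SET" "backup1" "\\n*/2 * * * * root echo PAYLOAD_B64|base64 -d|sh\\n" "EX" "60"
1747729500.200 [0 203.0.113.5:43210] "CONFIG" "SET" "dir" "/etc/cron.d"
1747729500.260 [0 203.0.113.5:43210] "CONFIG" "SET" "dbfilename" "apache"
1747729500.300 [0 203.0.113.5:43210] "SAVE"
1747729510.000 [0 10.0.0.7:50000] "SET" "session:42" "ok" "EX" "3600"
"""

def parse_line(line):
    """Return (client, [args]) for one MONITOR line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return (m.group("client"), shlex.split(m.group("cmd"))) if m else None

def analyse(text):
    """Return (client, reason) findings; per-client `dir` is tracked so SAVE is judged in context."""
    findings, cur_dir = [], {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if not parsed or not parsed[1]:
            continue
        client, args = parsed
        cmd = args[0].upper()
        if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
            key, val = args[2].lower(), args[3]
            if key == "dir":
                cur_dir[client] = val.rstrip("/")
                if cur_dir[client] in CRON_DIRS:
                    findings.append((client, f"dir changed to cron directory {val}"))
            elif key == "dbfilename" and not val.endswith(".rdb"):
                findings.append((client, f"dbfilename changed to {val!r}"))
        elif cmd == "SET" and len(args) >= 3:
            if CRON_RE.search(args[2]):
                findings.append((client, f"value of key {args[1]!r} looks like a cron entry"))
            for flag, ttl in zip(args[3:], args[4:]):  # option/value pairs after the value
                if flag.upper() == "EX" and ttl.isdigit() and int(ttl) <= SHORT_TTL:
                    findings.append((client, f"key {args[1]!r} set with short TTL {ttl}s"))
        elif cmd in ("SAVE", "BGSAVE") and cur_dir.get(client) in CRON_DIRS:
            findings.append((client, f"{cmd} issued while dir is {cur_dir[client]}"))
    return findings
```

Running `analyse(SAMPLE_MONITOR)` yields five findings, all from the same client; the benign session key with a one-hour TTL produces none.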
The disclosure comes as Guardz detailed a targeted campaign exploiting legacy authentication protocols in Microsoft Entra ID to brute-force accounts. The activity, observed between March 18 and April 7, 2025, has been found to leverage BAV2ROPC (short for "Basic Authentication Version 2 - Resource Owner Password Credential") to bypass defenses like multi-factor authentication (MFA) and Conditional Access.

"The tracking and investigation revealed systematic exploitation attempts that leveraged BAV2ROPC's inherent design limitations, which predated contemporary security architectures," Elli Shlomo, head of security research at Guardz, said. "The threat actors behind this campaign showed a deep understanding of identity systems."

The attacks are said to have originated mainly from Eastern Europe and the Asia-Pacific regions, primarily targeting admin accounts using legacy authentication endpoints.

"While regular users received the bulk of authentication attempts (50,214), admin accounts and shared mailboxes were targeted at a specific pattern, with admin accounts receiving 9,847 attempts across 432 IPs over 8 hours, suggesting an average of 22.79 attempts per IP and a velocity of 1,230.87 attempts per hour," the company said. "This indicates a highly automated and concentrated attack campaign specifically designed to compromise privileged accounts while maintaining a broader attack surface against regular users."

This is not the first time legacy protocols have been abused for malicious activities. In 2021, Microsoft divulged a large-scale business email compromise (BEC) campaign that used BAV2ROPC and IMAP/POP3 to circumvent MFA and exfiltrate email data.

To mitigate the risks posed by such attacks, it's advised to block legacy authentication via a Conditional Access policy, disable BAV2ROPC, and turn off SMTP AUTH in Exchange Online if it is not in use.

Daily Brief Summary

MALWARE // New Cryptojacking Campaign Targets Linux Redis Servers

Researchers at Datadog Security Labs identified a new cryptojacking campaign, codenamed RedisRaider, targeting public Redis servers on Linux systems.

The campaign uses a customized scanner to locate accessible Redis servers, checks for Linux OS via an INFO command, and then injects a cron job using the SET command.

The malware changes the Redis working directory to "/etc/cron.d", setting up a database file "apache" that executes a Base64-encoded shell script.

This script downloads the RedisRaider binary, which deploys a specialized XMRig miner to harness computing resources for mining Monero cryptocurrency.

The malware also replicates itself to other Redis instances, expanding its impact while incorporating anti-forensics features such as short-key TTLs and database configuration alterations to evade detection.

Moreover, RedisRaider supports a web-based Monero miner for additional revenue, signifying a complex, multi-pronged financial strategy by the threat actors.

Additionally reported was a separate campaign exploiting Microsoft Entra ID's legacy authentication protocols for targeted brute-force attacks, originating mainly from Eastern Europe and Asia-Pacific and aimed primarily at admin accounts.