Beyond the Radar: Analysing the Linux Variant of RedTail Malware

In the current cybersecurity landscape, Linux systems are increasingly targeted by sophisticated threats and malware, with RedTail serving as a prime example. While the Windows variant of this malware has received considerable attention, its Linux counterpart has largely gone unnoticed. This presentation aims to comprehensively examine this lesser-known Linux variant.

RedTail is a sophisticated malware designed for unauthorized cryptocurrency mining, specifically targeting Monero. First identified in January 2024, it has been active since at least December 2023. Recent iterations demonstrate enhanced evasion and persistence mechanisms, highlighting the significant expertise and resources behind its development.

Previously, RedTail was delivered by exploiting several vulnerabilities, including those affecting ThinkPHP (CVE-2018-20062), Log4j (CVE-2021-44228), VMware Workspace ONE (CVE-2022-22954), TP-Link routers (CVE-2023-1389), Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887), and PAN-OS (CVE-2024-3400).

This presentation will analyse a recent campaign that delivered newer versions of RedTail via exploits of CVE-2024-4577, a critical security vulnerability in PHP servers.

Through a detailed analysis and structured workflow, we will explore RedTail’s inner workings. This deep dive will include an overview of RedTail’s behaviour, persistence mechanisms, interactions with miner pools, encrypted communication methods, monitoring and concealment capabilities, and the development of a Command and Control (C2) environment. By understanding these aspects, we aim to shed light on this sophisticated threat and enhance our defense strategies against it.

Prashant Tilekar – Forescout Technologies

Prashant Tilekar is a senior threat detection engineer at Forescout Technologies with over 9 years of experience in the cybersecurity domain. He specializes in threat detection, threat hunting, deep malware analysis, reverse engineering, APT campaign tracking and threat intelligence analysis. Additionally, he is committed to sharing his knowledge through writing blogs and white papers and participating in international conferences. Prashant has been a speaker at many top security conferences, including VB2023, AVAR2023, AVAR2021 and ThreatCon.