Beyond the Radar: Analysing the Linux Variant of RedTail Malware
In the current cybersecurity landscape, Linux systems are increasingly targeted by sophisticated threats and malware, with RedTail serving as a prime example. While the Windows variant of this malware has received considerable attention, its Linux counterpart has largely gone unnoticed. This presentation aims to comprehensively examine this lesser-known Linux variant.
RedTail is a sophisticated malware designed for unauthorized cryptocurrency mining, specifically targeting Monero. First identified in January 2024, it has been active since at least December 2023. Recent iterations demonstrate enhanced evasion and persistence mechanisms, highlighting the significant expertise and resources behind its development.
Previously, RedTail was delivered by exploiting several vulnerabilities, including those affecting ThinkPHP (CVE-2018-20062), Log4j (CVE-2021-44228), VMWare Workspace ONE (CVE-2022-22954), TP-Link routers (CVE-2023-1389), Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887), and PAN-OS (CVE-2024-3400).
This presentation will analyse a recent campaign that delivered newer versions of RedTail via exploits of CVE-2024-4577, a critical security vulnerability in PHP servers.
Through a detailed analysis and structured workflow, we will explore RedTail’s inner workings. This deep dive will include an overview of RedTail’s behaviour, persistence mechanisms, interactions with miner pools, encrypted communication methods, monitoring and concealment capabilities, and the development of a Command and Control (C2) environment. By understanding these aspects, we aim to shed light on this sophisticated threat and enhance our defense strategies against it.
Prashant Tilekar – Forescout Technologies
Prashant Tilekar is a senior threat detection engineer at Forescout technology, he has over 9 years of experience in the cyber security domains. He specializes in threat detection, threat hunting, deep malware analysis, reverse engineering, APT campaign tracking and threat intelligence analysis. Additionally, he is committed to spreading his knowledge through writing blogs, white papers and participating in international conferences. Prashant has been a speaker at many top security conferences, including VB2023, AVAR2023, AVAR2021 and ThreatCon.