Increase in SSH Connections Linked to RedTail Malware Installation
Quick take - David Fitzmaurice’s investigation into a rise in SSH connections on a DShield Honeypot reveals that the RedTail malware, which exploits weak credentials for initial access, is being installed on victim devices, leading to crypto mining activities and highlighting the need for improved detection and prevention strategies in both small and large networks.
Fast Facts
- David Fitzmaurice’s investigation into a DShield Honeypot revealed a surge in SSH connections leading to the installation of RedTail malware, which communicates with a botnet via DNS requests.
- The malware exploits weak SSH credentials, often default or easily guessable, to gain access and upload files associated with XMRig crypto mining software.
- Detection challenges arise in larger networks, as default configurations of systems like Snort may not alert on such attacks, while Zeek logs relevant activities.
- A Snort rule was created to track connections on port 43782, successfully detecting malware communications without false positives since its deployment.
- The article emphasizes the importance of combining network monitoring tools with log analysis to enhance threat detection and avoid reliance solely on threat intelligence.
Investigation of RedTail Malware Surge
Overview of the SSH Connection Increase
David Fitzmaurice, an intern in the SANS.edu Bachelor’s Degree in Applied Cybersecurity program, has been investigating a recent increase in SSH connections observed over the past six months on a DShield Honeypot. This surge has led to the installation of RedTail malware on victim devices. The malware is installed through SSH connections and, once activated, begins communicating with a botnet by sending DNS requests to command and control IPs.
Methods of Infiltration and Impact
The exploitation of SSH password guessing for initial access is a primary method through which the malware infiltrates networks. The article highlights that small networks can effectively prevent such attacks if SSH servers are not exposed to the internet. However, larger networks face challenges, as devices may often utilize default or weak credentials due to varying skill levels among administrators. Commonly utilized username and password combinations, such as “abc123!@#”, are frequently targeted by attackers.
Upon successful authentication, the attacking server uploads several files to the victim device. These files include setup.sh, redtail.x86_64, redtail.i686, redtail.arm8, redtail.arm7, and clean.sh. The RedTail files are associated with XMRig crypto mining software. The clean.sh script prepares the system for malware installation, while setup.sh selects and installs the appropriate executable file. Once the malware is operational, it initiates two Apache processes to facilitate network communication.
Detection and Prevention Strategies
The malware’s communications are particularly concerning, as it sends DNS requests to servers associated with moneroed[.]net. It also establishes connections on specific ports, namely 43782 and 2137. Notably, the default configuration for Snort, a network intrusion detection system, did not generate alerts for this attack. Zeek’s default setup logged SSH, DNS, and connection activities, but in busy networks, such attacks may remain undetected.
Analysis of the TCP stream for the connection on port 2137 revealed JSON entries that resemble the Stratum mining protocol, indicating potential crypto mining activity. The zeek-cryptomining package was utilized to detect common communications associated with crypto mining, including those from XMRig. Once this package was loaded, logs of malware communications began to surface. The connection on port 43782 involved the transfer of approximately 70,000 bytes of data to the victim device, starting with specific hex bytes (0x0c180000003c) in each transmission.
To enhance detection capabilities, a Snort rule was created to track connections on port 43782 using the observed hex bytes. The rule was verified against documentation for accuracy. Since the deployment of these Snort rules from September 12, 2024, to November 15, 2024, there have been no reported false positives. During this timeframe, the RedTail network utilized three different initial attack IPs, and the sha256 hash for the X86_64 variant changed five times.
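The Zeek logging and Snort rule passages above describe indicators without showing how an analyst would turn them into a hunting pass. The following Python script is an added example, not code from the article or from the DShield project: it reads constructed Zeek conn.log and dns.log excerpts, flags the DNS queries and ports the article names, applies the same port-plus-leading-bytes match the Snort rule uses, and adds a simple heuristic for Stratum-style JSON on the port 2137 stream. The log lines, host addresses, the field subset kept, and the Stratum method names checked are assumptions for illustration; only the domain, the two ports, and the 0x0c180000003c prefix come from the article.

```python
"""Hunting pass over Zeek logs for the RedTail indicators named in the article.
Added example; log content below is constructed, not captured traffic."""
import json

# Indicators from the article (domain written defanged there as moneroed[.]net).
C2_DOMAIN = "moneroed.net"
C2_PORTS = {43782, 2137}
C2_PAYLOAD_PREFIX = bytes.fromhex("0c180000003c")  # leading bytes on port 43782

# Constructed Zeek dns.log excerpt: tab separated, #fields header names the columns.
DNS_LOG = (
    "#fields\tts\tid.orig_h\tid.resp_h\tquery\tqtype_name\n"
    "1726100000.1\t10.0.0.5\t10.0.0.1\tupdates.example.org\tA\n"
    "1726100003.7\t10.0.0.5\t10.0.0.1\tpool.moneroed.net\tA\n"
)

# Constructed Zeek conn.log excerpt with the same header convention.
CONN_LOG = (
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes\n"
    "1726100001.0\t10.0.0.5\t51000\t203.0.113.9\t443\ttcp\t1200\t4800\n"
    "1726100004.2\t10.0.0.5\t51001\t198.51.100.7\t43782\ttcp\t300\t70000\n"
    "1726100005.9\t10.0.0.5\t51002\t198.51.100.7\t2137\ttcp\t900\t1100\n"
)


def parse_zeek_tsv(text):
    """Yield one dict per record, using the #fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def suspicious_dns(text):
    """(source host, query) for lookups of the C2 domain or any subdomain of it."""
    return [
        (r["id.orig_h"], r["query"])
        for r in parse_zeek_tsv(text)
        if r["query"] == C2_DOMAIN or r["query"].endswith("." + C2_DOMAIN)
    ]


def suspicious_conns(text):
    """(source host, destination host, port) for connections to the C2 ports."""
    return [
        (r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"]))
        for r in parse_zeek_tsv(text)
        if int(r["id.resp_p"]) in C2_PORTS
    ]


def matches_c2_signature(dst_port, payload):
    """Same condition as the article's Snort rule: port 43782 and the fixed prefix."""
    return dst_port == 43782 and payload.startswith(C2_PAYLOAD_PREFIX)


def looks_like_stratum(payload):
    """Heuristic for the port 2137 stream: first line is a JSON-RPC object whose
    method is one XMRig's Stratum dialect uses (assumed set of method names)."""
    try:
        first_line = payload.decode("utf-8").splitlines()[0]
        msg = json.loads(first_line)
    except (ValueError, IndexError):  # undecodable bytes, empty, or not JSON
        return False
    return isinstance(msg, dict) and msg.get("method") in {"login", "submit", "job", "keepalived"}


def hunt(dns_text, conn_text):
    """Summarise findings from both logs in one report dict."""
    return {"dns": suspicious_dns(dns_text), "conns": suspicious_conns(conn_text)}


if __name__ == "__main__":
    print(hunt(DNS_LOG, CONN_LOG))
```

Run it as a script to print the report for the constructed logs; in practice `DNS_LOG` and `CONN_LOG` would be read from Zeek's spool directory, and `matches_c2_signature` would be fed the first bytes of each 43782 stream extracted from a capture. Matching on a domain suffix rather than a resolved IP follows the article's point that IPs and hashes changed several times during the observation window while the behaviour did not.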
The article warns against relying solely on threat intelligence for identifying malicious file hashes or IPs, suggesting that such an approach may lead to missed changes. It advocates for the use of a network tap or port mirroring into an intrusion detection system like Snort or Zeek, combined with log analysis tools such as Grafana to improve threat hunting capabilities. Furthermore, characterizing normal network communications can assist analysts in promptly detecting unusual activities indicative of potential security threats.
Original Source: Read the Full Article Here