Do Son 
Amid a surge in attacks targeting exposed internet-facing services, cybersecurity experts have identified a new malicious campaign aimed at publicly accessible Redis servers. Dubbed RedisRaider, the operation has been meticulously analyzed by the team at Datadog Security Labs.
The attackers specifically target vulnerable Redis instances exposed to the internet. Using a custom-built scanner, they methodically probe random segments of the IPv4 address space in search of accessible Redis servers. Once a target is found, the INFO command is issued to determine if the instance is running on a Linux system. If confirmed, a malicious cron job is implanted.
The exploitation process employs legitimate Redis configuration commands, such as SET and CONFIG, to alter the working directory to /etc/cron.d. A file masquerading as a database entry—named “apache”—is then written to this directory. It contains an obfuscated Bash script that fetches and executes the primary malicious payload: a Go-based binary known as RedisRaider.
Once deployed, the binary downloads a customized version of the popular XMRig miner, which is used to mine Monero cryptocurrency. RedisRaider is also equipped with lateral movement capabilities, allowing it to propagate across the network and infect other vulnerable Redis instances—enabling horizontal scalability and maximizing illicit profits.
The campaign’s operators have taken deliberate steps to evade detection. These include setting minimal Time-To-Live (TTL) values for keys and deploying unconventional database configurations, making both the malicious activity and subsequent forensic analysis significantly more difficult. In addition to deploying the miner, the RedisRaider infrastructure also hosts a web interface for Monero mining, reflecting a hybrid monetization strategy.
Investigators found that the attackers acted systematically, focusing their efforts on credential stuffing attacks targeting administrative accounts and shared mailboxes. Most of the suspicious activity originated from IP addresses in Eastern Europe and the Asia-Pacific region. In total, over 50,000 brute-force attempts were recorded against standard user accounts and nearly 10,000 against administrative credentials—with the attack rate exceeding 1,000 attempts per hour.
A similar technique was observed in a large-scale email compromise campaign in 2021, in which cybercriminals bypassed security controls using IMAP/POP3 and the BAV2ROPC protocol to exfiltrate sensitive data. To defend against such threats, experts strongly advise disabling legacy protocols—particularly BAV2ROPC and SMTP AUTH in Exchange Online—and enforcing strict Conditional Access policies.
Donate