The RedTail cryptocurrency mining malware has been marked as manipulating a crucial zero-day vulnerability in Palo Alto Networks’ firewall software, PAN-OS. This vulnerability, followed by CVE-2024-3400, has a CVSS score of 10.0, implying its harshness. The flaw permits unauthenticated attackers to conduct random code with core benefits on the affected firewall systems, posing a considerable hazard to associations depending on these machines for network protection.

The exploitation strategy starts with the assaulters leveraging the CVE-2024-3400 vulnerability to achieve unauthorized access to the firewall. Once access is received, the assailants direct orders to recover and execute a gathering shell script from an exterior territory. This script is liable for downloading the RedTail payload, which is tailored to the compromised system’s CPU architecture. The malware then begins its cryptomining operations, using the system’s resources to abundance cryptocurrency.

Evasion and advanced techniques

The latest iteration of RedTail includes many advanced strategies to avoid detection and investigation. According to Akamai’s security investigators, the malware now contains new anti-analysis elements, such as forking itself numerous times to slow debugging actions and removing any samples of the GNU Debugger (GDB) it encounters. These enhancements make it more difficult for safety experts to investigate and mitigate the hazard.

The malware’s design has also been updated to contain an encrypted mining configuration, which establishes the implanted XMRig miner. Notably, the latest version of RedTail does not include a cryptocurrency wallet, indicating that the danger actors have been redirected to operating personal mining pools or pool representatives. This change permits them more significant power over mining results despite the improved working and economic costs of holding a secret server.

RedTail’s influence is not restricted to Palo Alto Networks firewalls. The malware has also been honored manipulating other known vulnerabilities in different machines and software, including TP-Link routers (CVE-2023-1389), ThinkPHP (CVE-2018-20062), Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887), and VMWare Workspace ONE Access and Identity Manager (CVE-2022-22954). This range of marks emphasizes the malware’s versatility and the assaulters’ vast understanding of other systems.

RedTail was first documented in January 2024 by protection investigator Patryk Machowiak, who recognized its use in a movement manipulating the Log4Shell vulnerability

(CVE-2021-44228) to deploy the malware on Unix-based systems. Since then, the malware has developed greatly. In March 2024, Barracuda Networks reported cyber attacks that leveraged defects in SonicWall (CVE-2019-7481) and Visual Tools DVR (CVE-2021-42071) to establish Mirai botnet variants and deploy RedTail.

The latest version caught in April 2024 contains important updates, such as the benefit of the RandomX algorithm for greater mining efficiency and improvements to the working system setup to use bigger remembrance blocks (hugepages), enhancing implementation. While Akamai has not attributed the RedTail malware to any distinct group, the culture, and resources needed to manage a secret cryptomining pool indicate the involvement of a nation-state-sponsored group.

The tactics the cyberpunks use mirror those employed by North Korea’s Lazarus Group understood for its for-profit hacking operations and cryptocurrency heists. The exploitation of the CVE-2024-3400 vulnerability by the RedTail cryptominer highlights the crucial requirement for associations to use safety patches and updates promptly.