Misconfigured Redis database servers are the target of a novel cryptojacking campaign that leverages a legitimate and open source command-line file transfer service to implement its attack.
“Underpinning this campaign was the use of transfer[.]sh,” Cado Security said in a report shared with The Hacker News. “It’s possible that it’s an attempt at evading detections based on other common code hosting domains (such as pastebin[.]com).”
The cloud cybersecurity firm said the command line interactivity associated with transfer[.]sh has made it an ideal tool for hosting and delivering malicious payloads.
The attack chain commences with targeting insecure Redis deployments, followed by registering a cron job that leads to arbitrary code execution when parsed by the scheduler. The job is designed to retrieve a payload hosted at transfer[.]sh.
It’s worth noting that similar attack mechanisms have been employed by other threat actors like TeamTNT and WatchDog in their cryptojacking operations.
images from Hacker News