New Go-Based Malware ‘RedisRaider’ Exploits Redis Servers to Mine Cryptocurrency

Security experts have uncovered a new malware campaign, RedisRaider, that targets misconfigured Redis servers to secretly mine cryptocurrency. The malware, written in Go, spreads aggressively by exploiting weak Redis configurations, ultimately deploying the XMRig Monero miner on compromised Linux systems.

Datadog Security Labs discovered the campaign and described it as a highly evasive operation using advanced obfuscation techniques to avoid detection.

How it works: Scanning, exploiting, and mining

The attack starts with a custom-built scanner that randomly probes the internet for Redis servers listening on the default port 6379. Once it finds one, it checks whether the host runs Linux.

If confirmed, the malware abuses Redis commands — specifically SET, CONFIG, and BGSAVE — to write a malicious cron job that downloads and executes the RedisRaider payload.

The attackers behind RedisRaider didn’t just build another miner; they made it hard to detect and analyze. The payload is written in Go and heavily obfuscated with a tool called Garble, which hides the purpose of key functions in the binary and makes reverse engineering more difficult.

Additionally, RedisRaider uses anti-forensics techniques like:

  • A short time-to-live (TTL) on the Redis keys it writes, so traces expire quickly.
  • Temporary files written to cron directories to blend in with legitimate system jobs.
  • Deletion of keys and logs after execution to cover its tracks.

Multi-pronged attack: Web-based miner found

Datadog’s investigation didn’t stop at the server-level attack. Researchers also found that the same infrastructure hosted a web-based Monero miner, meaning the attackers generate income from both hijacked Linux servers and unsuspecting website visitors.

“In addition to server-side cryptojacking, RedisRaider’s infrastructure also hosted a web-based Monero miner, enabling a multi-pronged revenue generation strategy,” the researchers wrote in their report.

One server linked to the campaign, hosted on IP 58.229.206[.]107, was found to be running multiple services, including MongoDB, MySQL, Redis, and several HTTP servers. It even served a JavaScript file from a suspicious domain, further expanding the campaign’s reach.

How to protect your systems

Experts recommend the following steps to defend against RedisRaider:

  • Run Redis in protected mode, which disables remote CONFIG commands.
  • Set strong authentication and restrict access to Redis ports.
  • Continuously monitor your systems for unusual activity, like unauthorized cron jobs or unknown binaries in /tmp.

Datadog recommends using Workload Protection security tools that detect malicious behavior in real time, such as cron job injections and the execution of known malware hashes.
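As an added example (not Datadog’s or eSecurity Planet’s code), the following Python audits a redis.conf against the three recommendations above and also recognises a file in a cron directory that is really a Redis dump, which is what a BGSAVE redirected there leaves behind (RDB files begin with the ASCII magic "REDIS"). The sample configurations are constructed, and the rename-command hardening check is an extra step beyond what the article lists.

```python
"""Constructed example (not Datadog's or eSecurity Planet's code): audit a redis.conf
for the settings RedisRaider abuses and recognise a Redis dump dropped into a cron dir."""
import re

CRON_DIRS = ("/etc/cron.d", "/etc/cron.daily", "/etc/cron.hourly", "/var/spool/cron")
# Every Redis RDB file starts with the ASCII magic "REDIS" and a four-digit version.
RDB_MAGIC = re.compile(rb"\AREDIS\d{4}")

def parse_redis_conf(text):
    """Map each directive to its occurrences (list of argument lists); comments skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, *args = line.split()
            conf.setdefault(name.lower(), []).append([a.strip('"') for a in args])
    return conf

def setting(conf, name, default):
    """First argument of the directive's last occurrence, or default if absent/empty."""
    seen = conf.get(name)
    return seen[-1][0] if seen and seen[-1] else default

def audit_redis_conf(text):
    """Findings for protected mode, exposure, auth, CONFIG reachability and a cron working dir."""
    conf = parse_redis_conf(text)
    findings = []
    if setting(conf, "protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode is off: remote clients can reach CONFIG without auth")
    binds = conf["bind"][-1] if "bind" in conf else []
    if not binds or any(b.lstrip("-") in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("bind leaves port 6379 open on all interfaces; restrict to trusted hosts")
    if not setting(conf, "requirepass", ""):
        findings.append("requirepass is unset: anyone who can reach the port is trusted")
    if not any(a and a[0].upper() == "CONFIG" for a in conf.get("rename-command", [])):
        findings.append('CONFIG is reachable under its default name; consider rename-command CONFIG ""')
    workdir = setting(conf, "dir", "./").rstrip("/")
    if any(workdir == d or workdir.startswith(d + "/") for d in CRON_DIRS):
        findings.append(f"dir={workdir}: a BGSAVE here would write the dataset as a cron file")
    return findings

def looks_like_rdb_dump(data):
    """True if a file's first bytes carry the RDB magic, i.e. a Redis dump, not a crontab."""
    return RDB_MAGIC.match(data) is not None

# Constructed samples: an exposed instance of the kind the scanner looks for, and a hardened one.
WEAK_CONF = "bind 0.0.0.0\nport 6379\nprotected-mode no\ndir /etc/cron.d\n"
HARDENED_CONF = ("bind 127.0.0.1 -::1\nprotected-mode yes\nrequirepass <long-random-secret>\n"
                 'rename-command CONFIG ""\ndir /var/lib/redis\n')
```

Running `audit_redis_conf` on the live `CONFIG GET` output works the same way as on the file, since both use the directive-then-arguments form; `looks_like_rdb_dump` is meant for the first bytes of each file found under the cron directories.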

As Datadog’s researchers concluded in their report, “RedisRaider represents a new benchmark in the evolution of Linux-targeted cryptojacking campaigns, combining aggressive worm-like propagation, deep system knowledge, and layered defense evasion techniques.”

Organizations are encouraged to check their Redis servers, review their network exposure, and fix any misconfigurations.

Aminu Abdullahi