
RedTail Cryptomining Malware Exploits PAN-OS Vulnerability

Threat Actors Mirror the Tactics of North Korea's Lazarus Group
It's cheaper to cryptomine on other people's computers than to build your own mining rig, pictured. (Image: Shutterstock)

Cryptomining malware that might be North Korean in origin is targeting edge devices, including a zero-day in Palo Alto Networks' custom operating system that the company hurriedly patched in April.


Researchers from Akamai say the threat actor behind the cryptomining software, dubbed RedTail after its hidden file name, shows a deep understanding of cryptomining.

The threat actors appear to operate their own mining pools or pool proxies rather than using public ones. "They are opting for greater control over mining outcomes despite the increased operational and financial costs associated with maintaining a private server," Akamai researchers said. The hackers also "use the newer RandomX algorithm" for greater efficiency and alter the operating system configuration to use larger memory blocks - hugepages - to boost mining performance.
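One defender-side check that follows from the hugepages detail above, as an added example that is not from the article or from Akamai's report: a small Python script that parses /proc/meminfo and flags a host whose huge-page reservation has been raised above its expected baseline. The sample meminfo content is constructed, and the baseline value is an assumption about the host.

```python
import re
from typing import Dict, List

# Constructed sample of /proc/meminfo from a host whose huge-page count was
# raised (example data, not taken from the article or from Akamai's report).
SAMPLE_MEMINFO = """\
MemTotal:        8097216 kB
MemFree:          412308 kB
HugePages_Total:    1280
HugePages_Free:        0
HugePages_Rsvd:        0
HugePages_Surp:        0
Hugepagesize:       2048 kB
"""


def parse_meminfo(text: str) -> Dict[str, int]:
    """Parse /proc/meminfo lines of the form 'Key:   value [kB]' into integers."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s+(\d+)", line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def hugepage_findings(meminfo_text: str, baseline_total: int = 0) -> List[str]:
    """Return findings when huge-page use deviates from the expected baseline.

    baseline_total is the HugePages_Total expected on this host; 0 is assumed
    for servers that run no database or hypervisor workload tuned for hugepages.
    """
    info = parse_meminfo(meminfo_text)
    total = info.get("HugePages_Total", 0)
    free = info.get("HugePages_Free", 0)
    page_kb = info.get("Hugepagesize", 0)
    findings = []
    if total > baseline_total:
        reserved_mib = total * page_kb // 1024
        findings.append(f"HugePages_Total raised to {total} ({reserved_mib} MiB) above baseline {baseline_total}")
    if total and free == 0:
        findings.append("all huge pages are in use; identify the holding process via /proc/<pid>/smaps")
    return findings


if __name__ == "__main__":
    # Run against the live host and print any deviation from the baseline.
    with open("/proc/meminfo") as f:
        for finding in hugepage_findings(f.read()):
            print(finding)
```

Pair the output with a process listing: a miner holding the whole reservation will show a large AnonHugePages or hugetlb mapping in its smaps.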

The hackers' use of private mining pools mirrors tactics used by North Korea's Lazarus Group, although Akamai doesn't attribute the hackers to any group. Cash-starved North Korea is notorious for for-profit hacking operations that include a heavy dose of cryptocurrency theft and other creative ways to evade sanctions and raise money (see: US FBI Busts North Korean IT Worker Employment Scams).

Since it was first spotted earlier this year, the RedTail malware has evolved to include anti-research techniques, making it more challenging for security researchers to analyze and mitigate the threat.

Akamai says its operators were quick to exploit the PAN-OS vulnerability tracked as CVE-2024-3400, which allows attackers to create an arbitrary file enabling command execution with root user privileges (see: Likely State Hackers Exploiting Palo Alto Firewall Zero-Day).

Additional notable targets include TP-Link routers, the China-origin content management system ThinkPHP and Ivanti Connect Secure. Security researchers warn that advanced hackers, including state-sponsored threat actors, are focusing on edge devices due to their patchy endpoint detection and proprietary software that hinders forensic analysis (see: State Hackers' New Frontier: Network Edge Devices).

About the Author

Prajeet Nair


Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
