Linux/Redis.TSU!tr
Analysis
Linux/Redis.TSU!tr is a generic detection for a trojan.
Since this is a generic detection, malware detected as Linux/Redis.TSU!tr may vary in behaviour.
Below are some of its observed characteristics and behaviours:
- This malware is associated with the Redis RCE outbreak, which involves the CVE-2022-0543 vulnerability.
- Linux/Redis.TSU!tr is an IRC bot. It attempts to gain access to a victim's system and then waits for commands from an IRC server. The malware may perform malicious actions such as distributed denial-of-service (DDoS) attacks, downloading additional malicious payloads, receiving and executing shell commands, and performing SSH brute-force attacks.
- This malware has been associated with the following third-party articles/advisories:
https://nvd.nist.gov/vuln/detail/CVE-2022-0543
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0543
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability
- FortiGate
- FortiClient
- FortiAPS
- FortiAPU
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR