Linux/Redis.TSU!tr

Analysis

Linux/Redis.TSU!tr is a generic detection for a trojan.
Because this is a generic detection, malware detected as Linux/Redis.TSU!tr may have varying behaviour.
Below are some of its observed characteristics/behaviours:

  • This malware is associated with the Redis RCE outbreak involving the CVE-2022-0543 vulnerability.

  • Linux/Redis.TSU!tr is an IRC bot. It will attempt to gain access to a victim's system and wait for commands from an IRC server. The malware may perform malicious actions such as a distributed denial-of-service (DDoS) attack, downloading additional malicious payloads, receiving and executing shell commands, and performing SSH brute-force attacks.

  • This malware has been associated with the following third-party articles/advisories:
    https://nvd.nist.gov/vuln/detail/CVE-2022-0543
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0543

  • Below are some of the malware's capabilities:

    Figure 1: Malware capabilities.

  • The following are some of the exact IOCs/file hashes associated with this detection:

Outbreak Alert

TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 contain a command injection vulnerability in the web management interface, specifically in the "Country" field. This field is not sanitized, so an attacker can exploit it for malicious activities and gain a foothold. The vulnerability has been exploited in the wild to deploy the Mirai botnet.


FortiGuard Labs observed a large spike in attack attempts relating to a command injection vulnerability in SolarView Compact (a solar power generation monitoring system), with more than 18,000 unique IPS detections in July 2023. The exploit works because the SolarView Compact confi_mail.php component fails to adequately sanitize user-supplied input, leading to command injection.


Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2023-12-26 92.00073
2023-12-26 92.00063
2023-09-29 91.07416
2023-07-25 91.05424
2023-07-20 91.05275
2023-05-23 91.03531
2023-03-21 91.01630
2023-03-20 91.01603
2023-02-03 91.00244