New Redigo Malware Targets Vulnerable Redis Servers

Description

FortiGuard Labs is aware of a report that a new malware named "Redigo" was observed to have been installed on Redis honeypot servers vulnerable to CVE-2022-0543. The compromised Redis servers are likely used to perform Distributed Denial of Service (DDoS) attacks and cryptomining.


Why is this Significant?

This is significant because Redigo was installed on vulnerable Redis servers. Redis is an in-memory key-value store that can act as a high-performance database and cache server. Compromised servers are under the control of remote attackers and are likely used for malicious activities.


Created by Google, the Go programming language is platform-independent and can run on various operating systems. Once considered novel, Golang malware is on the rise.


FortiGuard Labs recently published a report on Zerobot, a new IoT botnet written in Golang.


What is Redigo Malware?

Redigo is a new Golang-based malware that was found to be installed on Redis servers vulnerable to CVE-2022-0543. Compromised Redis servers will be connected to malicious Command-and-Control (C2) servers that are likely used for DDoS attacks and cryptomining.


What is CVE-2022-0543?

CVE-2022-0543 is a vulnerability in the Redis packages shipped by Debian, disclosed in February 2022. Successful exploitation allows remote attackers to execute arbitrary code on vulnerable Redis servers.


CVE-2022-0543 has a CVSS score of 10.0.


Is a Patch Available for CVE-2022-0543?

Yes, a patch is available.


What is the Status of Coverage?

FortiGuard Labs provides the following AV signatures for Redigo:

  • Linux/Redis.A!tr
  • PossibleThreat


The reported C2 server is blocked by Web Filtering.


FortiGuard Labs provides the following IPS signature for CVE-2022-0543:

  • Redis.Lua.Sandbox.Remote.Code.Execution
