A new Linux-based cryptojacking campaign dubbed RedisRaider is exploiting publicly accessible Redis servers, according to researchers at Datadog Security Labs.
The campaign uses legitimate Redis configuration commands to inject malicious cron jobs on vulnerable systems.
RedisRaider scans randomized portions of the IPv4 space, the researchers said, targeting Linux-based Redis instances to deploy its attack.
The operation leverages a Go-based payload that installs the widely used Monero mining software XMRig on compromised machines. The malware uses Redis's SET and CONFIG commands to place a Base64-encoded shell script within the system's cron scheduler, enabling persistent execution and further payload delivery from a remote server.
The malware propagates itself by scanning and compromising additional Redis servers, creating a self-expanding botnet designed to maximize cryptomining output.
The attackers have also deployed a web-based Monero miner, reflecting a dual-revenue strategy. Anti-forensic techniques, such as setting short TTLs on malicious keys and altering database configurations, help the campaign evade detection and complicate forensic analysis.
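As an added detection example (not code from the Datadog report or from the campaign), the following Python script scans `redis-cli MONITOR` output for the command pattern described above: a multi-line value staged with SET, CONFIG SET redirecting the dump directory into cron, a SAVE, and a short TTL on the staging key. The sample MONITOR lines, the list of cron directories and the TTL threshold are constructed assumptions.

```python
import re
import shlex

# Directories a rewritten dump file could land in to be picked up by cron (assumption: typical Linux paths).
CRON_DIRS = ("/etc/cron.d", "/etc/cron.hourly", "/etc/cron.daily", "/var/spool/cron")
SHORT_TTL_SECONDS = 60  # assumption: normal workloads rarely expire a freshly written key this quickly

# One line of `redis-cli MONITOR` output: <timestamp> [<db> <client>] "CMD" "arg" ...
MONITOR_LINE = re.compile(r'^(?P<ts>[\d.]+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<args>".*)$')

# Constructed sample traffic (not real campaign data): one client stages a crontab line in a key,
# redirects the dump directory, saves, then expires the key; a second client behaves normally.
SAMPLE_MONITOR = [
    '1716000000.100 [0 203.0.113.5:40112] "SET" "x" "\\n*/5 * * * * root <redacted-base64-loader>\\n"',
    '1716000000.101 [0 203.0.113.5:40112] "CONFIG" "SET" "dir" "/etc/cron.d"',
    '1716000000.102 [0 203.0.113.5:40112] "CONFIG" "SET" "dbfilename" "root"',
    '1716000000.103 [0 203.0.113.5:40112] "SAVE"',
    '1716000000.104 [0 203.0.113.5:40112] "EXPIRE" "x" "10"',
    '1716000001.000 [0 10.0.0.7:51000] "SET" "session:42" "active"',
    '1716000001.001 [0 10.0.0.7:51000] "EXPIRE" "session:42" "3600"',
]


def parse_monitor_line(line):
    """Return (client, [command, args...]) for one MONITOR line, or None if it does not parse."""
    m = MONITOR_LINE.match(line.strip())
    return (m.group("client"), shlex.split(m.group("args"))) if m else None


def scan_monitor(lines):
    """Return [(client, reason)] for commands matching the SET/CONFIG cron-injection and short-TTL pattern."""
    findings, redirected = [], set()  # redirected: clients that pointed `dir` at a cron directory
    for line in lines:
        parsed = parse_monitor_line(line)
        if not parsed:
            continue
        client, args = parsed
        cmd = args[0].upper()
        if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
            key, value = args[2].lower(), args[3]
            if key == "dir" and any(value.rstrip("/").startswith(d) for d in CRON_DIRS):
                redirected.add(client)
                findings.append((client, f"CONFIG SET dir redirected to cron directory {value}"))
        elif cmd in ("SAVE", "BGSAVE") and client in redirected:
            findings.append((client, f"{cmd} issued after dir redirect: dump file written into cron"))
        elif cmd == "SET" and len(args) >= 3 and "\\n" in args[2]:
            findings.append((client, f"multi-line value stored in key {args[1]!r} (crontab staging)"))
        elif cmd == "EXPIRE" and len(args) >= 3 and args[2].isdigit() and int(args[2]) <= SHORT_TTL_SECONDS:
            findings.append((client, f"short TTL of {args[2]}s on key {args[1]!r} (anti-forensic cleanup)"))
    return findings


if __name__ == "__main__":
    for client, reason in scan_monitor(SAMPLE_MONITOR):
        print(f"{client}: {reason}")
```

Feeding live `redis-cli MONITOR` output into `scan_monitor` line by line gives the same alerts; the client address is kept so findings from one source can be grouped.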