Vulnerable Redis servers targeted by new Redigo malware

BleepingComputer reports that Redis servers that remain unpatched to CVE-2022-0543 are being compromised with the novel Go-based Redigo malware, which is not yet detected on VirusTotal antivirus engines. Attacks with Redigo commence with port 6379 scans to discover exposed Redis instances, which will then be followed by the execution of several commands involving verification of the instance's vulnerability, creation of an attacking server copy, connection configurations, replication stream initiation, and module downloading from the downloaded dynamic library, according to an Aquasec report. Host hardware information is being collected by the backdoor using its command execution capabilities prior to Redigo download and execution. While Redigo's processes following initial environment foothold remain uncertain due to attack duration limits in Aquasec honeypots, Aquasec researchers suspect that vulnerable servers may be added by the malware as a bot for distributed denial-of-service attacks and cryptocurrency mining attacks. Attackers could also leverage the malware to facilitate Redis data theft, according to researchers.