PULSE NAME
Exposed Redis Instances Abused for Remote Code Execution, Cryptocurrency Mining
WHITE AlienVault 2020-04-22 Modified: 2020-04-22
Recently, we wrote an article about more than 8,000 unsecured Redis instances found in the cloud. In this article, we expound on how these instances can be abused to perform remote code execution (RCE), as demonstrated by malware samples captured in the wild. These malicious files have been found to turn Redis instances into cryptocurrency-mining bots and have been discovered to infect other vulnerable instances via their “wormlike” spreading capability.
Indicators of Compromise (53)