Will Redis Remain on Threat Actors’ Radar? | WhoisXML API

Threat Reports

Will Redis Remain on Threat Actors’ Radar?

The Mushtik Gang was the first threat group that took advantage of the Redis Lua Sandbox Escape and Remote Code Execution Vulnerability, also known as “CVE-2022-0543,” in March 2022.1 Since then, many attackers2 have exploited the bug to get to their intended targets.

P2PInfect, a self-replicating peer-to-peer (P2P) worm, is just the latest tool a threat group used. Seven indicators of compromise (IoCs) have been made public in July.3

To uncover yet-unidentified Redis attack-connected artifacts, WhoisXML API expanded the list of published IoCs aided by exhaustive DNS intelligence.

Our DNS deep dive uncovered:

  • Six domains containing the string worldive akin to one of the domains identified as P2PInfect IoCs
  • 10,000+ domains containing the string redis, 20 of which have been classified as malicious by a bulk malware check
  • 10,000+ subdomains containing the string redis, six of which turned out to be malicious according to a bulk malware check

Download a sample of the threat research materials now or contact us to access the complete set of research materials.

  • [1] https://cymulate.com/threats/muhstik-gang-targets-redis-servers-2/
  • [2] https://securityaffairs.com/139164/malware/redigo-malware-targets-redis-servers.html
  • [3] https://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/#post-129197-_3s6epx4aqq4d
Try our WhoisXML API for free
Get started