Recently, cryptojacking attacks have been spreading like wildfire. At Imperva we have witnessed it firsthand and even concluded that these attacks account for roughly 90% of all remote code execution attacks on web applications.

Having said that, all of the attacks we have seen so far were somewhat limited in their complexity and capability. They contained malicious code that downloaded a cryptominer executable and ran it, with either a basic evasion technique or none at all.

This week we saw a new generation of cryptojacking attacks aimed at both database servers and application servers. We dubbed one of these attacks RedisWannaMine.

RedisWannaMine is more complex in terms of evasion techniques and capabilities. It demonstrates a worm-like behavior combined with advanced exploits to increase the attackers’ infection rate and fatten their wallets.

In a nutshell, cryptojacking attackers have upped their game and they are getting crazier by the minute!

Cryptojacking 2.0 / RedisWannaMine

Imperva deploys a network of sensors to gather security intelligence. These sensors are deployed on publicly accessible databases and web servers. This week we recorded an interesting remote code execution (RCE) attack through our web application sensors. When we record an RCE attack that tries to download an external resource, we probe the remote host to gain further security information. This was the case this week when our sensors recorded the following attack vector, which tried to exploit CVE-2017-9805:

When we probed the remote server we found a list of suspicious files:

The list includes known malicious files, like minerd, but also some unknown suspicious files like

When we submitted the hash to VirusTotal, we found it is fairly new: the first submission was on 2018-03-05, and it was detected by only 10 engines:

This shell script file is a downloader that is similar in some ways to older cryptojacking downloaders we know:

  • It downloads a crypto miner malware from an external location
  • It gains persistence on the machine through new entries in crontab
  • It gains remote access to the machine through a new SSH key entry in /root/.ssh/authorized_keys and new entries in the system’s iptables

However, this downloader is unlike any downloader we’ve seen before. In the following sections, we will list the new capabilities it offers.


The script installs a lot of packages using the standard Linux package managers apt and yum. This is probably to make sure it is self-sufficient and does not depend on the libraries present on the victim’s machine. As a hint of what follows, we saw it install packages like git, python, redis-tools, wget, gcc and make.

GitHub integration

The script downloads a publicly available tool, named masscan, from a GitHub repository, then compiles and installs it.

The project page describes it as “TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.”

Also, it offers simple usage examples:

Redis scan and infection

The script then launches another process named “”. The new process uses the masscan tool mentioned above to discover and infect publicly available Redis servers. It does so by creating a large list of IPs, internal and external, and scanning port 6379, the default listening port of Redis.


If one of the IPs in the list answers on that port, the script launches the “” process to infect it with the same crypto miner malware (“”). The infection is done with the redis-cli command-line tool, which the downloader installed earlier, by running the “runcmd” payload.

“runcmd” is a 10-line Redis command script that creates new entries in the Redis server’s crontab directory. It thus infects the server and gains persistence, in case someone notices the malware and deletes it.

Notice that the attacker uses line feeds, “\n”, at the beginning and at the end of each key value. If you run these commands in a Redis server, a file with the following content will be created:
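A defender-side way to spot the outcome described above (an added detection example, not code from the Imperva post): a cron file that Redis wrote is really an RDB snapshot, so it carries the “REDIS” magic header, and the planted crontab line lands on its own line because of the line feeds around the key value. The sample blob and the directory list are constructed for the example.

```python
"""Find cron files that were dropped through Redis rather than written by an admin.

Added detection example, not from the Imperva post. A file that Redis writes into a
cron directory is an RDB snapshot, so it starts with the magic bytes b"REDIS" plus a
4-digit version, and the planted crontab line sits on its own line thanks to the
line feeds padding the key value. The sample blob below is constructed."""
import re
from pathlib import Path

RDB_MAGIC = re.compile(rb"^REDIS\d{4}")
# A crontab entry: five schedule fields, or an @reboot-style shortcut, then a command.
CRON_LINE = re.compile(
    rb"^(?:[\d*/,\-]+\s+){5}\S.*$|^@(?:reboot|hourly|daily|weekly|monthly)\s+\S.*$", re.M)
CRON_DIRS = ("/etc/cron.d", "/var/spool/cron", "/var/spool/cron/crontabs")

# Constructed RDB-like blob: header, one key, and a line-feed-padded value holding a cron line.
SAMPLE_RDB = (b"REDIS0008\xfa\tredis-ver\x054.0.8\xfe\x00\xfb\x01\x00\x00\x03key"
              b"\x29\n\n*/1 * * * * /tmp/constructed-sample.sh\n\n"
              b"\xff\x00\x00\x00\x00\x00\x00\x00\x00")

def rdb_cron_payload(data):
    """Return the cron lines embedded in an RDB-looking blob, or None when the
    blob lacks the RDB magic header (i.e. it is an ordinary crontab)."""
    if not RDB_MAGIC.match(data):
        return None
    return [m.group(0).strip() for m in CRON_LINE.finditer(data)]

def scan_cron_dirs(dirs=CRON_DIRS):
    """Map file path -> planted cron lines for every RDB-dumped file under dirs."""
    hits = {}
    for d in dirs:
        base = Path(d)
        if not base.is_dir():
            continue
        for p in base.iterdir():
            if p.is_file():
                lines = rdb_cron_payload(p.read_bytes())
                if lines is not None:
                    hits[str(p)] = lines
    return hits
```

Run `scan_cron_dirs()` as root on a suspect host; any hit is a cron file that cron will still parse, because cron skips the binary lines and honours the readable one.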

SMB scan and infection

After the script completes the Redis scan, it launches another scan process named “”. This time the new process uses the masscan tool to discover and infect publicly available Windows servers running the vulnerable SMB version. It does so by creating a large list of IPs, internal and external, and scanning port 445, the default listening port of SMB.


In case you’ve been living under a rock: the SMB vulnerability this script scans for was used by the NSA to create the infamous “EternalBlue” exploit. This exploit was later adapted to carry out “WannaCry”, one of the biggest cyberattacks in the world.

When the script finds a vulnerable server, it launches the “” process to infect it. “” runs a Python implementation of the aforementioned “EternalBlue” exploit and drops the file “x64.bin” on the vulnerable machine.

We used the strings command to print all the strings of printable characters in the file and found code that creates a malicious VBScript file named “poc.vbs” and runs it.

“poc.vbs” downloads an executable from an external location, saves it on the vulnerable server as “admissioninit.exe” and runs it. Needless to say, “admissioninit.exe” is a well-known crypto miner malware.

What should I do?

  • Protect your web applications and databases. The initial attack vector was introduced through a web application vulnerability. A properly patched application, or an application protected by a WAF, should be safe.
  • Make sure you don’t expose your Redis servers to the world. This can be achieved with a simple firewall rule.
  • Make sure you don’t run machines with the vulnerable SMB version in your organization. You can use this awesome tool to check it
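The firewall rule is the first line of defence; the Redis configuration itself is the second. The audit below is an added example, not from the Imperva post: it parses a redis.conf and flags the settings that let a masscan-driven scan of port 6379 turn an exposed instance into a cron dropper (an unauthenticated listener on every interface, and a CONFIG command that can still point the save directory at cron). Both config samples are constructed, and the password is a placeholder.

```python
"""Audit a redis.conf for the settings that let a RedisWannaMine-style scan turn
an exposed Redis instance into a cron dropper (CONFIG SET dir/dbfilename + SAVE).
Added example, not from the Imperva post; both conf samples are constructed."""

# Constructed sample: the kind of config an exposed, unauthenticated server ran.
WEAK_CONF = """\
port 6379
bind 0.0.0.0
protected-mode no
dir /var/lib/redis
"""

# Constructed sample: loopback only, authenticated, CONFIG and FLUSHALL disabled.
HARDENED_CONF = """\
port 6379
bind 127.0.0.1 ::1
protected-mode yes
requirepass CHANGE-ME-placeholder
rename-command CONFIG ""
rename-command FLUSHALL ""
"""

def parse_conf(text):
    """Return {directive: [values]} for every non-comment line, keeping repeated directives."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        conf.setdefault(key.lower(), []).append(rest.strip())
    return conf

def audit_redis_conf(text):
    """Return a list of findings; an empty list means none of the checked weak settings is present."""
    conf = parse_conf(text)
    findings = []
    binds = " ".join(conf.get("bind", []))
    if not binds or "0.0.0.0" in binds or "::" in binds.split():
        findings.append("bind: listens on every interface, reachable by scans of port 6379")
    if conf.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode no: unauthenticated remote clients are accepted")
    if "requirepass" not in conf:
        findings.append("requirepass missing: redis-cli from anywhere can run any command")
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v}
    if "CONFIG" not in renamed:
        findings.append("CONFIG not renamed: CONFIG SET dir/dbfilename + SAVE can write a cron entry")
    return findings
```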

