
New Migo Malware Targeting Redis Servers for Cryptocurrency Mining

Recently, a novel campaign has been discovered that targets Redis servers for initial access, with the ultimate goal of mining cryptocurrency on compromised hosts. The campaign uses several system-weakening techniques against the data store to facilitate the cryptojacking attack. The malware, called Migo, is a Golang ELF binary fitted with compile-time obfuscation and the ability to persist on machines. The cloud security company Cado identified the campaign after detecting a series of unusual commands, engineered to lower security defenses, aimed at its Redis honeypots.

According to Cado security researcher Matt Muir, the campaign uses several novel system-weakening techniques against the data store. The attackers disable several configuration options in Redis, including protected-mode, replica-read-only, aof-rewrite-incremental-fsync, and rdb-save-incremental-fsync. By disabling these options, the attackers can send additional commands to the Redis server from external networks and facilitate future exploitation without attracting much attention.
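As an added example (not code from the article or from Cado), the following Python scans Redis MONITOR output for CONFIG SET commands that flip the four options named above to their weakened values, which is one way a defender can spot this tampering early. The sample lines and client addresses are constructed, and the assumed MONITOR layout is the standard `<timestamp> [<db> <client>] "arg" "arg" ...` form, including the multi-pair CONFIG SET syntax.

```python
import re

# Redis options the article reports Migo disabling, with the value that weakens them.
WEAKENED_OPTIONS = {
    "protected-mode": "no",
    "replica-read-only": "no",
    "aof-rewrite-incremental-fsync": "no",
    "rdb-save-incremental-fsync": "no",
}
# One MONITOR line: <timestamp> [<db> <client>] "ARG" "ARG" ...
MONITOR_RE = re.compile(r'^(\d+\.\d+) \[(\d+) (\S+)\] (.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # quoted args, honouring \" and \\ escapes

def parse_monitor_line(line):
    """Return (timestamp, db, client, [args]) or None if the line is not MONITOR output."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    args = [a.replace('\\"', '"').replace("\\\\", "\\") for a in ARG_RE.findall(m.group(4))]
    return m.group(1), int(m.group(2)), m.group(3), args

def weakened_settings(args):
    """Return the (option, value) pairs of a CONFIG SET that match a known weakening."""
    if len(args) < 4 or args[0].upper() != "CONFIG" or args[1].upper() != "SET":
        return []
    pairs = zip(args[2::2], args[3::2])  # CONFIG SET may carry several option/value pairs (Redis 7+)
    return [(o.lower(), v.lower()) for o, v in pairs if WEAKENED_OPTIONS.get(o.lower()) == v.lower()]

def scan_monitor(lines):
    """Collect one finding per weakened option, recording which client set it."""
    findings = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if parsed is None:
            continue
        ts, _db, client, args = parsed
        for option, value in weakened_settings(args):
            findings.append({"ts": ts, "client": client, "option": option, "value": value})
    return findings

# Constructed sample MONITOR output (not real traffic); 198.51.100.23 is a documentation address.
SAMPLE = """\
1708000000.200000 [0 198.51.100.23:40210] "CONFIG" "SET" "protected-mode" "no"
1708000000.300000 [0 198.51.100.23:40210] "CONFIG" "SET" "replica-read-only" "no" "maxmemory" "1gb"
1708000000.400000 [0 198.51.100.23:40210] "CONFIG" "SET" "aof-rewrite-incremental-fsync" "no"
1708000000.500000 [0 198.51.100.23:40210] "CONFIG" "SET" "rdb-save-incremental-fsync" "no"
1708000000.600000 [0 10.0.0.7:51234] "SET" "session:abc" "{\\"user\\": 42}"
"""
for f in scan_monitor(SAMPLE.splitlines()):
    print(f["ts"], f["client"], f["option"], f["value"])
```

The same check can be run against `CONFIG GET` output on a live instance, since any of these options reading `no` on a server that should not expose them is worth an alert regardless of who set it.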

After disabling these options, the threat actors set up two Redis keys, one pointing to an attacker-controlled SSH key and the other to a cron job that retrieves the malicious primary payload from a file transfer service named Transfer.sh. The shell script that fetches Migo from Transfer.sh is embedded in a Pastebin file, which is itself obtained with a curl or wget command.

In addition, Migo incorporates mechanisms to resist reverse engineering, acts as a downloader for an XMRig installer hosted on , establishes persistence, terminates competing miners, and launches the miner. The malware also disables Security-Enhanced Linux (SELinux) and searches for the uninstallation scripts of monitoring agents bundled with cloud providers' compute instances.

Notably, Migo deploys a modified version of a popular user-mode rootkit named libprocesshider to hide processes and on-disk artifacts. This variant includes the ability to hide on-disk artifacts and the malicious processes themselves. The malware appears to iterate through files and directories under /etc recursively. However, it reads files in these locations and does nothing with the contents. This could be a weak attempt to confuse sandbox and dynamic analysis solutions by performing many benign actions, resulting in a non-malicious classification, or it could be looking for an artifact specific to a target environment.

Overall, Migo demonstrates that cloud-focused attackers continue refining their techniques and improving their ability to -facing services.

Want to read more? Check out the original article available at The Hacker News!


Deitasoft © 2024. All Rights Reserved.