Linux Malware Campaign “Migo” Targets Redis For Cryptomining

March 12, 2026

Security researchers have uncovered a sophisticated malware campaign targeting Redis, a popular data store system. This campaign, dubbed “Migo,” employs novel tactics to compromise Redis servers, with the ultimate goal of mining cryptocurrency on Linux hosts.

In particular, Cado Security Labs researchers observed that Migo uses new Redis system-weakening commands to exploit the data store for cryptojacking purposes. Unlike previous attacks targeting Redis, this campaign introduces unique techniques to compromise the system’s security.

According to an advisory published earlier today, Migo is distributed as a Golang ELF binary, featuring compile-time obfuscation and the ability to persist on Linux hosts. Additionally, the malware incorporates a modified version of a popular user mode rootkit to conceal processes and on-disk artifacts.

The initial access stage of the attack involves disabling various configuration options of Redis using specific CLI commands. For instance, the attackers turn off features like protected mode and replica-read-only to facilitate their malicious activities.
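As an added detection example (not code from the Cado advisory or from this article), the following Python scans `redis-cli MONITOR` output for `CONFIG SET` commands that switch off the two options named above. The sample capture and its client addresses are constructed, and the function name `weakening_commands` is hypothetical.

```python
import re
import shlex

# Options the article names as being switched off during initial access.
WATCHED = {"protected-mode", "replica-read-only"}

# redis-cli MONITOR line: <unix time> [<db> <client addr>] "ARG" "ARG" ...
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<cmd>.+)$")


def weakening_commands(monitor_lines):
    """Return (client, option) for every CONFIG SET that disables a watched option."""
    findings = []
    for line in monitor_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a command line (e.g. the initial "OK")
        try:
            args = shlex.split(m["cmd"])
        except ValueError:
            continue  # unbalanced quotes; skip rather than guess
        if len(args) < 4 or [a.upper() for a in args[:2]] != ["CONFIG", "SET"]:
            continue
        # Redis 7 accepts several name/value pairs in one CONFIG SET.
        for name, value in zip(args[2::2], args[3::2]):
            if name.lower() in WATCHED and value.lower() == "no":
                findings.append((m["client"], name.lower()))
    return findings


# Constructed sample capture (addresses are from documentation ranges).
SAMPLE_MONITOR = [
    "OK",
    '1708000001.000100 [0 198.51.100.23:40112] "PING"',
    '1708000002.000200 [0 203.0.113.7:51422] "CONFIG" "SET" "protected-mode" "no"',
    '1708000003.000300 [0 203.0.113.7:51422] "config" "set" "replica-read-only" "no"',
    '1708000004.000400 [0 198.51.100.23:40112] "CONFIG" "SET" "maxmemory" "256mb"',
    '1708000005.000500 [0 198.51.100.23:40112] "CONFIG" "GET" "protected-mode"',
]

if __name__ == "__main__":
    for client, option in weakening_commands(SAMPLE_MONITOR):
        print(f"{client} disabled {option}")
```

A finding from a client address outside the administrative network is the signal worth alerting on, since neither option is normally changed at runtime.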

After gaining access, the attackers set up a series of commands to execute malicious payloads retrieved from external sources such as Transfer.sh and Pastebin. These payloads are designed to mine cryptocurrency in the background while remaining undetected.

As mentioned above, one notable aspect of Migo is its use of compile-time obfuscation to conceal important symbols and strings, complicating reverse-engineering efforts. Additionally, the malware employs a user-mode rootkit to hide both its processes and on-disk artifacts, making it challenging for security analysts to detect and mitigate the threat.


The campaign’s persistence mechanism uses systemd service and timer units to ensure the malware keeps executing. Furthermore, Migo attempts to evade detection by modifying the system’s hosts file to block outbound traffic to domains associated with cloud providers.


“Migo demonstrates that cloud-focused attackers are continuing to refine their techniques and improve their ability to exploit web-facing services,” Cado Security wrote. “In addition, the use of a user-mode rootkit could complicate post-incident forensics of hosts compromised by Migo.”
