Security researchers have uncovered a new cryptojacking campaign that uses a previously unseen piece of malware, dubbed Migo, to target Redis servers on Linux hosts. The campaign came to light after Cado Security researchers observed novel commands being used to exploit Redis systems in the wild.
Initial access
According to Cado Security, Migo is distributed as a Golang ELF binary with compile-time obfuscation and the ability to persist on Linux hosts.
The initial access stage of the attack involves disabling several Redis configuration options using specific Redis CLI commands.
For instance, the attackers turn off protected mode (protected-mode) and the replica-read-only setting, weakening the server's defaults to make their follow-on activity easier.
Dropping payload
After gaining access, they issue a series of commands to retrieve malicious payloads, including Migo, from external hosting services such as Transfer.sh and Pastebin.
These payloads are designed to mine cryptocurrency in the background while remaining undetected.
Migo abilities
Its primary function is to fetch, install, and launch a modified XMRig miner on the compromised endpoint, pulling it directly from GitHub's CDN.
It employs a user-mode rootkit to hide its processes and files, making detection difficult. It also modifies /etc/hosts to block communication with cloud service providers, hiding its activity during infection.
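The two tampering signs described above, the disabled Redis hardening options and the rewritten /etc/hosts, can both be audited from a host. The following is an added example and not Cado Security's tooling or the malware's code; the redis.conf and /etc/hosts contents are constructed samples, and the hostname agent.cloud-provider.example is a placeholder.

```python
# Added example (not Cado Security's or the malware's code): audit checks for
# the two tampering signs the article describes. Sample inputs are constructed.

# Redis hardening options the campaign switches off, with their default values.
EXPECTED_REDIS_SETTINGS = {"protected-mode": "yes", "replica-read-only": "yes"}

# A non-local hostname mapped to one of these addresses is effectively blackholed.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

SAMPLE_CONF = """# constructed: redis.conf after the tampering described above
port 6379
protected-mode no
replica-read-only no
"""

SAMPLE_HOSTS = """127.0.0.1   localhost
::1         ip6-localhost ip6-loopback
10.0.0.5    db01.internal.example           # legitimate static entry
127.0.0.1   agent.cloud-provider.example    # constructed: provider hostname pinned to loopback
"""


def parse_redis_config(text):
    """Parse redis.conf-style 'key value' lines; comments and blank lines are ignored."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        settings[parts[0].lower()] = parts[1].strip('"').lower() if len(parts) > 1 else ""
    return settings


def weakened_settings(settings):
    """Return {option: actual} for hardening options explicitly set away from their default."""
    return {k: settings[k] for k, default in EXPECTED_REDIS_SETTINGS.items()
            if settings.get(k, default) != default}


def sinkholed_hosts(hosts_text):
    """Return non-local hostnames that /etc/hosts pins to a loopback or blackhole address."""
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in SINKHOLE_ADDRS:
            hits.extend(name for name in fields[1:] if name.lower() not in LOCAL_NAMES)
    return hits


if __name__ == "__main__":
    print("weakened redis settings:", weakened_settings(parse_redis_config(SAMPLE_CONF)))
    print("sinkholed hosts:", sinkholed_hosts(SAMPLE_HOSTS))
```

On a real host, point parse_redis_config at the on-disk redis.conf and sinkholed_hosts at the contents of /etc/hosts; an unset option is treated as its default, so only an explicit downgrade is reported.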
Cloud-based applications - a viable attack vector
Redis, together with other popular cloud-native technologies such as Kubernetes, Docker, and Jupyter Notebook, has become a favoured target for cybercriminals launching DDoS attacks or mining cryptocurrency illegally.
Recently, a cryptojacking campaign named Commando Cat was found leveraging vulnerable Docker APIs as an initial access vector to facilitate the delivery of additional payloads and shell scripts.
Conclusion
The appearance of Migo demonstrates that cloud-focused attackers are continuously refining their techniques and tactics to exploit web-facing services. Even the use of the Go language to produce a compiled binary suggests that the attackers are honing their evasion tactics. As their activities remain on the radar of security experts, organizations should accelerate their threat-hunting and investigation processes by leveraging the IOCs associated with the malware.