February 21, 2024 at 07:45AM
New malware targets Redis servers with a user mode rootkit and cryptocurrency miners, weakening the servers' security settings before deploying the Golang-based payload ‘Migo’. The attacks use persistence mechanisms, the ‘libprocesshider’ rootkit, and obfuscation to evade detection. The threat actors demonstrate evolving capabilities, combining established and new techniques against Redis servers.
Key takeaways from the meeting notes:
– Cado reports a new malware targeting Redis servers, deploying a user mode rootkit and cryptocurrency miners.
– Attackers disable security features of the target Redis servers to weaken them before deploying the malicious payload.
– The primary payload ‘Migo’ is written in Golang; it retrieves an XMRig installer from GitHub and, once installed, queries the system for information.
– The malware relies on a systemd service with a timer for persistence and deploys a modified version of the known user mode rootkit ‘libprocesshider’ to hide on-disk artifacts.
– The malware developers have obfuscated symbols and strings to hinder reverse-engineering and malicious process detection.
– The campaign used Redis system-weakening commands that had not been reported previously, showcasing the threat actors’ evolving capabilities.
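As an added defender-side illustration (not code from Cado's report or from the Migo malware itself), the Python script below audits a host for the three conditions the takeaways describe: a redis.conf whose protections have been switched off, a shared object registered in /etc/ld.so.preload (the loading mechanism the libprocesshider rootkit relies on), and a systemd timer whose service runs a binary from a writable scratch directory. The Redis directive names are real; the sample configuration, the preload path and the unit files are constructed for this example, and the scratch-directory heuristic is an assumption of this example, not something the report states.

```python
"""Offline audit of captured redis.conf, /etc/ld.so.preload and systemd unit files.

All inputs are passed as text so the checks can be run against files copied
from a suspect host. Sample data at the bottom is constructed for illustration.
"""
from typing import Dict, List, Optional

# Wildcard bind addresses that expose Redis on every interface.
WILDCARD_BINDS = {"0.0.0.0", "*", "::"}
# Heuristic (assumption of this example): services started from these
# directories are unusual for legitimate timers and worth a closer look.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/root/", "/home/")


def audit_redis_conf(conf_text: str) -> List[str]:
    """Return findings for directives that remove Redis' built-in protections."""
    directives: Dict[str, List[str]] = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        directives.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")

    findings: List[str] = []
    # protected-mode defaults to "yes"; the last occurrence wins in redis.conf.
    if directives.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode is disabled")
    binds = directives.get("bind")
    if binds is None:
        findings.append("no bind directive: Redis listens on all interfaces")
    elif any(tok.lstrip("-") in WILDCARD_BINDS for b in binds for tok in b.split()):
        findings.append("bind exposes all interfaces (%s)" % ", ".join(binds))
    # Authentication can come from requirepass or from ACL "user" lines.
    has_acl_auth = any("nopass" not in u for u in directives.get("user", []))
    if "requirepass" not in directives and not has_acl_auth:
        findings.append("no authentication configured (requirepass or ACL users)")
    return findings


def audit_ld_preload(preload_text: str) -> List[str]:
    """Return every library path listed in /etc/ld.so.preload.

    LD_PRELOAD-style rootkits such as libprocesshider register a shared object
    here so that every dynamically linked process loads it. On a clean host the
    file is normally absent or empty, so any entry deserves verification.
    """
    entries = (line.strip() for line in preload_text.splitlines())
    return [e for e in entries if e and not e.startswith("#")]


def _unit_value(unit_text: str, section: str, key: str) -> Optional[str]:
    """Minimal systemd unit parser: first value of `key` inside `[section]`."""
    current = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == section and "=" in line:
            k, _, v = line.partition("=")
            if k.strip() == key:
                return v.strip()
    return None


def audit_systemd_units(units: Dict[str, str]) -> List[str]:
    """Flag timers whose companion service executes from a scratch directory.

    `units` maps unit file name to file contents (e.g. read from
    /etc/systemd/system). A .timer without an explicit Unit= activates the
    .service of the same name, which is how the lookup below resolves it.
    """
    findings: List[str] = []
    for name, text in units.items():
        if not name.endswith(".timer"):
            continue
        target = _unit_value(text, "Timer", "Unit") or name[: -len(".timer")] + ".service"
        service = units.get(target)
        if service is None:
            continue
        exec_start = _unit_value(service, "Service", "ExecStart") or ""
        # systemd allows "-" and "@" prefixes on the executable path.
        if exec_start.lstrip("-@").startswith(SUSPECT_DIRS):
            findings.append(f"{name} -> {target} runs {exec_start}")
    return findings


# --- constructed sample inputs -------------------------------------------
SAMPLE_REDIS_CONF = """# constructed: a weakened redis.conf
bind 0.0.0.0
protected-mode no
port 6379
"""
SAMPLE_LD_PRELOAD = "/usr/local/lib/libsystem.so\n"   # constructed path
SAMPLE_UNITS = {
    "system-update.timer": "[Unit]\nDescription=update\n[Timer]\nOnBootSec=60\nOnUnitActiveSec=300\n",
    "system-update.service": "[Service]\nExecStart=/tmp/.x/update\n",   # constructed
    "logrotate.timer": "[Timer]\nOnCalendar=daily\n",
    "logrotate.service": "[Service]\nExecStart=/usr/sbin/logrotate /etc/logrotate.conf\n",
}

if __name__ == "__main__":
    for finding in audit_redis_conf(SAMPLE_REDIS_CONF):
        print("redis:", finding)
    for lib in audit_ld_preload(SAMPLE_LD_PRELOAD):
        print("ld.so.preload entry:", lib)
    for finding in audit_systemd_units(SAMPLE_UNITS):
        print("systemd:", finding)
```

Each function takes text rather than reading the live filesystem, so the same checks work against files collected during triage; on a live host, feed it the contents of `/etc/redis/redis.conf`, `/etc/ld.so.preload` and the unit files under `/etc/systemd/system`.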
Related reports include a new worm targeting Redis servers, a botnet ensnaring Redis servers for cryptomining, and a new backdoor targeting Redis servers.