Security researchers have uncovered a sophisticated malware campaign targeting Redis, a popular data store. The campaign, dubbed “Migo”, uses new tactics to compromise Redis servers, with the ultimate goal of mining cryptocurrency on Linux hosts.
In particular, researchers at Cado Security Labs observed that Migo uses a novel set of Redis system commands to abuse the data store for cryptojacking. Unlike earlier attacks on Redis, this campaign introduces unique techniques for compromising the security of the system.
According to an advisory published earlier today, Migo is distributed as a Golang ELF binary with compile-time obfuscation and the ability to persist on Linux hosts. The malware also bundles a modified version of a popular user-mode rootkit to hide its processes and on-disk artifacts.
The initial-access phase of the attack involves disabling several Redis configuration options via specific CLI commands. For example, the attackers turn off protected mode and replica-read-only to facilitate their malicious activity.
After gaining access, the attackers set a series of keys to execute malicious payloads fetched from external sources such as Transfer.sh and Pastebin. These payloads mine cryptocurrency in the background while staying unnoticed.
As noted above, a remarkable aspect of Migo is its use of compile-time obfuscation to hide important symbols and strings, which complicates reverse-engineering efforts. The malware also uses a user-mode rootkit to hide both its processes and its on-disk artifacts, making the threat harder for security analysts to detect and mitigate.
The campaign's persistence mechanism relies on systemd service and timer units to keep the malware running. Migo also tries to evade detection by modifying the system's hosts file to block outbound traffic to domains associated with cloud providers.
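The host-side checks a defender would run for the tampering described above (protected mode and replica-read-only switched off, and hosts-file entries that sinkhole cloud-provider domains), as an added example that is not from the article or from Cado's report. The Redis config and hosts-file samples are constructed, and the list of hostnames allowed to point at loopback is an assumption to adjust per fleet.

```python
import re
from typing import Dict, List

# Redis directives the campaign is reported to switch off; the secure value is Redis's default.
EXPECTED = {"protected-mode": "yes", "replica-read-only": "yes"}
# Hostnames that legitimately resolve to loopback (assumption: extend for your environment).
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}
# A hosts line that maps one or more names to a null/loopback address, optional trailing comment.
SINKHOLE_RE = re.compile(r"^\s*(?:0\.0\.0\.0|127\.0\.0\.1|::1)\s+(.+?)\s*(?:#.*)?$")


def parse_redis_conf(text: str) -> Dict[str, str]:
    """Parse 'directive value' lines the way redis.conf does (last occurrence wins)."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip().strip('"')
    return conf


def audit_redis_conf(text: str) -> List[str]:
    """Return findings for settings matching the observed tampering or weakening exposure."""
    conf = parse_redis_conf(text)
    findings: List[str] = []
    for key, secure in EXPECTED.items():
        actual = conf.get(key, secure).lower()
        if actual != secure:
            findings.append(f"{key} is '{actual}', expected '{secure}'")
    if not conf.get("requirepass"):
        findings.append("requirepass is not set")
    if "0.0.0.0" in conf.get("bind", "").split():
        findings.append("bind includes 0.0.0.0 (listens on all interfaces)")
    return findings


def hosts_sinkholes(text: str) -> List[str]:
    """Hostnames in /etc/hosts that were pointed at loopback or 0.0.0.0, i.e. blocked egress."""
    blocked: List[str] = []
    for line in text.splitlines():
        m = SINKHOLE_RE.match(line)
        if m:
            blocked += [h for h in m.group(1).split() if h.lower() not in LOCAL_NAMES]
    return blocked


# Constructed samples resembling a tampered host; the domains are placeholders, not indicators.
SAMPLE_CONF = "bind 0.0.0.0\nprotected-mode no\nreplica-read-only no\n"
SAMPLE_HOSTS = ("127.0.0.1 localhost\n::1 localhost ip6-localhost\n"
                "0.0.0.0 updates.cloudvendor.example\n"
                "127.0.0.1 metrics.cloudvendor.example # added by attacker\n")

if __name__ == "__main__":
    for finding in audit_redis_conf(SAMPLE_CONF):
        print("redis:", finding)
    for host in hosts_sinkholes(SAMPLE_HOSTS):
        print("hosts sinkhole:", host)
```

Run the same two functions against the live `redis-cli CONFIG GET *` output (reformatted as directive/value pairs) and the real `/etc/hosts` to turn this into a periodic check.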
“Migo demonstrates that cloud-focused attackers continue to refine their techniques and improve their ability to improve web-facing services,” wrote Cado Security. “Moreover, the use of a user-mode rootkit can compromise post-incident forensic investigation of hosts compromised by Migo.”