New Linux Malware “Migo” Exploits Redis for Cryptojacking, Disables Security

Migo Malware Campaign: User-Mode Rootkit Hides Cryptojacking on Linux Systems.

New “Migo” malware targets Linux servers, exploiting Redis for cryptojacking. Using a user-mode rootkit, hides its activity, making detection difficult. Secure your Redis servers and stay alert!

A sophisticated Linux malware campaign has been discovered targeting Redis, a popular data store system, to gain initial access using “System Weakening Commands,” revealed Cado Security Labs.

Cado researchers disclosed that the malware, dubbed Migo, exploits Redis for cryptojacking. The attackers execute commands on their target’s Redis servers to disable configuration options and make them vulnerable before deploying the payload.

The primary payload, Migo, is a Golang ELF binary that retrieves an XMRig installer from GitHub. Redis system weakening commands are used to disable configuration options, such as protected mode and replica-read-only, using CLI commands to execute malicious payloads from external sources like Pastebin to mine cryptocurrency in the background.

For your information, Protected mode is a Redis server operating mode introduced in version 3.2.0 to mitigate potential network exposure. It only accepts connections from the loopback interface and is likely disabled at initial access to allow attackers to send additional commands.

Conversely, the replica-read-only feature in Redis prevents accidental writes to replicas that may result in out-of-sync. Cado researchers report exploitation of this feature for malicious payload delivery, with Migo attackers likely disabling it for future Redis server exploitation.

Migo uses compile-time obfuscation and a user-mode rootkit ‘libprocesshider,’ to hide processes and artefacts, making it difficult for security analysts to detect and mitigate the threat. Once the miner is installed, Migo sets XMRig’s configuration to query system information, including logged-in users and resource limits.

“It also sets the number of Huge Pages available on the system to 128, using the vm.nr_hugepages parameter. These actions are fairly typical for cryptojacking malware,” Matt Muir, Cado Security’s security researcher noted in a blog post.

It executes shell commands to copy the binary, disable SELinux, identify uninstallation scripts, execute the miner, kill competing processes, register persistence, and prevent outbound traffic to specific IP addresses and domains.

Moreover, Migo relies on systemd service and timer for persistence and the developers have obfuscated symbols and strings in the pclntab structure to complicate the malware analysis process. The involvement of a user-mode rootkit also complicates post-incident forensics of compromised hosts, and libprocesshider hides on-disk artefacts.

Migo’s emergence shows that cloud-focused attackers are continually refining their techniques and focused on exploiting web-facing services. They used Redis system weakening commands to disable security features, a move not previously reported in campaigns exploiting Redis for initial access, researchers concluded.

  1. Hackers behind Mirai botnet & DYN DDoS attacks plead guilty
  2. Hackers behind Mirai botnet to avoid jail for working with the FBI
  3. Tiny Mantis Botnet Can Launch Powerful DDoS Attacks Than Mirai
  4. Reaper malware outshines Mirai; hits millions of IoT devices worldwide
  5. Mirai Variant ‘OMG’ Turns IoT Devices into Proxy Servers for Cryptomining
Related Posts