Security researchers discovered a new campaign that targets Redis servers on Linux hosts using a piece of malware called ‘Migo’ to mine for cryptocurrency.
Redis (Remote Dictionary Server) is an in-memory data structure store used as a database, cache, and message broker known for its high performance, serving thousands of requests per second for real-time applications in industries like gaming, technology, financial services, and healthcare.
Hackers are always looking for exposed and potentially vulnerable Redis servers to hijack resources, steal data, and other malicious purposes.
What is interesting about the new malware strain is the use of system-weakening commands that turn off Redis security features, allowing cryptojacking activities to continue for extended periods.
The Migo campaign was detected by analysts at cloud forensics provider Cado Security, who observed on their honeypots that the attackers used CLI commands to turn off protective configurations and exploit the server.
Turning off Redis shields
Upon compromising exposed Redis servers, the attackers disable critical security features to allow receiving subsequent commands and making replicas writable.
Cado says they noticed the attackers disabling the following configuration options through the Redis CLI.
- set protected-mode: disabling this allows external access to the Redis server, making it easier for an attacker to execute malicious commands remotely.
- replica-read-only: turning this off enables attackers to write directly to replicas and spread malicious payloads or data modification across a distributed Redis setup.
- aof-rewrite-incremental-fsync: disabling it can lead to heavier IO load during append-only file (AOF) rewrites, potentially aiding attackers in remaining undetected by distracting detection tools with unusual IO patterns.
- rdb-save-incremental-fsync: turning it off can cause performance degradation during RDB snapshot saves, potentially allowing attackers to cause a denial of service (DoS) or manipulate persistence behavior to their advantage.
Next, the attackers set up a cron job that downloads a script from Pastebin, which retrieves Migo’s primary payload (/tmp/.migo) from Transfer.sh to be executed as a background task.
This is a UPX-packed ELD binary compiled in Go, featuring compile-time obfuscation to hinder analysis.
Cado says Migo’s primary function is to fetch, install, and launch a modified XMRig (Monero) miner on the compromised endpoint directly from GitHub’s CDN.
The malware establishes persistence for the miner by creating a systemd service and the associated timer, ensuring that it runs continuously, mining cryptocurrency on the account of the attacker.
Cado reports that Migo employs a user-mode rootkit to hide its processes and files, complicating detection and removal.
The malware modifies ‘/etc/ld.so.preload’ to intercept and alter the behavior of system tools that list processes and files, effectively concealing its presence.
The attack concludes with Migo setting up firewall rules to block outbound traffic to certain IPs and executing commands to disable SELinux, search for and potentially disable cloud provider monitoring agents, and remove competing miners or payloads.
It also manipulates /etc/hosts to prevent communication with cloud service providers, further hiding its activity.
Migo’s attack chain shows that the threat actor behind it has a strong understanding of the Redis environment and operations.
Although the cryptojacking threat isn’t too severe because it does not lead to disruptions or data corruption, the threat actor could use the access to deliver more danagerous payloads.