With the ultimate goal of mining cryptocurrency on compromised Linux hosts, a new malware campaign has been seen targeting Redis servers for initial access.
In a technical report, Cado security researcher Matt Muir stated that” this particular campaign involves the use of several novel system weakening techniques against the data store itself.”
A malware code called Migo, a Golang ELF binary with compile-time obfuscation and the ability to persist on Linux machines, facilitates the cryptojacking attack.
The campaign, according to the cloud security company, was discovered after it discovered a “unusual series of commands” directed at its Redis honeypots, which disable the following configuration options in order to weaken security defenses.
These options may be disabled in order to enable future exploitation without drawing much attention to themselves by sending more commands to the Redis server from outside networks.
Threat actors then set up two Redis keys, one pointing to an attacker-controlled SSH key and the other to a cron job that retrieves the malicious primary payload from the Transfer file transfer service. sh, a method that was first noticed in the beginning of 2023.
the shell script for Transfer’s Migo fetch. A Pastebin file that contains sh is obtained by using the curl or wget commands.
Persistence |
Along with having mechanisms to prevent reverse engineering, the Go-based ELF binary also downloads an XMRig installer that is hosted on Git Hub. Additionally, it is in charge of carrying out a series of actions to launch the miner, put an end to rival miners, and establish persistence.
Additionally, Migo disables Security-Enhanced Linux ( SELinux ) and looks for uninstallation scripts for monitoring agents included in compute instances from cloud service providers like Qcloud and Alibaba Cloud. A modified version ( libsystemd ) is also deployed. libprocesshider, a well-known user-mode rootkit, to conceal operations and on-disk artifacts.
It’s important to note that these actions are similar to those used by well-known cryptojacking organizations like TeamTNT, WatchDog, Rocke, and SkidMap malware threat actors.
According to Muir,” It’s interesting how Migo seems to iterate recursively through files and directories under/etc.” ” The malware wo n’t do anything with the contents of these files; it will just read them.”
According to one theory, this could be a ( weak ) attempt to categorize non-malicious sandbox and dynamic analysis solutions by carrying out numerous benign actions.
Although Cado claimed there was no evidence to back up this theory, another theory is that the malware is searching for a piece of equipment unique to the target environment.
According to Muir,” Migo shows that cloud-focused attackers are constantly improving their methods and their capacity to exploit web-facing services.”
Although cryptojacking campaigns frequently employ libprocesshider, this particular variant has the capability to conceal on-disk artifacts in addition to malicious processes themselves.