Tuesday, November 12, 2024
HomeCyber AttackNew Mingo Malware Attacking Linux Redis Servers To Mine Cryptocurrency

New Mingo Malware Attacking Linux Redis Servers To Mine Cryptocurrency

Published on

Malware protection

The malware, termed Migo by the creators, attempts to infiltrate Redis servers to mine cryptocurrency on the Linux host.

The campaign employed many Redis system-weakening commands to potentially disable data store security features that could hinder their initial attempts at access.

Additionally, the campaign uses these commands to carry out a cryptojacking attack on Redis.

- Advertisement - SIEM as a Service

Redis, “Remote Dictionary Server,” is an open-source, NoSQL key/value store that runs entirely in memory and is mostly utilized as a quick-response database or application cache.

Redis offers unmatched speed, dependability, and performance since it keeps data in memory rather than on a disk or solid-state drive (SSD).

System Weakening Techniques

When a peculiar set of commands directed at a Redis honeypot was noticed, Cado researchers were initially made aware of the Migo campaign.

Document
Analyse Shopisticated Malware with ANY.RUN

Try ANY.RUN Yourself with a 14-day Free Trial

More than 300,000 analysts use ANY.RUN is a malware analysis sandbox worldwide. Join the community to conduct in-depth investigations into the top threats and collect detailed reports on their behavior..

Using the Redis command line interface’s (CLI) config set feature, attackers disabled the following configuration options.

  • set protected-mode
  • replica-read-only
  • aof-rewrite-incremental-fsync
  • rdb-save-incremental-fsync

The Redis server has an operational mode called “protected mode” that is intended to mitigate the risk of users unintentionally exposing the server to external networks.

It’s possible that this option was turned off during the initial access phase to enable the attackers to send more commands to the Redis server via the Internet.

Disable protected mode command

The replica-read-only feature instructs Redis replicas (perfect copies of a master Redis instance) to refuse any written commands.

The Migo attackers are probably disabling this feature to make it easier to exploit the Redis server in the future.

Meanwhile, append-only file rewrites may experience increased IO demand if aof-rewrite-incremental-fsync is disabled.

During RDB snapshot saves, performance may suffer if rdb-save-incremental-fsync is disabled.

“After disabling these configuration parameters, the attacker uses the set command to set the values of two Redis keys”.

One key is assigned a string value corresponding to a malicious attacker-controlled SSH key, and the other to a Cron job that retrieves the malicious primary payload from Transfer.sh via Pastebin”, Cado researchers shared with GBhackers on Security.

Abusing the set command to register a malicious Cron job

Compiled from Go code for the x86_64 architecture, the Migo primary payload (/tmp/.migo) is provided as a statically linked and stripped UPX-packed ELF.

Migo retrieves the XMRig installer in tar.gz format directly from Github’s CDN.

The malware then queries several system parameters, such as the number of logged-in users (via the w binary) and user resource restrictions, after the miner has been installed and an XMRig configuration set has been specified.

Cryptojacking malware typically behaves in these ways.

Researchers say that the main payload of Migo is a compiled binary created with Go instead of a string of shell scripts, as was the case in earlier campaigns, showing that the individuals behind Migo are still refining their methods and making the analysis process more difficult.

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are extremely harmful, can wreak havoc, and damage your network.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

VMware Workstation & Fusion Now Available for Free to All Users

VMware has announced that its popular desktop hypervisor products, VMware Workstation and VMware Fusion,...

Dell Enterprise SONiC Flaw Let Attackers Hijack the System

Dell Technologies has disclosed multiple critical security vulnerabilities in its Enterprise SONiC OS, which...

Amazon Confirms Employee Data Breach Via Third-party Vendor

Amazon has confirmed that sensitive employee data was exposed due to a breach at...

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

CRON#TRAP Campaign Attacks Windows Machine With Weaponized Linux Virtual Machine

Weaponized Linux virtual machines are used for offensive cybersecurity purposes, such as "penetration testing"...

HookBot Malware Use Overlay Attacks Impersonate As Popular Brands To Steal Data

The HookBot malware family employs overlay attacks to trick users into revealing sensitive information...