Migo Malware Targets Redis Servers and Disables Protection Features

Written by Mitchell Langley

February 22, 2024

Migo Malware Targets Redis Servers and Disables Protection Features

Security researchers have recently uncovered a new campaign aimed at Linux hosts, specifically targeting Redis servers. This campaign employs a new Migo malware to conduct cryptocurrency mining activities.

Redis, which stands for Remote Dictionary Server, is a widely used in-memory data structure store that serves as a database, cache, and message broker. It is highly regarded for its exceptional performance, particularly in real-time applications within various industries such as gaming, technology, finance, and healthcare.

Unfortunately, hackers are constantly on the lookout for exposed and potentially vulnerable Redis servers, as they can exploit them to hijack resources, steal sensitive data, and carry out other malicious activities.

Migo Malware Strain Disables Security Features

One noteworthy aspect of this new malware strain is using commands that weaken the security features of Redis. By disabling these protective configurations, the attackers are able to carry out cryptojacking activities for prolonged periods of time.

The Migo campaign was identified by analysts from Cado Security, a cloud forensics provider. Through their honeypots, they observed that the attackers employed command-line interface (CLI) commands to disable protective configurations and exploit the targeted server.

Migo Malware Uses CLI to Turn Off Redis Shields

Upon compromising exposed Redis servers, the attackers disable critical security features to allow receiving subsequent commands and making replicas writable.

According to Cado Security, they observed the attackers using the Redis CLI to disable the following configuration options:

  • “protected-mode”: When disabled, this allows external access to the Redis server, making it easier for attackers to remotely execute malicious commands.
  • “replica-read-only”: By turning this off, attackers gain the ability to write directly to replicas, facilitating the spread of malicious payloads or unauthorized data modifications across a distributed Redis infrastructure.
  • “aof-rewrite-incremental-fsync”: Disabling this feature can result in a heavier input/output (IO) load during append-only file (AOF) rewrites. This can potentially aid attackers in remaining undetected by diverting the attention of detection tools with atypical IO patterns.
  • rdb-save-incremental-fsync: turning it off can cause performance degradation during RDB snapshot saves, potentially allowing attackers to cause a denial of service (DoS) or manipulate persistence behavior to their advantage.
Migo Malware Uses CLI to Turn Off Redis Shields

Next, the attackers set up a cron job that downloads a script from Pastebin, which retrieves Migo’s primary payload (/tmp/.migo) from Transfer.sh to be executed as a background task.

This is a UPX-packed ELD binary compiled in Go, featuring compile-time obfuscation to hinder analysis.

Cado says Migo’s primary function is to fetch, install, and launch a modified XMRig (Monero) miner on the compromised endpoint directly from GitHub’s CDN.

The malware establishes persistence for the miner by creating a systemd service and the associated timer, ensuring that it runs continuously, mining cryptocurrency on the account of the attacker.

Migo Also Employs a User Mode Rootkit to Stay Hidden

Cado reports that Migo employs a user-mode rootkit to hide its processes and files, complicating detection and removal.

The Migo malware modifies ‘/etc/ld.so.preload’ to intercept and alter the behavior of system tools that list processes and files, effectively concealing its presence.

The attack concludes with Migo malware setting up firewall rules to block outbound traffic to certain IPs and executing commands to disable SELinux, search for and potentially disable cloud provider monitoring agents, and remove competing miners or payloads.

It also manipulates /etc/hosts to prevent communication with cloud service providers, further hiding its activity.

Migo’s attack chain shows that the threat actor behind it has a strong understanding of the Redis environment and operations.

Although the cryptojacking threat isn’t too severe because it does not lead to disruptions or data corruption, the threat actor could use the access to deliver more danagerous payloads.

Related Articles

Daixin Ransomware Claims Omni Hotels Cyberattack

Daixin Ransomware Claims Omni Hotels Cyberattack

The Daixin Team ransomware gang has taken responsibility for a recent cyberattack on Omni Hotels & Resorts and is currently issuing threats to publish sensitive customer information unless a ransom is paid. This development comes after the hotel chain experienced...

Stay Up to Date With The Latest News & Updates

Join Our Newsletter


Subscribe To Our Newsletter

Sign up to our weekly newsletter summarizing everything thats happened in data security, storage, and backup and disaster recovery

You have Successfully Subscribed!