Security researchers have uncovered a sophisticated malware campaign targeting Redis, a popular data store.
In particular, Cado Security Labs researchers observed that Migo uses new Redis system-weakening commands to exploit the data store for cryptojacking.
Unlike previous attacks targeting Redis, this campaign introduces unique techniques to compromise the system's security.
According to an advisory published earlier today, Migo is distributed as a Golang ELF binary, featuring compile-time obfuscation and the ability to persist on Linux hosts.
The malware incorporates a modified version of a popular user-mode rootkit to conceal its processes and on-disk artifacts.
The initial access stage of the attack involves disabling various configuration options of Redis using specific CLI commands.
The attackers turn off features like protected mode and replica-read-only to facilitate their malicious activities.
The attackers then issue a series of commands that fetch and execute malicious payloads from external sources such as Transfer.
These payloads are designed to mine cryptocurrency in the background while remaining undetected.
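The configuration changes described above leave a trace: when Redis command auditing (for example, `MONITOR` output or a proxy log) is available, a `CONFIG SET` that switches off `protected-mode` or `replica-read-only` can be flagged directly. The following detection script is an added example, not code from the original report or from Cado Security; the log lines are constructed and the alert format is this example's own.

```python
import re

# Directives whose weakening is worth alerting on. protected-mode and
# replica-read-only are the two named in the report; slave-read-only is the
# legacy alias Redis still accepts for replica-read-only.
WEAKENING = {
    "protected-mode": {"no"},
    "replica-read-only": {"no"},
    "slave-read-only": {"no"},
}

# Redis MONITOR line: <unix-ts> [<db> <client-addr>] "ARG" "ARG" ...
MONITOR_RE = re.compile(r'^(\d+\.\d+) \[(\d+) ([^\]]+)\] (.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_monitor_line(line):
    """Return (timestamp, client, [args]) or None for a non-matching line."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    ts, _db, client, rest = m.groups()
    return float(ts), client, ARG_RE.findall(rest)


def detect_weakening(lines):
    """Flag CONFIG SET commands that disable a security-relevant directive."""
    alerts = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if not parsed or len(parsed[2]) < 4:
            continue
        ts, client, args = parsed
        cmd, sub, directive, value = (a.lower() for a in args[:4])
        if cmd == "config" and sub == "set" and value in WEAKENING.get(directive, ()):
            alerts.append({"ts": ts, "client": client,
                           "directive": directive, "value": value})
    return alerts


# Constructed sample MONITOR output: two weakening commands, two benign ones.
SAMPLE_LOG = [
    '1708440000.000001 [0 172.16.0.5:54321] "PING"',
    '1708440000.100002 [0 172.16.0.5:54321] "CONFIG" "SET" "protected-mode" "no"',
    '1708440000.200003 [0 172.16.0.5:54321] "config" "set" "replica-read-only" "no"',
    '1708440000.300004 [0 10.0.0.7:40000] "CONFIG" "SET" "maxmemory" "2gb"',
    '1708440000.400005 [0 10.0.0.7:40000] "GET" "session:abc"',
]

if __name__ == "__main__":
    for alert in detect_weakening(SAMPLE_LOG):
        print(alert)
```

The same check can run against a periodic `CONFIG GET` snapshot by feeding the directive/value pairs to `WEAKENING`, which catches changes made before auditing was enabled.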
As mentioned above, one notable aspect of Migo is its use of compile-time obfuscation to conceal important symbols and strings, complicating reverse-engineering efforts.
The malware employs a user-mode rootkit to hide both its processes and on-disk artifacts, making it challenging for security analysts to detect and mitigate the threat.
The campaign's persistence mechanism involves the use of systemd service and timer units to ensure the continuous execution of the malware.
Migo also attempts to evade detection by modifying the system's hosts file to block outbound traffic to domains associated with cloud providers.
Published on www.infosecurity-magazine.com, Tue, 20 Feb 2024 17:00:16 +0000.