A recent malware campaign has been detected, focusing on gaining initial access through Redis servers, aiming to mine cryptocurrency on compromised Linux hosts.
What is Migo Malware?
Migo Malware is a type of malicious software that targets Redis servers for initial access, primarily aiming to mine cryptocurrency on compromised Linux hosts. It is a novel malware campaign observed in cybersecurity research, indicating a new threat actor or malware variant in the cyber landscape.
“This particular campaign involves the use of several novel system weakening techniques against the data store itself,” noted Cado security researcher Matt Muir in a technical report.
The cryptojacking attack is facilitated by a malware known as Migo, which is a Golang ELF binary. Migo is equipped with compile-time obfuscation and possesses the capability to persist on Linux machines.
The cloud security company detected the campaign when it noticed an “unusual series of commands” aimed at its Redis honeypots. These commands were designed to lower security defenses by disabling specific configuration options, including:
- protected-mode
- replica-read-only
- aof-rewrite-incremental-fsync, and
- rdb-save-incremental-fsync
It’s suspected that these options are disabled to allow for additional commands to be sent to the Redis server from external networks, facilitating future exploitation discreetly. This is followed by the threat actors setting up two Redis keys—one pointing to an attacker-controlled SSH key and the other to a cron job that retrieves the malicious primary payload from a file transfer service named Transfer.sh, a technique observed in early 2023.
The shell script to fetch Migo using Transfer.sh is embedded within a Pastebin file that’s, in turn, obtained using a curl or wget command.
The Go-based ELF binary resists reverse engineering and downloads an XMRig installer from GitHub. It establishes persistence, terminates competing miners, and launches the miner. Additionally, Migo disables SELinux, searches for uninstallation scripts for monitoring agents in cloud instances, and deploys a modified version of libprocesshider to hide processes and artifacts.
Muir observed that Migo recursively iterates through files and directories under /etc, reading their contents without taking any action. One theory suggests this could be an attempt to confuse sandbox and dynamic analysis solutions by generating benign activity, potentially leading to a non-malicious classification.
“Migo highlights the ongoing evolution of cloud-focused attackers as they refine their techniques to exploit web-facing services,” Muir commented.
Indicators of Compromise
| File | SHA256 |
| /tmp/.migo (packed) | 8cce669c8f9c5304b43d6e91e6332b1cf1113c81f355877dabd25198c3c3f208 |
| /tmp/.migo_worker/.worker.tar.gz | c5dc12dbb9bb51ea8acf93d6349d5bc7fe5ee11b68d6371c1bbb098e21d0f685 |
| /tmp/.migo_worker/.migo_json | 2b03943244871ca75e44513e4d20470b8f3e0f209d185395de82b447022437ec |
| /tmp/.migo_worker/.migo_worker (XMRig) | 364a7f8e3701a340400d77795512c18f680ee67e178880e1bb1fcda36ddbc12c |
| system-kernel.service | 5dc4a48ebd4f4be7ffcf3d2c1e1ae4f2640e41ca137a58dbb33b0b249b68759e |
| system-kernel.service | 76ecd546374b24443d76c450cb8ed7226db84681ee725482d5b9ff4ce3273c7f |
| libsystemd.so | 32d32bf0be126e685e898d0ac21d93618f95f405c6400e1c8b0a8a72aa753933 |
| IP Addresses |
| 103[.]79[.]118[.]221 |
Follow Us on: Twitter, Instagram, Facebook to get the latest security news!
Leave A Comment