Migo – a Redis Miner with Novel System Weakening Techniques – Cado Security | Cloud Forensics & Incident Response

Migo is a Go-compiled cryptominer that targets exposed Redis instances by disabling Redis security settings, writing malicious keys that install a cron-based downloader, and executing a packed ELF miner which deploys XMRig. The campaign also uses compile-time string obfuscation, a user-mode rootkit via /etc/ld.so.preload to hide processes and files, and persistence through a systemd service/timer while blocking cloud-provider monitoring. #Migo #Redis #XMRig #libsystemd_so #CadoSecurity

Keypoints

  • Attackers used Redis CONFIG SET commands to disable protections (e.g., protected-mode, replica-read-only, incremental fsync settings) to enable remote exploitation.
  • Initial execution is achieved by writing malicious values to Redis keys: an SSH key and a Cron entry that fetches a stage script from Pastebin which downloads the primary payload from transfer.sh.
  • The primary payload is a statically-linked, UPX-packed Go ELF that uses compile-time obfuscation of the pclntab to hinder symbol recovery and analysis.
  • Migo fetches and installs XMRig into /tmp/.migo_worker, writes a tailored xmrig config, adjusts hugepages, and launches the miner as a background process.
  • Persistence is achieved via a systemd unit and a systemd timer (system-kernel.service / system-kernel.timer) configured to run frequently and with elevated CPU shares.
  • The malware disables SELinux, adds host-file blackholes and iptables rules to block cloud-provider monitoring, and kills competing miners/processes.
  • Process and file hiding are implemented via a user-mode rootkit extracted to /usr/local/lib/libsystemd.so and activated through /etc/ld.so.preload.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used to gain initial access by exploiting Redis: [‘novel malware campaign targeting Redis for initial access.’]
  • [T1053] Scheduled Task/Job – Attackers register a cron-based payload and schedule recurring execution: [‘the file will be parsed by crond and executed as a normal Cron job.’]
  • [T1543] Create or Modify System Process – Persistence via systemd service/timer (system-kernel.service / system-kernel.timer): [‘Migo achieves persistence on the target host via the use of a systemd service and associated systemd timer.’]
  • [T1574] Hijack Execution Flow – Dynamic linker hijacking via /etc/ld.so.preload to load a malicious shared object: [‘updates /etc/ld.so.preload to point at a Linux shared object file located at /usr/local/lib/libsystemd.so’]
  • [T1027] Obfuscated Files or Information – Compile-time obfuscation used to hide Go symbols/strings in the pclntab: [‘compile-time obfuscator to obscure various strings relating to internal symbols.’]
  • [T1070] Indicator Removal on Host – Use of a user-mode rootkit to hide processes and on-disk artefacts: [‘the malware intercepts invocations of file and process listing tools (ls, ps, top etc) and hides the appropriate lines from the tool’s output.’]
  • [T1562] Impair Defenses – Disabling security controls (Redis protections, SELinux) and modifying hosts/iptables to impede monitoring: [‘this feature is disabled in Cado’s honeypot environment, which is why these commands and additional actions on objective succeed.’]

Indicators of Compromise

  • [File Hash] Migo payloads and components – 8cce669c8f9c5304b43d6e91e6332b1cf1113c81f355877dabd25198c3c3f208 (/tmp/.migo), c5dc12dbb9bb51ea8acf93d6349d5bc7fe5ee11b68d6371c1bbb098e21d0f685 (/tmp/.migo_worker/.worker.tar.gz), and 5 more hashes.
  • [File Path] Dropped filenames and persistence units – /tmp/.migo, /tmp/.migo_worker/.migo_worker (XMRig), system-kernel.service / system-kernel.timer.
  • [IP Address] Malicious infrastructure observed – 103[.]79[.]118[.]221 (initial Redis connection to honeypot).
  • [Domain/URL] Download and distribution endpoints – transfer.sh (primary payload host), pastebin (stage script), githubusercontent (XMRig CDN), and mining pools such as xmrpool.eu, pool.hashvault.pro.

When targeting Redis instances, the adversary first disables built-in safeguards using Redis CONFIG SET to turn off protected-mode, replica-read-only, and incremental fsync options, then writes keys containing an SSH key and a cron entry. The cron entry checks for an infection marker, retrieves a small shell script from Pastebin (which in turn pulls the primary UPX-packed Go ELF from transfer.sh), saves it to /tmp/.migo and launches it via nohup, enabling in-memory execution and initial persistence.
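The weakening sequence above leaves a clear trace in Redis itself: a burst of CONFIG SET calls from one client that flips protective settings, followed by SET calls whose values look like crontab lines. The following detector, an added example that is not part of Cado's write-up or tooling, parses lines in the format Redis MONITOR emits and flags both patterns. The MONITOR lines, client addresses and key names are constructed for the example; the setting names are real Redis configuration keys, and the incremental fsync settings (rdb-save-incremental-fsync, aof-rewrite-incremental-fsync) are the two Redis options the page's "incremental fsync" wording is assumed to refer to.

```python
"""Flag Redis protection rollbacks and cron-shaped values in MONITOR output."""
import re
from collections import defaultdict

# Constructed MONITOR-style lines: one hostile client weakening the instance and
# planting a crontab-shaped value, one benign client doing ordinary work.
SAMPLE_MONITOR = """\
1708000000.100000 [0 198.51.100.7:51000] "CONFIG" "SET" "protected-mode" "no"
1708000000.200000 [0 198.51.100.7:51000] "CONFIG" "SET" "replica-read-only" "no"
1708000000.300000 [0 198.51.100.7:51000] "CONFIG" "SET" "rdb-save-incremental-fsync" "no"
1708000000.400000 [0 198.51.100.7:51000] "SET" "x" "\\n\\n*/1 * * * * curl ... | sh\\n\\n"
1708000001.000000 [0 10.0.0.5:40000] "GET" "session:42"
1708000001.500000 [0 10.0.0.5:40000] "CONFIG" "GET" "maxmemory"
"""

# Protective settings the campaign turns off, mapped to the value a hardened
# instance should keep. Anything else written to them is treated as weakening.
PROTECTIVE_SETTINGS = {
    "protected-mode": "yes",
    "replica-read-only": "yes",
    "rdb-save-incremental-fsync": "yes",
    "aof-rewrite-incremental-fsync": "yes",
}

# MONITOR format: <unix time> [<db> <client addr>] "arg" "arg" ...
LINE_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # quoted args, honouring backslash escapes
# Five cron schedule fields followed by a command, at start of value or after an escaped newline.
CRON_RE = re.compile(r'(?:^|\\n)\s*(?:\*|[0-9/,*-]+)(?:\s+(?:\*|[0-9/,*-]+)){4}\s+\S')


def parse_monitor_line(line):
    """Split one MONITOR line into timestamp, client address and argument list."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": float(m.group("ts")), "client": m.group("client"),
            "args": ARG_RE.findall(m.group("args"))}


def weakening_setting(args):
    """Return (setting, value) if args is CONFIG SET of a protective setting to an unsafe value."""
    if len(args) == 4 and args[0].upper() == "CONFIG" and args[1].upper() == "SET":
        setting = args[2].lower()
        if setting in PROTECTIVE_SETTINGS and args[3].lower() != PROTECTIVE_SETTINGS[setting]:
            return setting, args[3]
    return None


def has_cron_payload(args):
    """True when a write command carries a value shaped like a crontab entry."""
    return (len(args) >= 3 and args[0].upper() in ("SET", "APPEND", "SETNX")
            and any(CRON_RE.search(a) for a in args[2:]))


def find_weakening(text):
    """Group weakening CONFIG SET calls by client: {client: [(setting, value), ...]}."""
    hits = defaultdict(list)
    for line in text.splitlines():
        rec = parse_monitor_line(line)
        if rec is None:
            continue
        w = weakening_setting(rec["args"])
        if w:
            hits[rec["client"]].append(w)
    return dict(hits)


def find_cron_writes(text):
    """Return the clients that wrote crontab-shaped values."""
    return sorted({rec["client"] for rec in map(parse_monitor_line, text.splitlines())
                   if rec and has_cron_payload(rec["args"])})


if __name__ == "__main__":
    for client, changes in find_weakening(SAMPLE_MONITOR).items():
        print(f"{client} weakened: {changes}")
    print("cron-shaped writes from:", find_cron_writes(SAMPLE_MONITOR))
```

In production the same two checks are cheaper to run against a CONFIG GET snapshot (alert if any of the four settings is not "yes") and against the Redis log or a network capture rather than a permanent MONITOR session, which is expensive on a busy instance. The value regex deliberately keys on cron's five schedule fields rather than on any specific command, so it also catches the same technique with a different stage URL.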

The /tmp/.migo binary unpacks (UPX -d), creates /tmp/.migo_running as an infection marker, and downloads a tar.gz XMRig installer from GitHub CDN into /tmp/.migo_worker, unpacking the miner binary (/tmp/.migo_worker/.migo_worker) and writing a customized .migo.json config. The malware adjusts system settings useful for mining (sets vm.nr_hugepages=128, queries logged-in users and resource limits), rewrites the miner config with pool credentials, and executes the miner worker process to join XMR pools.

For stealth and persistence Migo copies itself to /tmp, disables SELinux, adds /etc/hosts blackholes and iptables rules to block cloud-provider monitoring, kills competing miners, and registers a systemd service and timer (system-kernel.service/system-kernel.timer) configured to run every 5 seconds with high CPU shares. It also extracts a malicious shared object and writes /etc/ld.so.preload to load /usr/local/lib/libsystemd.so, a libprocesshider-based rootkit that intercepts directory/process listings to hide specified files and processes, while compile-time pclntab obfuscation complicates reverse engineering.
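Because the rootkit hides its own files and processes from ls and ps on the infected host, the persistence artefacts above are best audited from copies of the files themselves (pulled with a forensic agent or from a mounted disk image) rather than through the live host's tools. The script below is an added example, not Cado's tooling, that reads /etc/ld.so.preload, the systemd timer and service, and /etc/hosts as text and reports the conditions the page describes: any preload entry at all, a timer that fires more than once a minute, a service launched from a temp directory, CPUShares raised above systemd's default of 1024, and hostnames mapped to a blackhole address. The file contents, the ExecStart path, the 2048 CPUShares value and the blackholed domain names are constructed for the example.

```python
"""Audit text copies of host files for the Migo-style persistence artefacts."""
import re

# Constructed file contents standing in for files collected from a suspect host.
SAMPLE_PRELOAD = "/usr/local/lib/libsystemd.so\n"
SAMPLE_TIMER = """\
[Unit]
Description=system-kernel

[Timer]
OnBootSec=5s
OnUnitActiveSec=5s

[Install]
WantedBy=timers.target
"""
SAMPLE_SERVICE = """\
[Unit]
Description=system-kernel

[Service]
Type=simple
ExecStart=/tmp/.migo
CPUShares=2048
"""
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost ip6-localhost
0.0.0.0 monitoring.example-cloud.invalid   # constructed blackhole entry
127.0.0.1 updates.example-cloud.invalid
"""

_SPAN_UNITS = {"": 1, "ms": 0.001, "s": 1, "sec": 1, "m": 60, "min": 60, "h": 3600, "d": 86400}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}
BLACKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_unit(text):
    """Minimal systemd unit parser: {section: {key: [values]}} (keys may repeat)."""
    units, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            units.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            units[section].setdefault(key.strip(), []).append(value.strip())
    return units


def span_seconds(value):
    """Convert a systemd time span such as '5s' or '1min 30s' to seconds."""
    return sum(float(n) * _SPAN_UNITS.get(u, 1)
               for n, u in re.findall(r"(\d+(?:\.\d+)?)\s*([a-z]*)", value))


def audit_preload(text):
    """Every non-empty line in ld.so.preload is loaded into every process; report each."""
    return [f"ld.so.preload entry: {p.strip()}" for p in text.splitlines() if p.strip()]


def audit_units(timer_text, service_text, min_interval=60):
    """Report tight timers, temp-dir ExecStart paths and inflated CPUShares."""
    findings = []
    timer = parse_unit(timer_text).get("Timer", {})
    service = parse_unit(service_text).get("Service", {})
    for key in ("OnUnitActiveSec", "OnBootSec"):
        for v in timer.get(key, []):
            if span_seconds(v) < min_interval:
                findings.append(f"timer {key}={v} fires more than once per {min_interval}s")
    for exe in service.get("ExecStart", []):
        if exe.split()[0].lstrip("-@+!").startswith(TEMP_DIRS):
            findings.append(f"service ExecStart runs from a temp dir: {exe}")
    for shares in service.get("CPUShares", []):
        if shares.isdigit() and int(shares) > 1024:
            findings.append(f"service CPUShares={shares} above the default 1024")
    return findings


def audit_hosts(text):
    """Report names that /etc/hosts pins to a loopback or null address."""
    findings = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in BLACKHOLE_IPS:
            continue
        for name in fields[1:]:
            if name not in LOCAL_NAMES and not name.startswith("ip6-"):
                findings.append(f"/etc/hosts blackholes {name} -> {fields[0]}")
    return findings


if __name__ == "__main__":
    for f in (audit_preload(SAMPLE_PRELOAD) + audit_units(SAMPLE_TIMER, SAMPLE_SERVICE)
              + audit_hosts(SAMPLE_HOSTS)):
        print("FINDING:", f)
```

On a clean host /etc/ld.so.preload usually does not exist or is empty, so any entry is worth a look even when its name imitates a system library, as libsystemd.so does here; a genuine systemd library lives under the distribution's library directories and is never preloaded. The unit checks are generic on purpose: they would catch a renamed timer as readily as system-kernel.timer.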

Read more: https://www.cadosecurity.com/migo-a-redis-miner-with-novel-system-weakening-techniques/