New Redis Malware In The Wild Exploits System-Weakening Commands for Cryptojacking Attack

Cado Security has revealed that it discovered a new malware family, Migo, that compromises Redis servers to mine cryptocurrency. The campaign shows that cloud-focused attackers continue to refine their techniques and improve their ability to exploit web-facing services.

The campaign used several Redis system-weakening commands to turn off security features of the data store that could impede initial access. These commands have not previously been reported in campaigns that leverage Redis for initial access.
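As an added example (not part of the original post or of Cado's report), the following Python checker scans Redis MONITOR output for runtime CONFIG SET changes that weaken the server's own safeguards, which is the class of command the post describes. The watched settings (protected-mode, requirepass, replica-read-only), the alert reasons and the sample MONITOR lines are assumptions chosen for illustration, not the specific commands or indicators from the Migo campaign.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Shape of a Redis MONITOR line:
#   <unix ts> [<db> <client ip:port>] "CMD" "arg1" "arg2" ...
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<addr>\S+)\] (?P<argv>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Assumed watch-list (illustrative, not a Migo IOC list): runtime settings whose
# change to the given value weakens the instance. The predicate returns True
# when the new value is the weak one.
WEAKENING: Dict[str, Tuple[Callable[[str], bool], str]] = {
    "protected-mode":    (lambda v: v.lower() == "no", "disables protected mode (unauthenticated remote access)"),
    "requirepass":       (lambda v: v == "",            "clears the server password"),
    "replica-read-only": (lambda v: v.lower() == "no", "makes a replica writable"),
}


@dataclass(frozen=True)
class Finding:
    ts: str
    addr: str
    setting: str
    value: str
    reason: str


def parse_monitor_line(line: str) -> Optional[Tuple[str, str, List[str]]]:
    """Return (timestamp, client address, argv) for a MONITOR line, or None if it does not match."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    # MONITOR escapes embedded quotes and backslashes; undo that for each argument.
    argv = [re.sub(r'\\(.)', r'\1', a) for a in ARG_RE.findall(m.group("argv"))]
    return m.group("ts"), m.group("addr"), argv


def weakening_pairs(argv: List[str]) -> List[Tuple[str, str, str]]:
    """Return (setting, value, reason) for every weakening pair in a CONFIG SET command.

    Redis 7 accepts several key/value pairs in a single CONFIG SET, so all pairs
    are walked rather than only the first one. Non-CONFIG commands return [].
    """
    if len(argv) < 4 or argv[0].upper() != "CONFIG" or argv[1].upper() != "SET":
        return []
    hits = []
    pairs = argv[2:]
    for key, value in zip(pairs[0::2], pairs[1::2]):
        rule = WEAKENING.get(key.lower())
        if rule and rule[0](value):
            hits.append((key.lower(), value, rule[1]))
    return hits


def scan(lines: Iterable[str]) -> List[Finding]:
    """Scan MONITOR lines and return one Finding per weakening CONFIG SET pair."""
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if parsed is None:
            continue
        ts, addr, argv = parsed
        for setting, value, reason in weakening_pairs(argv):
            findings.append(Finding(ts, addr, setting, value, reason))
    return findings


# Constructed sample MONITOR output (not real traffic). The last line is a plain
# SET of a key that happens to be named "protected-mode" and must not fire.
SAMPLE_MONITOR = """\
1708000000.100000 [0 203.0.113.7:50210] "INFO"
1708000000.200000 [0 203.0.113.7:50210] "CONFIG" "SET" "protected-mode" "no"
1708000000.300000 [0 203.0.113.7:50210] "config" "set" "replica-read-only" "no" "requirepass" ""
1708000000.400000 [0 10.0.0.12:40010] "CONFIG" "SET" "maxmemory" "2gb"
1708000000.500000 [0 203.0.113.7:50210] "SET" "protected-mode" "no"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_MONITOR.splitlines()):
        print(f"{f.ts} {f.addr} CONFIG SET {f.setting} {f.value!r}: {f.reason}")
```

MONITOR is a debugging tool and costs throughput on a busy instance; the same argv check can be run over any command log you already collect. Detection is the fallback: the preventive control is to keep protected-mode and a password enabled and to deny CONFIG to application users through Redis ACLs (or `rename-command` on older versions), so an attacker who reaches the port cannot turn those safeguards off in the first place.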

Migo also takes steps to obfuscate its code and hinder reverse engineering. Rather than the series of shell scripts seen in previous campaigns, Migo is delivered as a compiled binary that serves as the primary payload, a sign that the operators continue to hone their techniques and complicate analysis.

The malware deploys a modified version of a popular user-mode rootkit to hide processes and on-disk artifacts. Although cryptojacking campaigns frequently use process hiders, this variant can also conceal on-disk artifacts, not just the malicious processes.

You can read this report here.
