Type
Campaign
Actors
Migo operator
Pub. date
February 20, 2024
Initial access
Software misconfig
Impact
Resource hijacking
Observed techniques
Misconfigured Redis abuse
Observed tools
XMRig
Targeted technologies
Redis
References
https://www.cadosecurity.com/migo-a-redis-miner-with-novel-system-weakening-techniques/
Status
Finalized
Last edited
Jun 2, 2024 8:02 AM
A new campaign named Migo targeting Redis servers running on Linux hosts to mine cryptocurrency. The campaign was identified following suspicious activities on a Redis honeypot, where a malicious node disabled several Redis configuration options to weaken security and facilitate unauthorized access. The primary payload, a statically-linked, stripped, and UPX-packed ELF binary, is obfuscated to hinder analysis. It includes a variety of functions for system manipulation, HTTP requests, and file operations. The malware sets up a miner by fetching and configuring XMRig, adjusts system parameters to optimize mining performance, and also performs certain benign actions, possibly to evade detection.