Full Report
A new campaign named Migo targets Redis servers running on Linux hosts to mine cryptocurrency. The campaign was identified following suspicious activity on a Redis honeypot, where a malicious node disabled several Redis configuration options to weaken security and facilita...
Analysis Summary
# Tool/Technique: Migo Cryptominer Campaign
## Overview
Migo is a cryptocurrency mining campaign specifically targeting Redis servers running on Linux hosts. Its primary goal is resource hijacking through the unauthorized use of victim CPU cycles to mine Monero (XMR). The campaign achieves persistence and operational efficiency by disabling specific Redis security configurations.
## Technical Details
- Type: Malware Family (Cryptominer)
- Platform: Linux
- Capabilities: Disable Redis security settings, download and install XMRig, configure system parameters for mining, obfuscation (UPX-packed, stripped, statically-linked ELF).
- First Seen: Identified around February 2024.
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1105 - Ingress Tool Transfer
- TA0003 - Persistence
- T1543.002 - Create or Modify System Process: systemd service
- TA0002 - Execution
- T1059.004 - Command and Scripting Interpreter: Unix Shell
- TA0005 - Defense Evasion
- T1027 - Obfuscated Files or Information (via UPX packing)
- TA0007 - Discovery
- T1082 - System Information Discovery (to optimize mining)
- TA0010 - Impact
- T1496 - Resource Hijacking (Cryptomining)
## Functionality
### Core Capabilities
* **Initial Access:** Exploits misconfigured, publicly exposed Redis instances.
* **System Weakening:** Disables several critical Redis configuration options to weaken security and facilitate continued unauthorized access.
* **Payload Deployment:** Downloads and sets up the XMRig cryptocurrency miner.
* **Resource Hijacking:** Runs XMRig to utilize victim CPU resources for mining cryptocurrency (likely Monero).
### Advanced Features
* **Payload Obfuscation:** The primary payload is a statically-linked, stripped, and UPX-packed ELF binary to hinder static and dynamic analysis.
* **System Tuning:** Adjusts system parameters specifically to optimize mining performance.
* **Evasion:** Performs certain "benign actions" potentially designed to evade automated detection systems.
## Indicators of Compromise
- File Hashes: Not specified in the context.
- File Names: Not specified in the context, but the primary payload is an **ELF binary**.
- Registry Keys: Not applicable (Linux targets).
- Network Indicators: Inferred connections to download XMRig and report mining results (e.g., XMR mining pool addresses, defanged). Example structure for a suspected C2/pool indicator (placeholder, not an observed value): `[hxxp://xmrig-pool-address]`
- Behavioral Indicators: Attempts to connect to Redis on default or known ports, execution of shell commands to download external binaries, modifications to Redis configuration files (e.g., `redis.conf`).
## Associated Threat Actors
* Migo operator (Campaign designated as "Migo")
## Detection Methods
- Signature-based detection: Signatures for the UPX-packed ELF binary.
- Behavioral detection: Monitoring for processes attempting to disable system security settings or invoking network connections to fetch known crypto-mining software (XMRig).
- YARA rules: Could be developed based on unique strings or structure within the packed ELF.
## Mitigation Strategies
- Prevention: Immediately secure all Redis instances by ensuring they are not exposed to the public internet and enforcing strong authentication (e.g., using `requirepass`).
- Hardening recommendations: Regularly audit running Redis configurations to ensure security settings (such as renamed or disabled dangerous commands, restricted network bindings, and `protected-mode`) have not been altered by a compromise. Ensure robust network segmentation.
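As an added example (not from the original report), the audit below parses a `redis.conf` and flags the weak settings the hardening advice above warns about: a `bind` on all interfaces, `protected-mode` off, a missing `requirepass`, and dangerous commands left enabled. The set of commands treated as dangerous and both sample configurations are constructed assumptions.

```python
# Added audit helper (not from the original report): parse redis.conf text and
# report settings whose weak values the hardening advice above warns about.

# Commands a hardened deployment is assumed to rename/disable (assumption, not from the report).
DANGEROUS_COMMANDS = {"CONFIG", "FLUSHALL", "FLUSHDB", "DEBUG", "SLAVEOF", "REPLICAOF"}


def parse_redis_conf(text):
    """Return a list of (directive, [args]) pairs, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit_redis_conf(text):
    """Return a sorted list of findings; an empty list means no weak setting was found."""
    directives, renamed = {}, set()
    for name, args in parse_redis_conf(text):
        if name == "rename-command" and len(args) == 2:
            renamed.add(args[0].strip('"').upper())   # rename-command CONFIG ""
        else:
            directives[name] = args
    findings = []
    # No bind directive means Redis listens on every interface; so do these values.
    bind = [a.lstrip("-") for a in directives.get("bind", [])]   # Redis 7 allows a "-" prefix
    if not bind or any(a in ("0.0.0.0", "*", "::") for a in bind):
        findings.append("bind: listens on all interfaces (restrict to loopback or a private address)")
    if directives.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: disabled")
    if not directives.get("requirepass") or directives["requirepass"][0] == '""':
        findings.append("requirepass: no password set")
    missing = sorted(DANGEROUS_COMMANDS - renamed)
    if missing:
        findings.append("rename-command: not applied to " + ", ".join(missing))
    return sorted(findings)


# Constructed sample: a weakened configuration of the kind the report describes.
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
# Constructed sample: the same server after hardening.
HARDENED_CONF = (
    "bind 127.0.0.1 -::1\nprotected-mode yes\nrequirepass \"placeholder-long-random-secret\"\n"
    + "".join(f'rename-command {c} ""\n' for c in sorted(DANGEROUS_COMMANDS))
)

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or "no findings")
```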
## Related Tools/Techniques
* **Tools Used:** XMRig (Cryptominer)
* **Technique:** Abuse of Misconfigured Services (specifically Redis)
* **Similar Campaigns:** Other cryptojacking operations targeting insecure database/service endpoints (e.g., Drupalgeddon, Docker daemon exploits).