
Unseen Threat Infiltrating Redis Servers: The Migo Malware Campaign and Emerging Dangers
In February, security researchers encountered a new malware campaign targeting Redis for initial access. The malware, dubbed Migo by developers, aims to compromise Redis servers in order to mine cryptocurrency on the underlying Linux host.
Indicators of Compromise
Domains (2)
get.bi-chi.comt00ls.ruHashes (9)
364a7f8e3701a340400d77795512c18f680ee67e178880e1bb1fcda36ddbc12c2b03943244871ca75e44513e4d20470b8f3e0f209d185395de82b447022437ec8f633ade35df4f992eb28a2c5bc37cef76ecd546374b24443d76c450cb8ed7226db84681ee725482d5b9ff4ce3273c7f6b2fe529339896b22328dec8936219e7b8e3252f5dc4a48ebd4f4be7ffcf3d2c1e1ae4f2640e41ca137a58dbb33b0b249b68759e8cce669c8f9c5304b43d6e91e6332b1cf1113c81f355877dabd25198c3c3f20832d32bf0be126e685e898d0ac21d93618f95f405c6400e1c8b0a8a72aa753933C5dc12dbb9bb51ea8acf93d6349d5bc7fe5ee11b68d6371c1bbb098e21d0f685IPv4 (9)
157.148.45.20183.2.143.16311.149.252.51103.79.118.22111.177.125.11611.149.252.5711.149.252.62120.232.65.22311.177.124.86Notes
<span id="docs-internal-guid-4b5e224c-7fff-b13e-1023-ab95ec31eac5"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">CONCLUSIONS</span></p><br><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">The Migo malware campaign represents a significant evolution in cyber threats targeting cloud-based services and Redis servers. By employing sophisticated tactics such as novel system weakening commands, compile-time obfuscation, and the use of a user-mode rootkit, attackers have demonstrated an increasing sophistication in their approaches to bypass security measures and facilitate unauthorized cryptocurrency mining.</span></p><br><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">This campaign underscores the critical need for organizations to adopt advanced cybersecurity solutions that can detect and mitigate such complex threats. SOCRadar offers a comprehensive cybersecurity platform that can significantly benefit organizations looking to protect their systems against such advanced threats. Specifically, the Threat Intelligence module within the SOCRadar Platform is invaluable for organizations seeking to stay ahead of emerging threats like the Migo malware.</span></p><br><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">The Threat Intelligence module provides real-time insights and actionable intelligence on the latest cyber threats, enabling organizations to proactively identify and respond to potential vulnerabilities in their systems. By leveraging this module, organizations can gain a deeper understanding of the tactics, techniques, and procedures (TTPs) used by attackers, such as those behind the Migo campaign. This knowledge allows for the implementation of targeted security measures to prevent initial access and ensure the resilience of critical systems against sophisticated attacks.</span></p><br><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Moreover, SOCRadar's comprehensive approach to cybersecurity, encompassing early detection, detailed threat analysis, and proactive mitigation recommendations, makes it an essential tool in the arsenal of any organization aiming to protect itself from the ever-evolving landscape of cyber threats. In the face of campaigns like Migo, which seek to exploit web-facing services and employ advanced evasion techniques, the intelligence and insights provided by SOCRadar's Threat Intelligence module are more crucial than ever.</span></p><br><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">In conclusion, the Migo malware campaign highlights the necessity for robust, intelligence-driven cybersecurity solutions. SOCRadar's Threat Intelligence module stands out as a powerful resource for organizations aiming to navigate the complexities of today's cyber threat environment effectively. By leveraging SOCRadar, organizations can not only respond more efficiently to immediate threats but also adopt a more strategic approach to cybersecurity, ultimately enhancing their overall security posture and resilience against sophisticated cyber attacks.</span></p><br><br></span>
Mitigation
<span id="docs-internal-guid-3fa0663f-7fff-4aa8-604e-5a7050070394"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">MITIGATIONS</span></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">ATT&CK IDS:</span></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1543.003 - Windows Service, </span></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1140 - Deobfuscate/Decode Files or Information, </span></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1059.001 - PowerShell, T1546.015 - Component Object Model Hijacking, </span></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1059.003 - Windows Command Shell, T1574.002 - DLL Side-Loading</span></p><br><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Protected mode functions as a security feature for Redis servers, intended to safeguard against accidental exposure to public networks.</span></p><br><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Launched with Redis version 3.2.0, this feature activates when the server is set up with its default settings—binding to all network interfaces without the activation of password protection. Under protected mode, the server limits connections exclusively to the loopback interface; attempts from any other sources are met with an error message.</span></p><br><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">It's probable that during the initial phase of unauthorized access, attackers disabled this mode to facilitate the transmission of commands to the Redis server over the internet. Mitigating the risks associated with the exposure of Redis servers, particularly in the context of disabling protected mode, involves implementing a combination of best practices and security measures:</span></p><br><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Enable Authentication:</span><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"> Use the requirepass configuration directive to set a strong password for accessing the Redis server. This prevents unauthorized access to the server.</span></p><br><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Use Firewalls:</span><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"> Configure firewalls to restrict access to the Redis server, allowing connections only from trusted IP addresses or networks.</span></p><br><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Bind to Specific Interfaces:</span><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"> Instead of binding to all network interfaces (0.0.0.0), configure Redis to bind only to specific, secure interfaces. This can significantly reduce the risk of external attacks.</span></p><br><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Enable TLS/SSL:</span><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"> Encrypt data in transit by enabling TLS/SSL connections to Redis, protecting data from being intercepted by attackers.</span></p><br><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Regular Updates: </span><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Keep the Redis server and its dependencies updated to the latest versions. This ensures that any known vulnerabilities are patched.</span></p><br><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Monitor Access and Logs:</span><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"> Regularly monitor access logs for unauthorized attempts to access the Redis server. Implementing real-time alerting for suspicious activities can help in early detection of potential breaches.</span></p><br><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Limit Commands:</span><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"> Use the rename-command directive in the Redis configuration file to rename or disable dangerous commands that can be exploited by attackers, such as FLUSHDB, FLUSHALL, and CONFIG.</span></p><br><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Network Segmentation:</span><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"> Isolate the Redis server within a secure network segment to limit the potential impact of a breach and restrict lateral movement by attackers.</span></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"><br></span></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:10pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Backup and Disaster Recovery:</span><span style="font-size:10pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;"> Regularly backup Redis data and have a disaster recovery plan in place. This ensures data integrity and availability in the event of an attack.</span></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"><b style="font-weight:normal;" id="docs-internal-guid-e2b2f888-7fff-70bb-aa0a-3bebdf20a59f"><br></b></span></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:10pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Use Protected Mode Wisely</span><span style="font-size:10pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">: If for any reason protected mode must be disabled, ensure that other security measures are in place and properly configured to protect the server.</span></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"><br></span></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:10pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">By combining these strategies, the security posture around Redis servers can be significantly enhanced, reducing the risk of exploitation and unauthorized access.</span></p><div><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"><br></span></div></span>