Migo Download

0 views
Skip to first unread message

Curtis Boykins

unread,
Aug 4, 2024, 7:38:22 PM8/4/24
to candverlosuc
CadoSecurity Labs researchers have recently encountered a novel malware campaign targeting Redis for initial access. Whilst Redis is no stranger to exploitation by Linux and cloud-focused attackers, this particular campaign involves the use of a number of novel system weakening techniques against the data store itself.

Introduced in version 3.2.0, protected mode is engaged when a Redis server has been deployed in the default configuration (i.e. bound to all networking interfaces) without having password authentication enabled. In this mode, the Redis server will only accept connections from the loopback interface, any other connections will receive an error.


As the name suggests, the replica-read-only feature configures Redis replicas (exact copies of a master Redis instance) to reject all incoming write commands. This configuration parameter is enabled by default, to prevent accidental writes to replicas which could result in the master/replica topology becoming out of sync.


Cado researchers have previously reported on exploitation of the replication feature being used to deliver malicious payloads to Redis instances. The attackers behind Migo are likely disabling this feature to facilitate future exploitation of the Redis server.


After disabling these configuration parameters, the attacker uses the set command to set the values of two separate Redis keys. One key is assigned a string value corresponding to a malicious attacker-controlled SSH key, and the other to a Cron job that retrieves the malicious primary payload from Transfer.sh (a relatively uncommon distribution mechanism previously covered by Cado) via Pastebin.


The attackers will then follow-up with a series of commands to change the working directory of Redis itself, before saving the contents of the database. If the working directory is one of the Cron directories, the file will be parsed by crond and executed as a normal Cron job.

This is a common attack pattern against Redis servers and has been previously documented by Cado and others.


As can be seen above, the attackers create a key named mimigo and use it to register a Cron job that first checks whether a file exists at /tmp/.xxx1. If not, a simple script is retrieved from Pastebin using either curl or wget, and executed directly in memory by piping through sh.


This in-memory script proceeds to create an empty file at /tmp/.xxx1 (an indicator to the previous stage that the host has been compromised) before retrieving the primary payload from transfer.sh. This payload is saved as /tmp/.migo, before being executed as a background task via nohup.


The Migo primary payload (/tmp/.migo) is delivered as a statically-linked and stripped UPX-packed ELF, compiled from Go code for the x86_64 architecture. The sample uses vanilla UPX packing (i.e. the UPX header is intact) and can be trivially unpacked using upx -d.


With the miner installed and an XMRig configuration set, the malware proceeds to query some information about the system, including the number of logged-in users (via the w binary) and resource limits for users on the system. It also sets the number of Huge Pages available on the system to 128, using the vm.nr_hugepages parameter. These actions are fairly typical for cryptojacking malware.


Once this is complete, the binary is copied to /tmp via the /proc/self/exe symlink ahead of registering persistence, before a series of shell commands are executed. An example of these commands is listed below.


As seen in the commands above, Migo achieves persistence on the target host via the use of a systemd service and associated systemd timer. These are named system-kernel.timer and system-kernel.service respectively.


The service unit is straightforward, it simply ensures the Migo payload is executable before invoking it. The malware also configures the allowed number of open file descriptors (via the LimitNOFILE parameter) and increases the CPU shares weighting to 1000000, allowing the miner to fully utilise the CPU.


This service is controlled by an associated systemd timer, allowing it to be executed 5 seconds after the machine boots, and executed again every 5 seconds following that. This, in combination with the infection marker mentioned previously, ensures the miner is kept running and can effectively contribute to the mining pool.


Interestingly, Migo will attempt to hide on-disk artefacts dropped by itself via the use of a user mode rootkit. These artefacts include the contents /tmp/.migo_worker directory, where the malware stores the miner and configuration file, as well as the main payload located at /tmp/.migo.


To achieve this, the malware updates /etc/ld.so.preload to point at a Linux shared object file located at /usr/local/lib/libsystemd.so, effectively conducting Dynamic Linker hijacking on the Redis host. This shared object is embedded within the Migo primary payload and is extracted at runtime.


Migo demonstrates that cloud-focused attackers are continuing to refine their techniques and improve their ability to exploit web-facing services. The campaign utilised a number of Redis system weakening commands, in an attempt to disable security features of the data store that may impede their initial access attempts. These commands have not previously been reported in campaigns leveraging Redis for initial access.


The developers of Migo also appear to be aware of the malware analysis process, taking additional steps to obfuscate symbols and strings found in the pclntab structure that could aid reverse engineering. Even the use of Go to produce a compiled binary as the primary payload, rather than using a series of shell scripts as seen in previous campaigns, suggests that those behind Migo are continuing to hone their techniques and complicate the analysis process.


In addition, the use of a user mode rootkit could complicate post-incident forensics of hosts compromised by Migo. Although libprocesshider is frequently used by cryptojacking campaigns, this particular variant includes the ability to hide on-disk artefacts in addition to the malicious processes themselves.


If Ascender fails to perform as promised within the warranty period, you can contact our after-sales service through our soon-to-be-announced local Migo Robotics distributor or email us at he...@migorobotics.com.


Ascender's core components and battery are covered by a 12-month warranty or local regulations, with an additional six-month warranty extension if we reach our stretch goal. However, this warranty does not cover accessories such as side brushes, roller brushes, and dust bags. The warranty period commences on the delivery date of the product(s).


We offer a 30-day hassle-free refund/exchange on all Kickstarter campaign orders. A $20 shipping fee will be applied using our provided shipping label. However, there will be no shipping/restocking fees if any product defects occur. Please include all parts in their original packaging when returning. If your reward has a defect, we offer warranties for product defects. For warranty claims and return-related inquiries, please contact us at he...@migorobotics.com.


Migo Robotics ("we", "us", or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website www.migorobotics.com, including any other media form, media channel, mobile website, or mobile application related or connected thereto (collectively, the "Site").


We collect information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device ("personal information"). In particular, our Site has collected the following categories of personal information from its consumers within the last twelve (12) months:


Migos (/ˈmiːɡoʊs/) were[2][3][4] an American hip hop group founded in North Atlanta, specifically Lawrenceville, Georgia, in 2008.[5] The group was composed of rapper Quavo, his nephew Takeoff, and their mutual friend Offset. Quavo is from Athens, Georgia, while Offset and Takeoff were born and raised in nearby Lawrenceville. As a group, they were managed by Coach K, the former manager of Gucci Mane and Jeezy,[6] and frequently collaborated with producers DJ Durel, Murda Beatz, Zaytoven, and Buddah Bless.[7][8] Recognized for their contribution to trap music in the 2010s, Billboard stated that the group "influenced pop culture and the entire English language by bringing their North Atlanta roots to the mainstream".[9]


Migos signed with Quality Control Music and 300 Entertainment to release their debut studio album Yung Rich Nation (2015), which was met with positive critical reception and peaked at number 17 on the Billboard 200. Their second album, Culture (2017), debuted atop the chart[10][11] and was supported by "Bad and Boujee". After departing 300 Entertainment in favor of a joint venture with Motown and Capitol Records in February 2017,[12] the trio saw their furthest commercial success with their third album, Culture II (2018), which became their second to peak the chart and sold an estimated 200,000 album-equivalent units in its first week.[13] Their fourth album, Culture III (2021), peaked at number two on the Billboard 200.


In 2016, the group portrayed fictionalized versions of themselves in the first season of the Donald Glover comedy-drama television series Atlanta. On November 1, 2022, Takeoff was fatally shot outside of a bowling alley in Houston, effectively causing its two remaining members to disband the following year.[14]


Migos was formed in 2008, by Quavo (born Quavious Keyate Marshall),[18] Takeoff (born Kirshnik Khari Ball),[19] and Offset (born Kiari Kendrell Cephus),[20] and they originally called themselves the Polo Club. The name 'Migos' is a take on 'Three Amigos', as the three members grew up together.[21] Takeoff was Quavo's nephew; despite the general public believing that Offset and Quavo were cousins, Offset later revealed he is not related to either of them and was just a classmate of Quavo.[22] The three of them grew up together in metro Atlanta, approximately 30 minutes northeast of Downtown in Gwinnett County. "I ain't going to sit here like, my neighborhood was hard, and I had to get out there and grind. We made it hard for ourselves. We chose to stay on the streets", Quavo said.[23] The group released their first full-length project, a mixtape titled Juug Season, on August 25, 2011. They followed with the mixtape No Label on June 1, 2012. Assisted by Tucker Toenjes and Mitchell Thomas.

3a8082e126
Reply all
Reply to author
Forward
0 new messages