Linux Malware Campaign “Migo” Targets Redis For Cryptomining

Security researchers have uncovered a sophisticated malware campaign targeting Redis, a popular data store system. This campaign, dubbed “Migo,” employs novel tactics to compromise Redis servers, with the ultimate goal of mining cryptocurrency on Linux hosts.
In particular, Cado Security Labs researchers observed that Migo uses new Redis system-weakening commands to exploit the data store for cryptojacking purposes. Unlike previous attacks targeting Redis, this campaign introduces unique techniques to compromise the system’s security.
According to an advisory published earlier today, Migo is distributed as a Golang ELF binary, featuring compile-time obfuscation and the ability to persist on Linux hosts. Additionally, the malware incorporates a modified version of a popular user-mode rootkit to conceal processes and on-disk artifacts.
The initial access stage of the attack involves disabling various configuration options of Redis using specific CLI commands. For instance, the attackers turn off features like protected mode and replica-read-only to facilitate their malicious activities.
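For defenders, the configuration changes described above can be looked for in captured Redis `MONITOR` output. The following is an added example, not code from Cado's advisory; the sample lines and addresses are constructed, and only the two settings named in this article are checked.

```python
import re
import shlex
from collections import defaultdict

# Settings this article names as being switched off during initial access.
WEAKENING = {"protected-mode", "replica-read-only"}

# MONITOR line shape: <unix-ts> [<db> <client>] "<arg>" "<arg>" ...
LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$'
)

def find_weakening(lines):
    """Return {client: [(timestamp, setting), ...]} for CONFIG SET <setting> no."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a MONITOR command line
        try:
            args = shlex.split(m["args"])  # strips the double quotes
        except ValueError:
            continue  # unbalanced quoting, skip the line
        if len(args) < 4 or [a.lower() for a in args[:2]] != ["config", "set"]:
            continue
        # Redis 7 accepts several name/value pairs in one CONFIG SET.
        for name, value in zip(args[2::2], args[3::2]):
            if name.lower() in WEAKENING and value.lower() == "no":
                hits[m["client"]].append((float(m["ts"]), name.lower()))
    return dict(hits)

# Constructed sample capture (documentation address ranges, made-up timestamps).
SAMPLE = [
    '1708000000.100000 [0 203.0.113.7:51000] "CONFIG" "SET" "protected-mode" "no"',
    '1708000000.200000 [0 203.0.113.7:51000] "config" "set" "replica-read-only" "no"',
    '1708000001.000000 [0 10.0.0.5:40000] "CONFIG" "SET" "maxmemory" "2gb"',
    '1708000002.000000 [0 10.0.0.5:40000] "GET" "protected-mode"',
]

if __name__ == "__main__":
    for client, events in find_weakening(SAMPLE).items():
        for ts, setting in events:
            print(f"{client} disabled {setting} at {ts}")
```

A client that disables both settings in quick succession, as the first sample client does, is a stronger signal than a single change made by an administrator.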
After gaining access, the attackers set up a series of commands to execute malicious payloads retrieved from external sources such as Transfer.sh and Pastebin. These payloads are designed to mine cryptocurrency in the background while remaining undetected.
As mentioned above, one notable aspect of Migo is its use of compile-time obfuscation to conceal important symbols and strings, complicating reverse-engineering efforts. Additionally, the malware employs a user-mode rootkit to hide both its processes and on-disk artifacts, making it challenging for security analysts to detect and mitigate the threat.
The campaign’s persistence mechanism involves the use of systemd service and timer units to ensure the continuous execution of the malware. Furthermore, Migo attempts to evade detection by modifying the system’s hosts file to block outbound traffic to domains associated with cloud providers.
“Migo demonstrates that cloud-focused attackers are continuing to refine their techniques and improve their ability to exploit web-facing services,” Cado Security wrote. “In addition, the use of a user-mode rootkit could complicate post-incident forensics of hosts compromised by Migo.”