New cyber campaign is targeting Magento CMS and Docker containers to deploy cryptocurrency mining software.

A newly observed cyber campaign attributed to a threat actor known as Mimo (also referred to as “Hezb”) is targeting unpatched Magento content management systems (CMS) and misconfigured Docker environments to deploy cryptocurrency mining software and proxyware. This dual-purpose monetization strategy represents a significant escalation in Mimo’s capabilities and tactics, according to research published by security experts at Cado Labs.

Evolving Attack Vectors

After previously focusing on Craft CMS, Mimo has expanded its operations to exploit vulnerabilities in widely deployed platforms, including Magento and Docker. The attacks abuse suspected vulnerabilities in the PHP-FPM component used by Magento, gaining remote access through command injection in Magento plugins. Mimo also capitalizes on insecure Docker instances exposed to the internet, deploying malicious containers that fetch and execute remote payloads.

Sophisticated Execution and Stealth Tactics

Once access is achieved, Mimo employs a combination of advanced techniques to maintain persistence, establish remote access, and conceal its activities. The threat actor deploys a modified version of GSocket, a legitimate open-source networking tool, to establish reverse shell access. The tool is renamed to mimic system processes, making identification difficult. The malware uses the Linux memfd_create() system call to load payloads directly into memory, leaving a minimal forensic footprint and evading traditional file-based detection. To ensure persistence and stealth, the malware abuses the /etc/ld.so.preload file to inject a rootkit into every dynamically linked process, which lets it hide malicious files and running processes from administrators and security software.
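As an added example (not code from the Cado report or from this article), the following Linux triage script checks for the two host-level artefacts described above: library paths listed in /etc/ld.so.preload and processes whose executable was loaded from a memfd_create() descriptor. The /proc and ld.so.preload conventions are standard glibc/kernel behaviour; the file and process data come from the live host, while the parsing functions are pure so they can be exercised on constructed input.

```python
from __future__ import annotations
import os
import re

PRELOAD_PATH = "/etc/ld.so.preload"
# The kernel reports a memfd_create()-backed executable in /proc/<pid>/exe as
# "/memfd:<name> (deleted)"; nothing with that prefix ever existed on disk.
MEMFD_EXE_RE = re.compile(r"^/memfd:.*\(deleted\)$")

def preload_entries(text: str) -> list[str]:
    """Parse ld.so.preload contents: library paths separated by whitespace or
    ':', with '#' comments ignored. A clean host normally has no such file."""
    entries: list[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(p for p in re.split(r"[\s:]+", line) if p)
    return entries

def memfd_pids(exe_links: dict[int, str]) -> list[int]:
    """Given {pid: os.readlink('/proc/<pid>/exe')}, return the PIDs whose
    executable was loaded straight from an anonymous memfd."""
    return sorted(pid for pid, exe in exe_links.items() if MEMFD_EXE_RE.match(exe))

def collect_exe_links() -> dict[int, str]:
    """Read /proc/<pid>/exe for every process this user may inspect."""
    links: dict[int, str] = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                links[int(name)] = os.readlink(f"/proc/{name}/exe")
            except OSError:  # kernel thread, already exited, or not permitted
                pass
    return links

def main() -> None:
    if os.path.exists(PRELOAD_PATH):
        with open(PRELOAD_PATH) as fh:
            for lib in preload_entries(fh.read()):
                note = "" if os.path.exists(lib) else " (path not visible on disk)"
                print(f"[preload] {lib}{note}")
    else:
        print("[preload] /etc/ld.so.preload not present")
    for pid in memfd_pids(collect_exe_links()):
        print(f"[memfd] pid {pid} is running from an in-memory executable")

if __name__ == "__main__":
    main()
```

A preload rootkit hooks libc inside every dynamically linked process, this script's interpreter included, so findings from a live host should be cross-checked with a statically linked tool or from a rescue boot.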

Dual Monetization: Crypto Mining and Proxyware

Mimo’s strategy focuses on financial gain through two distinct channels:

  • Cryptocurrency Mining: The malware deploys a customized variant of XMRig, a popular Monero (XMR) miner, exploiting the processing power of compromised systems.
  • Proxyware Deployment: The campaign also installs IPRoyal proxy software. This allows Mimo to rent out the victims’ bandwidth to proxy pools, creating a secondary source of revenue.

Even if the resource-intensive mining software is discovered and removed, the low-profile proxyware often remains unnoticed—allowing long-term monetization with minimal risk of detection.

Modularity and Lateral Movement

The main payload, built using the Go programming language, features a modular architecture with capabilities including:

  • Persistence mechanisms
  • File and process manipulation
  • Remote payload execution
  • SSH brute-force propagation for lateral movement
  • Functioning as a dropper for additional payloads

According to researchers, this design provides operational flexibility and supports scalable attacks across diverse environments.
