Since September 2021, about a thousand Redis servers have been infected by new stealthy malware meant to hunt down unprotected Redis servers online and create a botnet that mines for the Monero cryptocurrency. The malware, nicknamed HeadCrab by Aqua Security experts Nitzan Yaakov and Asaf Eitani, has so far infected at least 1,200 of these servers, which are also used to look for additional targets online.
According to the researchers, “this sophisticated threat actor compromises a huge number of Redis servers using a state-of-the-art, proprietary malware that is undetectable by agentless and traditional anti-virus solutions. Along with the HeadCrab malware, we also found a unique way to spot its infestations on Redis servers. Applying our method to exposed servers in the wild resulted in the discovery of about 1,200 actively infected systems.”
Because Redis servers are intended to be utilized within an organization’s network and should not be exposed to Internet access, the threat actors responsible for this botnet take advantage of the fact that authentication is not enabled by default on these servers. If administrators fail to secure them and unintentionally (or purposely) set them up so they can be accessed from outside of their local network, attackers can quickly hack and take control of them using malware and other malicious tools.
Meet HeadCrab – a new Linux malware utilizing Redis modules to compromise exposed servers.
We uncovered this complex malware which contains some impressive technical capabilities and has a strong emphasis on op sec. #malware #linux #headcrab https://t.co/5rRM5nMxqi
— UltraLutra (@ultra_lutra1) February 1, 2023
HeadCrab Deletes All Logs And Communicates With Servers
Once they have gained access to servers that don’t require authentication, the malicious actors send a ‘SLAVEOF’ command that makes the compromised instance synchronize with a master server under their control; that synchronization is what installs the HeadCrab malware onto the newly compromised system.
After being installed and started, HeadCrab gives the attackers all the tools necessary to seize total control of the targeted server and include it in their botnet for mining cryptocurrency.
Additionally, to avoid anti-malware scans on infected machines, it will execute in memory, and samples examined by Aqua Security have not been detected on VirusTotal. In order to avoid detection, it also deletes all logs and only communicates with other servers under the authority of its masters.
The researchers continued, “To avoid detection and lessen the possibility of being blacklisted by security solutions, the attacker connects with genuine IP addresses, primarily other compromised servers.
“Redis processes, which are largely responsible for the infection, are not anticipated to raise any security concerns. In order to prevent disk writes, kernel modules and payloads are loaded directly from memory as well as memory-only files.”
They also discovered that, in order to make attribution and detection more complex, the attackers mostly use mining pools hosted on previously compromised machines. Additionally, the Monero wallet connected to this botnet revealed that the attackers are earning an estimated $4,500 per worker per year, which is far more than the typical $200 per worker earned by similar operations.
Administrators are encouraged to turn on protected mode, which instructs the instance to only react to the loopback address, reject connections from other IP addresses, and ensure that only clients within their networks may access their Redis servers.
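The following audit script is an added example, not code from Aqua Security or the Redis project: it reads a redis.conf and flags the exposure conditions described above (protected mode off, listener bound to every interface, no password, and the replication and module-loading commands left enabled). It assumes standard redis.conf directives (protected-mode, bind, requirepass, rename-command); both sample configs are constructed.

```python
"""Audit a redis.conf for the exposure conditions an internet-facing,
unauthenticated Redis instance presents. Added example; the configs are
constructed and the directives are standard redis.conf keywords."""
import re

# Commands used to make an instance replicate from a foreign master and to
# load a module; `rename-command <name> ""` is the redis.conf way to disable one.
RISKY_COMMANDS = {"SLAVEOF", "REPLICAOF", "MODULE"}

def parse_conf(text):
    """Return {directive: [values...]} for the non-comment lines of a redis.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        conf.setdefault(key.lower(), []).append(rest.strip())
    return conf

def audit(text):
    """Return a list of findings; an empty list means no exposure condition was found."""
    conf = parse_conf(text)
    findings = []
    # protected-mode defaults to yes; only an explicit "no" turns it off
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode is disabled")
    # bind 0.0.0.0 / :: / * listens on every interface
    if any(re.search(r"(^|\s)(0\.0\.0\.0|::|\*)(\s|$)", b) for b in conf.get("bind", [])):
        findings.append("bind exposes the listener on all interfaces")
    if not conf.get("requirepass"):
        findings.append("no requirepass: unauthenticated clients are accepted")
    disabled = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.endswith('""')}
    for cmd in sorted(RISKY_COMMANDS - disabled):
        findings.append(f"{cmd} command is not disabled")
    return findings

WEAK = """# constructed sample: reachable from the internet with no authentication
bind 0.0.0.0
protected-mode no
"""

HARDENED = """# constructed sample: loopback only, authenticated, risky commands disabled
bind 127.0.0.1
protected-mode yes
requirepass example-placeholder-password
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf) or "ok")
```

Newer Redis versions also offer ACLs for restricting commands per user; the rename-command check above is the older, directive-based control.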
Conclusion
Since the beginning of September 2021, at least 1,200 Redis database servers have been captured into a botnet by the “elusive and dangerous threat” known as HeadCrab. According to a report made available on Wednesday by Aqua Security researcher Asaf Eitani, “This advanced threat actor compromises a huge number of Redis servers using a state-of-the-art, custom-made malware that is undetectable by agentless and traditional anti-virus solutions.” To date, a sizable number of infections have been reported in China, Malaysia, India, Germany, the United Kingdom, and the United States. The threat actor’s origins are currently unknown. The discoveries came two months after the cloud security company revealed a Go-based malware program, codenamed Redigo, that was discovered infecting Redis servers.