A malicious piece of software known as HeadCrab has infiltrated at least 1,200 Redis servers around the world, according to Aqua Security. Redis servers are designed to be used on secure networks and are vulnerable to unauthorized access if exposed to the internet, as they do not have authentication enabled by default. Redis servers can also be set up in clusters, which allows data to be divided and stored across multiple servers.

The attackers used the SLAVEOF command to designate the targeted servers as slave servers, then synchronized malicious modules from the master server to deploy the malware. This gave the attackers full control over the infected servers and enabled them to perform various actions. The purpose of the campaign was to create a botnet for cryptocurrency mining; based on the identified Monero wallet, Aqua Security estimated that the attackers made an annual profit of almost $4,500 per worker.

HeadCrab is a Redis module framework that is able to evade detection by some security products. It deletes the Redis log file, or empties it again if it is recreated, and it locates the dynamic loader so that it can execute processes under the loader's name. It also creates new Redis commands to control the malware and ensure further persistence. Aqua Security's investigation found that HeadCrab has already taken control of over 1,200 servers, all infected with this malware, and the company concludes that HeadCrab is likely to continue using advanced techniques to penetrate servers, whether by exploiting misconfigurations or vulnerabilities.
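The exposure conditions the summary describes (an internet-reachable listener with no authentication, and the replication and module-loading commands left reachable) can be checked in a server's `redis.conf` before an instance goes live. The following Python script is an added example, not code from the SecurityWeek article or from Aqua Security's report. It reads the standard Redis directives `bind`, `protected-mode`, `requirepass`, `user`, `enable-module-command` and `rename-command` and reports which hardening steps are missing. The two configurations it is run against are constructed samples, and the placeholder password is an assumption.

```python
"""Audit a redis.conf for the exposure conditions behind the HeadCrab campaign.

Added example: flags a listener reachable from outside localhost, missing
authentication, and the SLAVEOF/REPLICAOF/MODULE/CONFIG/DEBUG commands left
callable by their normal names.
"""
import shlex

# Commands that let a remote client re-point replication, load native code, or
# rewrite the running configuration. Hardening renames or disables them.
RISKY_COMMANDS = ("SLAVEOF", "REPLICAOF", "MODULE", "CONFIG", "DEBUG")


def parse_redis_conf(text):
    """Return (directive, args) pairs.

    redis.conf is one 'directive arg ...' per line; '#' starts a comment and
    directive names are case-insensitive. shlex handles the "" used by
    rename-command to disable a command outright.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit_redis_conf(text):
    """Return a list of human-readable findings; an empty list means no gaps found."""
    findings = []
    last = {}        # directive -> args of its last occurrence (later lines win)
    renamed = set()  # commands renamed or disabled via rename-command
    acl_users = []   # 'user ...' ACL rules, which may carry a password (>pw or #hash)
    for name, args in parse_redis_conf(text):
        if name == "rename-command" and len(args) == 2:
            renamed.add(args[0].upper())
        elif name == "user":
            acl_users.append(args)
        else:
            last[name] = args

    bind = last.get("bind")
    if bind is None:
        findings.append("bind: no directive, so Redis listens on every interface")
    elif any(a.lstrip("-") in ("0.0.0.0", "*", "::") for a in bind):
        findings.append("bind: wildcard address exposes the listener beyond localhost")

    if last.get("protected-mode", ["yes"])[:1] == ["no"]:
        findings.append("protected-mode no: unauthenticated remote clients are accepted")

    pw = last.get("requirepass", [""])
    has_password = bool(pw and pw[0]) or any(
        any(tok.startswith((">", "#")) for tok in rule) for rule in acl_users
    )
    if not has_password:
        findings.append("requirepass: absent, so any client that reaches the port is trusted")

    for cmd in RISKY_COMMANDS:
        locked = cmd in renamed
        if cmd == "MODULE":
            # Redis 7 ships 'enable-module-command no'; older servers have no such
            # switch, so only an explicit setting or a rename counts as locked here.
            locked = locked or last.get("enable-module-command") == ["no"]
        if not locked:
            findings.append(f'{cmd}: reachable by name; rename or disable it (rename-command {cmd} "")')
    return findings


# Constructed sample: an internet-facing instance left at permissive settings.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
logfile ""
"""

# Constructed sample: local-only listener, password required, risky commands removed.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
requirepass CHANGE-ME-placeholder
enable-module-command no
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command CONFIG ""
rename-command DEBUG ""
logfile /var/log/redis/redis-server.log
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}] {len(audit_redis_conf(conf))} finding(s)")
        for finding in audit_redis_conf(conf):
            print("  -", finding)
```

Run it against a real file with `audit_redis_conf(open("/etc/redis/redis.conf").read())`. On Redis 7 deployments, ACL rules that withhold the `@dangerous` command category from application users achieve the same end as `rename-command`; the script accepts a `user` line carrying a password as authentication but does not parse command categories, so a fleet using ACLs should extend the `RISKY_COMMANDS` check accordingly. Because HeadCrab empties the Redis log file on the host, the log path flagged in `logfile` is only useful if it is also shipped off-host.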
This Cyber News was published on www.securityweek.com. Publication date: Thu, 02 Feb 2023 13:43:02 +0000