A new stealthy malware, HeadCrab, designed to hunt down vulnerable Redis servers online has infected over a thousand of them since September 2021. Discovered by Aqua Security researchers Nitzan Yaakov and Asaf Eitani, the malware has so far ensnared at least 1,200 such servers, which are also used to scan for more targets online. This advanced threat actor uses state-of-the-art, custom-made malware that is undetectable by agentless and traditional anti-virus solutions to compromise a large number of Redis servers. When the researchers applied their detection to exposed servers in the wild, they found approximately 1,200 actively infected servers.

The malicious actors behind this botnet take advantage of the fact that Redis servers don't have authentication enabled by default, as they are designed to be used within an organization's network and should not be exposed to Internet access. If admins don't secure them and accidentally configure them to be accessible from outside their local network, attackers can easily compromise and hijack them using malicious tools or malware. Once they gain access to servers that don't require authentication, the malicious actors issue a SLAVEOF command to synchronize the server with a master server under their control, which deploys the HeadCrab malware onto the newly hijacked system.

After being installed and launched, HeadCrab provides the attackers with all the capabilities required to take complete control of the targeted server and add it to their cryptomining botnet. It runs in memory on compromised devices to bypass anti-malware scans, and samples analyzed by Aqua Security have shown no detections on VirusTotal. It also deletes all logs and only communicates with other servers controlled by its masters to evade detection. The attacker communicates with legitimate IP addresses, primarily other infected servers, to evade detection and reduce the likelihood of being blacklisted by security solutions.
The malware is primarily based on Redis processes, which are unlikely to be flagged as malicious. Payloads are loaded through memfd memory-only files, and kernel modules are loaded directly from memory, avoiding disk writes. The attackers mainly use mining pools hosted on previously compromised servers to complicate attribution and detection. The Monero wallet linked to this botnet showed that the attackers are raking in an estimated annual profit of around $4,500 per worker. To defend their Redis servers, admins are advised to ensure that only clients within their networks can access them, to disable the SLAVEOF feature if it's unused, and to enable protected mode, which configures the instance to only respond to the loopback address and refuse connections from other IP addresses.
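The three hardening steps above can be checked mechanically against a redis.conf. The following auditor is an added example written for this page, not code from BleepingComputer or Aqua Security; the directive names (bind, protected-mode, requirepass, rename-command) are real Redis configuration keys, while the two sample configurations are constructed.

```python
"""Audit a redis.conf for the exposure HeadCrab relies on: an instance reachable
from outside the local network, without authentication, with SLAVEOF/REPLICAOF
still callable by any client.  Example code written for this article."""

from typing import Dict, List

# Commands that let a client point this instance at another master.  Redis lets
# an operator disable a command by renaming it to the empty string "".
REPLICATION_COMMANDS = {"slaveof", "replicaof"}

def parse_redis_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the argument lists of all its occurrences.
    Redis only treats a line that starts with '#' as a comment."""
    conf: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf

def audit_redis_conf(text: str) -> List[str]:
    """Return findings; an empty list means the instance follows the advice."""
    conf = parse_redis_conf(text)
    findings: List[str] = []
    binds = {addr for args in conf.get("bind", []) for addr in args}
    # With no bind directive Redis listens on every interface.
    if not binds or binds & {"0.0.0.0", "::", "*"}:
        findings.append("bind: instance listens on all interfaces")
    # protected-mode defaults to yes and only guards unbound, unauthenticated
    # instances, so it must not be switched off.
    if conf.get("protected-mode", [["yes"]])[-1] == ["no"]:
        findings.append("protected-mode: disabled")
    if not (conf.keys() & {"requirepass", "user", "aclfile"}):
        findings.append("requirepass: no authentication configured")
    disabled = {args[0].lower() for args in conf.get("rename-command", [])
                if len(args) == 2 and args[1] == '""'}
    for cmd in sorted(REPLICATION_COMMANDS - disabled):
        findings.append(f"rename-command: {cmd.upper()} still enabled")
    return findings

# Constructed samples: an exposed instance and one hardened as the article advises.
WEAK_CONF = "# constructed sample\nbind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_CONF = ("# constructed sample\nbind 127.0.0.1 10.0.0.5\nprotected-mode yes\n"
                 "requirepass REPLACE-WITH-STRONG-SECRET\n"
                 'rename-command SLAVEOF ""\nrename-command REPLICAOF ""\n')

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or ["OK"])
```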
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 01 Feb 2023 23:56:03 +0000