'HeadCrab' Malware Variants Commandeer Thousands of Servers

BLACK HAT EUROPE 2023 - London - The HeadCrab malware, which adds infected devices to a botnet for use in cryptomining and other attacks, has resurfaced with a shiny new variant that allows root access to Redis open source servers.
Researchers from Aqua Security said the second variant of the cryptomining malware has infected 1,100 servers; the first variant had already infected at least 1,200 servers.
Second Variant

The new variant comes with minor updates that allow an attacker to better hide their actions by removing custom commands and adding encryption to the command and control infrastructure.
Details of both variants were shared today in a presentation by Eitani and his colleague, senior data analyst Nitzan Yaakov.
Aqua Security researchers used the email to contact the HeadCrab creator - who went by the code name Ice9 - but were unable to determine his name or location.
Ice9 told the researchers that they were the first people to email him.
In email conversations with the researchers, Ice9 said the malware does not reduce server performance, and can remove other malware infections.
He also sent the researchers a hash of the malware so they could inspect it.
After detecting the second variant, a new message in the mini blog from Ice9 praised the work the Aqua researchers did.
Ice9 is the only user of HeadCrab, and solely in control of the command and control infrastructure, Eitani notes.
Taking Control

HeadCrab infects a Redis server when the attacker uses the SLAVEOF command, downloads a malicious module, and runs two new files: a cryptominer and a configuration file.
The researchers recommended that organizations scan for vulnerabilities and misconfigurations in their servers, and use protected mode in Redis to reduce the chance for infection from HeadCrab.
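The recommendation above maps directly onto a handful of redis.conf directives. The following audit script is an added example written for this page; it is not code from the article, from Aqua Security, or from the Redis project. It parses a redis.conf and flags the settings that matter for the infection path described above: protected mode turned off, the server bound to every interface, no authentication, and the SLAVEOF/REPLICAOF and MODULE commands still reachable. The two sample configurations are constructed, the password is a placeholder, and the `enable-module-command` directive is assumed to be the Redis 7.x one.

```python
"""Audit a redis.conf for settings relevant to SLAVEOF/MODULE-based infections.

Added example for this article (not Aqua's or Redis's code). Directive names
follow redis.conf; the sample configurations below are constructed.
"""
from __future__ import annotations

# The infection path in the article: SLAVEOF (alias REPLICAOF) points the server
# at an attacker-controlled master, then MODULE loads the malicious module.
RISKY_COMMANDS = ("SLAVEOF", "REPLICAOF", "MODULE")
ANY_INTERFACE = {"0.0.0.0", "*", "::"}


def parse_redis_conf(text: str) -> dict[str, list[list[str]]]:
    """Map each directive (lower-cased) to the argument lists it was given.

    Directives may repeat (e.g. several rename-command lines), so every
    occurrence is kept; callers that want "last one wins" take index -1.
    """
    conf: dict[str, list[list[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means no issues."""
    conf = parse_redis_conf(text)
    findings: list[str] = []

    # protected-mode defaults to yes when absent; only an explicit "no" is a finding.
    pm = conf.get("protected-mode", [["yes"]])[-1]
    if not pm or pm[0].lower() != "yes":
        findings.append("protected-mode is disabled")

    # Without a bind directive Redis listens on all interfaces.
    binds = conf.get("bind")
    if not binds:
        findings.append("no bind directive: server listens on all interfaces")
    elif any(addr.lstrip("-") in ANY_INTERFACE for addr in binds[-1]):
        findings.append("bind includes a wildcard address")

    # Either a legacy requirepass or ACL users must be present.
    if not conf.get("requirepass") and not conf.get("user"):
        findings.append("no requirepass or ACL users: unauthenticated access")

    # A command renamed to "" is unreachable by clients.
    disabled = {
        args[0].upper()
        for args in conf.get("rename-command", [])
        if len(args) >= 2 and args[1] == '""'
    }
    # Redis 7.x can also switch MODULE off directly (assumed directive name).
    emc = conf.get("enable-module-command")
    if emc and emc[-1] and emc[-1][0].lower() == "no":
        disabled.add("MODULE")
    for cmd in RISKY_COMMANDS:
        if cmd not in disabled:
            findings.append(f"{cmd} command is reachable by clients")
    return findings


# Constructed sample: an exposed instance of the kind the article describes.
WEAK_CONF = """
# constructed example - do not deploy
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: a standalone instance hardened along the lines recommended.
HARDENED_CONF = """
# constructed example
bind 127.0.0.1 -::1
protected-mode yes
requirepass CHANGE_ME_PLACEHOLDER
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}] {audit_redis_conf(conf) or 'no findings'}")
```

Disabling SLAVEOF and REPLICAOF with `rename-command` only suits standalone instances; a real replica needs those commands, so there the bind address, protected mode and authentication carry the weight. The script reads the static file, which is the cheapest place to check; a runtime `CONFIG GET` against the live server would catch settings changed after startup.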


This Cyber News was published on www.darkreading.com. Publication date: Thu, 07 Dec 2023 18:55:18 +0000

