The notorious HeadCrab malware is used to mine cryptocurrencies using Redis servers, and nearly 1,200 servers have been compromised, according to research published Wednesday by cloud security vendor Aqua Security.
Redis is a popular open source database management system (DBMS) first released in 2009. A post on Aqua’s research blog, written by security researcher Assaf Eitani and security data analyst Nitzan Yaakov, noted that because Redis is designed to run in secure and closed mode. network, the DBMS does not come with authentication enabled by default. As such, Eitany and Yaakov wrote, Redis instances have been increasingly targeted by threat actors in recent years.
Aqua Security’s blog post focuses on HeadCrab, a botnet malware first discovered in September 2021 that has compromised at least 1,200 servers to date. The post contains significant technical details for HeadCrab, which Eytani and Yaakov describe as “sophisticated, long-in-development malware” that can evade traditional antivirus products.
“We observed that the attacker went to great lengths to ensure the secrecy of their attack,” the authors wrote. “The malware is designed to bypass volume scans because it runs exclusively in memory and is not stored on disk. Additionally, logs are deleted using the Redis module framework and API. The attacker communicates with legitimate IP addresses, mostly other infected servers. , to avoid detection and reduce the likelihood of being blacklisted by security solutions.”
The attacker uses the “REPLICAOF” command to make the victim’s server a replica of another server controlled by the threat actor. The threat actor uses the malware to then create new Redis commands, enabling further administration and loading of malicious Redis modules on the server.
Aqua Security discovered the malware because one of their honeypots was attacked. The attacker left a text message addressed to Aqua Security within the malware, in which the attacker addresses himself as HeadCrab, hence the name of the malware. The attacker said they provide “unconditional basic income [people] with some flaws.”
Asaf Morag, Aqua’s chief threat analyst, told TechTarget Editorial that the threat actor had no way to connect the honeypot server to the Nautilus team in Aqua Security’s threat research division, and that the actor did not directly contact Aqua. Morag suspects the actor knew about Aqua Security due to the nature of the HeadCrab campaign.
“The attacker discussed the transition from a tool easily detectable by security solutions to a partially fileless and completely fileless malware,” he said. “I think he thought we had the best chance of finding such elusive malware because of us eBPF based technology. And he was right.”
The HeadCrab botnet is primarily used for malicious cryptocurrency mining.
“The miner’s configuration file was pulled from memory and showed that the mining pools were mostly hosted on private legitimate IP addresses,” the post said. “Verification of these IP addresses revealed that they belong to either clean hosts or a leading security company, making detection and attribution difficult. A Monero Pool service was detected in the configuration file and was not used by the miner at startup. The attacker’s Monero wallet showed an expected annual profit of almost $4,500 per worker, much higher than the usual $200 per worker.”
The blog post contained a map of compromised Redis instances, the majority of which appeared to be in the Asia Pacific region, the US, and Western Europe.
Aqua Security made several recommendations in its post, such as ensuring that Redis instances have configurations consistent with security best practices and initiating incident response if there is evidence of server compromise.
Redis did not respond to TechTarget Editorial’s request for comment by press time.
Alexander Kulafi is a writer, journalist, and podcaster in Boston.
Comments