New stealthy malware designed to hunt down vulnerable Redis servers online has infected over a thousand of them since September 2021 to build a botnet that mines for Monero cryptocurrency. Discovered by Aqua Security researchers Nitzan Yaakov and Asaf Eitani, who dubbed it HeadCrab, the malware has so far ensnared at least 1,200 such servers, which are also used to scan for more targets online.
“This advanced threat actor utilizes a state-of-the-art, custom-made malware that is undetectable by agentless and traditional anti-virus solutions to compromise a large number of Redis servers,” the researchers said.
“We discovered not only the HeadCrab malware but also a unique method to detect its infections in Redis servers. Our method found approximately 1,200 actively infected servers when applied to exposed servers in the wild.”
The threat actors behind this botnet take advantage of the fact that Redis servers don’t have authentication enabled by default, as they are designed to be used within an organization’s network and shouldn’t be exposed to Internet access.
If admins don’t secure them and accidentally (or intentionally) configure them to be accessible from outside their local network, attackers can easily compromise and hijack them using malicious tools or malware.
Once they gain access to servers that don’t require authentication, the malicious actors issue a ‘SLAVEOF’ command that turns the hijacked server into a replica of a master server under their control; the replication sync then deploys the HeadCrab malware onto the newly hijacked system.
After being installed and launched, HeadCrab provides the attackers with all the capabilities required to take complete control of the targeted server and add it to their cryptomining botnet.
It will also run in memory on compromised devices to bypass anti-malware scans, and samples analyzed by Aqua Security have shown no detections on VirusTotal.
It also deletes all logs and only communicates with other servers controlled by its masters to evade detection.
“The attacker communicates with legitimate IP addresses, primarily other infected servers, to evade detection and reduce the likelihood of being blacklisted by security solutions,” the researchers added.
“The malware is primarily based on Redis processes which are unlikely to be flagged as malicious. Payloads are loaded through memfd, memory-only files, and kernel modules are loaded directly from memory, avoiding disk writes.”
While analyzing the malware, they also found that the attackers mainly use mining pools hosted on previously compromised servers to complicate attribution and detection.
Furthermore, the Monero wallet linked to this botnet showed that the attackers are raking in an estimated annual profit of around $4,500 per worker, far higher than the usual $200 per worker that similar operations make.
To defend their Redis servers, admins are advised to ensure that only clients within their networks can access them, to disable the “slaveof” feature if it’s unused, and enable protected mode, which configures the instance to only respond to the loopback address and refuse connections from other IP addresses.
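As an added example that is not part of the article or of Aqua Security's research, the following Python script audits a redis.conf text for the exposures described above: a wildcard bind, protected mode switched off, no password, and SLAVEOF/REPLICAOF left reachable. The two sample configurations are constructed, and the password value is a labelled placeholder.

```python
"""Audit a redis.conf for the weaknesses HeadCrab relies on (added example,
not Aqua Security's tooling). The two config texts below are constructed;
the password value is a labelled placeholder."""
WILDCARDS = {"0.0.0.0", "*", "::", "::*"}

def parse_conf(text):
    """Yield (directive, args) pairs; directive lowercased, comments and blanks skipped."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split()
            yield parts[0].lower(), parts[1:]

def audit_redis_conf(text):
    """Return a list of findings; an empty list means every checked control is present."""
    directives = {}
    for name, args in parse_conf(text):
        directives.setdefault(name, []).append(args)
    findings = []
    # 1. No bind line (Redis then listens on every interface) or a wildcard address.
    binds = [a.lstrip("-") for args in directives.get("bind", []) for a in args]
    if not binds or any(b in WILDCARDS for b in binds):
        findings.append("bind: listens on all interfaces")
    # 2. Protected mode switched off; its default is yes when the line is absent.
    pm = directives.get("protected-mode", [["yes"]])[-1]
    if pm and pm[0].lower() == "no":
        findings.append("protected-mode: disabled")
    # 3. No password: neither requirepass nor an ACL user with a '>password' rule.
    acl_pw = any(a.startswith(">") for args in directives.get("user", []) for a in args)
    if "requirepass" not in directives and not acl_pw:
        findings.append("auth: no requirepass or ACL password")
    # 4. SLAVEOF/REPLICAOF not renamed away, so an unauthenticated client could
    #    point this instance at a master it does not control.
    disabled = {args[0].upper() for args in directives.get("rename-command", [])
                if len(args) >= 2 and args[1] in ('""', "''")}
    if not {"SLAVEOF", "REPLICAOF"} <= disabled:
        findings.append("replication: SLAVEOF/REPLICAOF still enabled")
    return findings

WEAK_CONF = """# constructed: exposed, unauthenticated instance
bind 0.0.0.0
protected-mode no
"""
HARDENED_CONF = """# constructed: applies the article's recommendations
bind 127.0.0.1 10.0.0.5
protected-mode yes
requirepass REPLACE-WITH-LONG-RANDOM-SECRET
rename-command SLAVEOF ""
rename-command REPLICAOF ""
"""
```

Run `audit_redis_conf` over a real redis.conf to get the list of findings; an empty list means the instance at least has the controls the article recommends, though it says nothing about network-level exposure.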